*** openstack has joined #openstack-zephyr | 04:26 | |
red|kiwi | looks like we got the bots approved, good work kitsuneninetails :) | 04:43 |
red|kiwi | Also, this channel is now logged to http://eavesdrop.openstack.org/irclogs/%23openstack-zephyr/ - might want to add that to the topic, kitsuneninetails | 04:45 |
*** hiroyuki-i has quit IRC | 05:00 | |
*** hiroyuki-i has joined #openstack-zephyr | 05:34 | |
*** hiroyuki-i has quit IRC | 05:40 | |
*** hiroyuki-i has joined #openstack-zephyr | 06:00 | |
*** ChanServ changes topic to ""Discussion on Zephyr "noauth" Neutron Testing Framework (https://launchpad.net/zephyr-neutron). This channel is logged to: http://eavesdrop.openstack.org/irclogs/%23openstack-zephyr/"" | 06:54 | |
*** ChanServ changes topic to "Discussion on Zephyr "noauth" Neutron Testing Framework (https://launchpad.net/zephyr-neutron). This channel is logged to: http://eavesdrop.openstack.org/irclogs/%23openstack-zephyr/" | 06:55 | |
kitsuneninetails | https://review.gerrithub.io/#/c/255416/ for the spoofing test additions | 06:56 |
kitsuneninetails | itsuugo: ^^ | 06:57 |
itsuugo | I think that the icmp echo to the spoofed ip should be discarded and don't have to reach the vm | 06:59 |
kitsuneninetails | The anti-spoofing only looks at source IP, so the echo request has a valid packet, doesn't it? | 07:27 |
kitsuneninetails | It's the response that has an invalid source IP | 07:27 |
kitsuneninetails | So, the request should reach the destination and the reply get dropped. | 07:31 |
kitsuneninetails | But either way, the round trip will fail, which is what is being tested (I already test single-way in the other tests). | 07:31 |
*** ChanServ changes topic to "Discussion on Zephyr "noauth" Neutron Testing Framework (https://launchpad.net/zephyr-neutron) | channel logs: http://eavesdrop.openstack.org/irclogs/%23openstack-zephyr/" | 07:32 | |
*** ryu25 has joined #openstack-zephyr | 07:47 | |
itsuugo | I guess that the only traffic permitted to an instance is the one that matches the mac and the ip of the neutron ports in both directions, | 08:20 |
itsuugo | I don't see the point to receive traffic that is not intended to you | 08:20 |
itsuugo | you can sniff traffic in that way | 08:20 |
itsuugo | IMHO it is a security hole if you don't discard the traffic not related to the neutron ip/mac pair in both directions | 08:21 |
kitsuneninetails | Well | 08:32 |
kitsuneninetails | It's not my design :) | 08:32 |
kitsuneninetails | I'm just testing it | 08:32 |
kitsuneninetails | But the design is very specifically set to look at source_ip. That much I know | 08:33 |
kitsuneninetails | But I kind of disagree with your assessment | 08:33 |
kitsuneninetails | How would I know which dest IPs are valid and which are not? | 08:33 |
kitsuneninetails | If I want to ping 8.8.8.8, how does the network know that's an invalid IP? | 08:33 |
kitsuneninetails | or valid? | 08:33 |
kitsuneninetails | To set up an allowed address pair for every IP a VM might or might not access would be cumbersome IMHO, and too rigid. That's what security groups are for. | 08:34 |
kitsuneninetails | And for the receiving VM, it would only ever accept packets that have a dest_ip matching an address on the interface, so that should be safe | 08:35 |
*** red|trela has joined #openstack-zephyr | 08:58 | |
*** hiroyuki-i has quit IRC | 08:58 | |
*** hiroyuki-i has joined #openstack-zephyr | 09:10 | |
ryu25 | indeed the current implementation of spoofing in midonet only deals with traffic originating from the VM (protecting the other VMs in the network). | 09:33 |
ryu25 | it's an interesting point, and I think the definitive answer will come from the reference implementation | 09:33 |
ryu25 | I cannot answer this from top of head, but I'm sure it's easy to find out | 09:35 |
yamamoto | is there anything preventing zephyr from moving to stackforge? | 09:45 |
kitsuneninetails | I don't think so | 10:14 |
kitsuneninetails | just my time and following the process | 10:15 |
itsuugo | kitsuneninetails ryu25 sorry for the late response, I meant that the anti spoofing rules should permit only the traffic originated from the vm and destined to the vm | 11:01 |
itsuugo | in inbound you filter by dst mac and dst ip | 11:01 |
itsuugo | and in outbound by src mac and src ip | 11:02 |
itsuugo | otherwise it is easy to arpspoof | 11:02 |
itsuugo | because you can generate fake GARP | 11:02 |
yamamoto | itsuugo: midonet doesn't have arp spoof protection? | 11:32 |
yamamoto | kitsuneninetails: may i help the process? it isn't difficult. you might need to resubmit unmerged reviews but that's all. | 11:34 |
*** hiroyuki-i has quit IRC | 11:36 | |
*** yamamoto has quit IRC | 11:42 | |
itsuugo | I guess that the only arp spoof protection are the antispoofing rules that are used for outbound traffic | 11:42 |
itsuugo | but I guess we need rules in inbound too | 11:42 |
itsuugo | BTW there is an issue with this https://midobugs.atlassian.net/browse/MI-285 | 11:43 |
*** yamamoto has joined #openstack-zephyr | 11:44 | |
*** yamamoto has quit IRC | 11:51 | |
*** yamamoto has joined #openstack-zephyr | 11:51 | |
*** yamamoto has quit IRC | 12:14 | |
*** yamamoto has joined #openstack-zephyr | 12:54 | |
*** yamamoto has quit IRC | 13:41 | |
*** yamamoto has joined #openstack-zephyr | 13:56 | |
*** ryu25 has quit IRC | 14:30 | |
*** red|trela has quit IRC | 15:42 | |
*** yamamoto has quit IRC | 16:25 | |
*** yamamoto has joined #openstack-zephyr | 16:26 | |
*** red|kiwi has quit IRC | 16:33 | |
*** yamamoto has quit IRC | 16:39 | |