Hello Daniele/All,

While testing Userconntrack (Branch - ovs-userconntrack_20151115), we found the following issue.

Problem: ICMP Blocked port can be hacked, if same ICMP request id is used while sending the packet from the blocked side of the firewall.

Test Setup:
Open vSwitch Branch - ovs-userconntrack_20151115
DPDK Branch - dpdk-2.2.0
303/1 <-> dpdk0 - port 1
303/3 <-> dpdk1 - port 2

Agilent Configuration:
303/1 - 35.35.35.1/24
303/3 - 35.35.35.101/24

Traffic Configuration:
303/1 - 35.35.35.1 to 35.35.35.101 - ICMP request packet with id=0
303/3 - 35.35.35.101 to 35.35.35.1 - ICMP request packet with id=0

Firewall Flow Rules:
ovs-ofctl del-flows br0
ovs-ofctl add-flow br0 "table=0,priority=1,action=drop"
ovs-ofctl add-flow br0 "table=0,priority=10,arp,action=normal"
ovs-ofctl add-flow br0 "table=0,priority=100,icmp,ct_state=-trk,action=ct(table=1)"
ovs-ofctl add-flow br0 "table=1,in_port=1,icmp,ct_state=+trk+new,action=ct(commit),2"
ovs-ofctl add-flow br0 "table=1,in_port=1,icmp,ct_state=+trk+est,action=2"
ovs-ofctl add-flow br0 "table=1,in_port=2,icmp,ct_state=+trk+new,action=drop"
ovs-ofctl add-flow br0 "table=1,in_port=2,icmp,ct_state=+trk+est,action=1"
ovs-ofctl dump-flows br0

Steps to Reproduce:
1. With the above configuration, start bidirectional traffic in Agilent.
2. Traffic from 303/3 to 303/1 is successful.
3. Expected: traffic from 303/3 to 303/1 should not pass through the firewall.

Regards,
Subramani.

________________________________
From: Subramani Paramasivam (Cisco)
Sent: 10 May 2016 12:31:53
To: diproiet...@vmware.com
Cc: Soumyadeep Chowdhury (Cisco); Sourabh Bansal (Cisco); Karuppusamy Marappagounder (NEPC)
Subject: In ovs-userconntrack_20151115 Branch - ICMP Blocked port can be hacked, if same icmp request id is used while sending the packet from the blocked side of the firewall.
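Added example, not the reporter's or Open vSwitch's code: a toy model of the table=1 rules in the report, run against the three packets of the test (request from 303/1, its reply, and the same-id request from 303/3), with two ways of keying an ICMP echo connection. Keying on (src, dst, type, id) classifies the reverse-direction request as +new and drops it, as the report expects; the weak (src, dst, id) key is an assumption constructed to reproduce the symptom, not a claim about what the branch actually does.

```python
from dataclasses import dataclass

ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int


class ConnTracker:
    def __init__(self, key_includes_type):
        self.key_includes_type = key_includes_type
        self.table = {}  # key -> "orig" | "reply"

    def key(self, p):
        if self.key_includes_type:
            return (p.src, p.dst, p.icmp_type, p.icmp_id)
        # Constructed weak key (assumption): cannot tell a reverse-direction
        # echo request from the echo reply of a committed connection.
        return (p.src, p.dst, p.icmp_id)

    def reverse(self, p):
        # Reply direction: addresses swapped, request <-> reply type.
        rtype = ECHO_REPLY if p.icmp_type == ECHO_REQUEST else ECHO_REQUEST
        return Icmp(p.dst, p.src, rtype, p.icmp_id)

    def state(self, p):
        return "est" if self.key(p) in self.table else "new"

    def commit(self, p):
        self.table[self.key(p)] = "orig"
        self.table[self.key(self.reverse(p))] = "reply"


def table1(ct, in_port, p):
    """The four table=1 rules from the report: +new from port 1 is committed
    and forwarded, +est is forwarded both ways, +new from port 2 is dropped."""
    st = ct.state(p)
    if in_port == 1:
        if st == "new":
            ct.commit(p)
        return "output:2"
    return "output:1" if st == "est" else "drop"


def run_scenario(key_includes_type):
    ct = ConnTracker(key_includes_type)
    a, b = "35.35.35.1", "35.35.35.101"
    allowed_req = table1(ct, 1, Icmp(a, b, ECHO_REQUEST, 0))  # 303/1 -> 303/3
    allowed_rep = table1(ct, 2, Icmp(b, a, ECHO_REPLY, 0))  # the reply to it
    blocked_req = table1(ct, 2, Icmp(b, a, ECHO_REQUEST, 0))  # 303/3 -> 303/1, same id
    return allowed_req, allowed_rep, blocked_req
```

With the full key the third packet is dropped; with the weak key it is classified established and forwarded to port 1, which is the behaviour the report observes.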
_______________________________________________ discuss mailing list discuss@openvswitch.org http://openvswitch.org/mailman/listinfo/discuss