Excerpts from Jeremy Stanley's message of 2017-02-20 20:08:00 +0000:
> On 2017-02-20 14:36:15 -0500 (-0500), Clint Byrum wrote:
> > What exactly is the security concern of the metadata service? Perhaps
> > those concerns can be addressed directly?
> [...]
>
> A few I'm aware of:
>

Thanks!

> 1. It's something that runs in the control plane but needs to be
> reachable from untrusted server instances (which may themselves even
> want to be on completely non-routed networks).
>

As is DHCP.

> 2. If you put a Web proxy between your server instances and the
> metadata service and also make it reachable without going through
> that proxy then instances may be able to spoof one another
> (OSSN-0074).
>

That's assuming the link-local approach used by the EC2 style service. If
you have DHCP hand out a metadata URL with a nonce in it, that's no
longer an issue.

> 3. Lots of things, for example facter, like to beat on it heavily
> which makes for a fun DDoS and so is a bit of a scaling challenge in
> large deployments.
>

These are fully mitigated by caching.

> There are probably plenty more I don't know since I'm not steeped in
> operating OpenStack deployments.

Thanks. I don't mean to combat the suggestions, but rather just see what
it is exactly that makes us dislike the metadata service.

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
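The spoofing point (2) and the per-instance nonce reply above, as an added illustration that is not code from the thread or from OpenStack: a service that takes instance identity from a proxy-set header leaks another instance's data to anyone who can reach it directly and forge that header, while a service keyed on an unguessable nonce in the DHCP-delivered URL does not. Class and field names, the sample addresses and the metadata records are constructed for the example.

```python
import secrets
from dataclasses import dataclass

# Constructed sample data: two instances on one tenant network and
# their private metadata records.
INSTANCE_BY_IP = {"10.0.0.5": "inst-a", "10.0.0.6": "inst-b"}
METADATA = {
    "inst-a": {"hostname": "a"},
    "inst-b": {"hostname": "b", "ssh_key": "ssh-ed25519 AAAA...constructed"},
}

@dataclass
class Request:
    path: str
    headers: dict

class IpKeyedService:
    """Identity taken from X-Forwarded-For, which is only trustworthy
    when a proxy sets it and instances cannot bypass that proxy."""
    def lookup(self, req: Request):
        inst = INSTANCE_BY_IP.get(req.headers.get("X-Forwarded-For"))
        return METADATA.get(inst)

class NonceKeyedService:
    """Identity taken from a per-instance random token embedded in the
    URL that DHCP hands to exactly that instance."""
    def __init__(self):
        self._by_nonce = {}

    def issue_url(self, instance_id: str) -> str:
        nonce = secrets.token_urlsafe(32)   # 256 bits, not guessable
        self._by_nonce[nonce] = instance_id
        return f"/metadata/{nonce}/"

    def lookup(self, req: Request):
        parts = req.path.strip("/").split("/")
        if len(parts) < 2 or parts[0] != "metadata":
            return None
        return METADATA.get(self._by_nonce.get(parts[1]))

def demo():
    # Instance A reaches the service directly and forges B's address.
    forged = {"X-Forwarded-For": "10.0.0.6"}
    ip_result = IpKeyedService().lookup(Request("/", forged))  # B's record
    svc = NonceKeyedService()
    url_a = svc.issue_url("inst-a")
    svc.issue_url("inst-b")
    # Same forged header; the URL only carries A's own nonce.
    nonce_result = svc.lookup(Request(url_a, forged))          # A's record
    guess = svc.lookup(Request("/metadata/not-a-real-nonce/", forged))
    return ip_result, nonce_result, guess
```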