Gateway_less_Fwd: ACL should have rule to deny traffic to ip-fabric
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Juniper Openstack | Status tracked in Trunk | | | |
| R4.1 | Fix Committed | High | Sivakumar Ganapathy | |
| Trunk | Fix Committed | High | Nagendra Prasath | |
Bug Description
Consider a VN vn1 that uses ip-fabric as provider. The agent adds a
default route to both VRFs so that these VRFs can use the default
route to communicate with destinations outside IPAM for ip-fabric.
This unintentionally allows communication between endpoints in vn1
and ip-fabric even if there's no network policy to explicitly allow
it.
Suggested fix is for schema transformer to always add a rule to the
network ACL at the end to deny traffic to ip-fabric. This should be
done for all VNs that use ip-fabric as provider. The ACL needs to be
generated and the rule added even if there are no network policies
associated with the VN. Note that this rule will not be matched if
the user explicitly adds a policy to allow communication between
vn1 and ip-fabric.
Conversely, the schema transformer also needs to add a rule to the
end of the network ACL for ip-fabric to deny traffic from any VN.
Note that this rule will not be matched if the user explicitly adds
a policy to allow communication between ip-fabric and specific VNs.
| Field | Change |
|---|---|
| description | updated |
| information type | Proprietary → Public |
Following changes are required to fix this issue:
1. We will add a new property called 'provider-network' to the virtual-network object in the schema. For now, it will be a read-only property that is internally set to True only for the ip-fabric network. In dbe_resync, we will change it to True for ip-fabric for the upgrade case.
2. In the schema transformer, for any network with this property set to True, we will generate the ACL rule "local <> any, deny" as the last rule instead of the default-allow rule that we add today. One implication of this change is that ip-fabric (or any other provider network in future) cannot be connected to a logical router.
3. For any network that is using a provider network, we will add an ACL rule before the default-allow rule to deny traffic between that network and the provider network, e.g. "local <> ip-fabric, deny".
4. When a link is being added between two networks to set a provider network, we will add a check in the api server to make sure that exactly one of those networks has provider-network set to True.
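The rule ordering proposed in the fix plan, written out as an added illustration (this is not Contrail/schema-transformer code; the VN dicts, tuple rule format and the `first_match` evaluator are constructed here to show why an explicit policy still wins over the appended deny):

```python
# Constructed data model: a VN is a dict; an ACL rule is (src, dst, action).
# Rules are symmetric ("<>") and evaluated first-match, as on the bug page.
PROVIDER_NETWORKS = {"ip-fabric"}
IP_FABRIC = {"name": "ip-fabric", "provider_network": True, "provider": None}
VN1 = {"name": "vn1", "provider_network": False, "provider": "ip-fabric"}
VN2 = {"name": "vn2", "provider_network": False, "provider": None}


def acl_rules_for_vn(vn, policy_rules):
    """Ordered network ACL for `vn`: explicit policy rules first, then the
    provider-related deny, then (for non-provider VNs) the default allow."""
    rules = list(policy_rules)
    if vn["provider_network"]:
        # Step 2: provider network ends with local <> any, deny instead of
        # the former default-allow, so no VN reaches it without a policy.
        rules.append(("local", "any", "deny"))
        return rules
    if vn["provider"] in PROVIDER_NETWORKS:
        # Step 3: VN using a provider denies local <> provider before
        # the default allow; it is never reached if a policy allowed it.
        rules.append(("local", vn["provider"], "deny"))
    rules.append(("local", "any", "allow"))
    return rules


def first_match(rules, src, dst):
    """Action of the first rule matching the flow src <> dst, else deny."""
    for r_src, r_dst, action in rules:
        ends = {r_src, r_dst}
        if ends == {src, dst} or ("any" in ends and (src in ends or dst in ends)):
            return action
    return "deny"


def validate_provider_link(vn_a, vn_b):
    """Step 4: api-server check when linking two VNs as provider/consumer;
    exactly one side must be a provider network."""
    return vn_a["provider_network"] != vn_b["provider_network"]
```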