[Bug 2053113] Please test proposed package

James Page 2053113 at bugs.launchpad.net
Mon Mar 18 09:25:14 UTC 2024


Hello Frode, or anyone else affected,

Accepted ovn into zed-proposed. The package will build now and be
available in the Ubuntu Cloud Archive in a few hours, and then in the
-proposed repository.

Please help us by testing this new package. To enable the -proposed
repository:

  sudo add-apt-repository cloud-archive:zed-proposed
  sudo apt-get update

Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-zed-needed to verification-zed-done. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-zed-failed. In either case, details of your testing
will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!

** Changed in: cloud-archive/zed
       Status: Triaged => Fix Committed

** Tags added: verification-zed-needed

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2053113

Title:
  Insufficient validation of incoming BFD packets.

Status in Ubuntu Cloud Archive:
  Invalid
Status in Ubuntu Cloud Archive antelope series:
  Fix Committed
Status in Ubuntu Cloud Archive zed series:
  Fix Committed
Status in ovn package in Ubuntu:
  Fix Released

Bug description:
  As part of implementing an overlay network, OVN configures tunnel
  ports in Open vSwitch (OVS). To monitor the health of the tunnel and
  remote hypervisor the OVS Bidirectional Forwarding Detection (BFD)
  functionality is enabled by setting `enable` to 'true' in the `bfd`
  column.

  In addition to monitoring the health of the tunnel, the tunnel BFD
  status is used to make forwarding decisions that may impact multiple
  nodes and users of a cluster.

  The BFD packets are transmitted in-band in the tunnel, along with
  other traffic, and in its default configuration, OVS will consider any
  BFD packet with TTL 255 received on the tunnel as originating from the
  privileged peer on the other side of the tunnel.

  Traffic from unprivileged users connected to a VIF is also
  transmitted in these tunnels, and it is trivial for an end user of a
  system using OVS/OVN to transmit BFD packets from a container or
  virtual machine that will be tunneled through the system with TTL 255.

  Fortunately, traffic originating from or destined to a VIF is labeled
  with a VNI, aka tunnel key. There exists an OVS BFD option called
  `check_tnl_key`, which makes OVS only consider BFD packets that have a
  tunnel key of zero.

  Setting the `check_tnl_key` option to 'true' mitigates the issue,
  because the OVN pipeline design ensures only the OVS generated BFD
  packets would have a tunnel key of zero.

  The options on the tunnel ports are however managed by OVN, and any
  attempt at manually setting them will be immediately reverted;
  consequently, this becomes a security issue in OVN.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2053113/+subscriptions
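One way an operator can audit a hypervisor for the condition described in the bug is to parse the output of `ovs-vsctl --format=json list Interface` and flag every BFD-enabled tunnel interface that does not carry `check_tnl_key=true`. This is an added example, not code from the bug report or from OVN/OVS; the interface names and the JSON sample are constructed, and `find_unguarded_bfd_tunnels` is a hypothetical helper name.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `ovs-vsctl --format=json list Interface`.
# OVSDB encodes map columns as ["map", [[key, value], ...]].
SAMPLE_OVS_VSCTL_JSON = json.dumps({
    "headings": ["name", "type", "bfd", "bfd_status"],
    "data": [
        # BFD on, but no check_tnl_key: any TTL-255 BFD packet is trusted.
        ["ovn-hv2-0", "geneve",
         ["map", [["enable", "true"]]],
         ["map", [["state", "up"]]]],
        # BFD on with the mitigation: only tunnel-key-zero BFD is considered.
        ["ovn-hv3-0", "geneve",
         ["map", [["enable", "true"], ["check_tnl_key", "true"]]],
         ["map", [["state", "up"]]]],
        # Tunnel without BFD, and a non-tunnel port: both out of scope.
        ["ovn-hv4-0", "geneve", ["map", []], ["map", []]],
        ["br-int", "internal", ["map", []], ["map", []]],
    ],
})


def _map_to_dict(cell) -> Dict[str, str]:
    """Decode an OVSDB map cell (["map", [[k, v], ...]]) into a dict."""
    if isinstance(cell, list) and len(cell) == 2 and cell[0] == "map":
        return {k: v for k, v in cell[1]}
    return {}


def find_unguarded_bfd_tunnels(json_text: str) -> List[str]:
    """Return the names of interfaces with bfd:enable=true but without
    bfd:check_tnl_key=true, i.e. ports that accept in-band BFD packets
    regardless of the tunnel key they arrive with."""
    table = json.loads(json_text)
    idx = {heading: i for i, heading in enumerate(table["headings"])}
    findings = []
    for row in table["data"]:
        bfd = _map_to_dict(row[idx["bfd"]])
        if bfd.get("enable") != "true":
            continue
        if bfd.get("check_tnl_key") != "true":
            findings.append(row[idx["name"]])
    return findings


if __name__ == "__main__":
    # On a real host, feed in: ovs-vsctl --format=json list Interface
    for name in find_unguarded_bfd_tunnels(SAMPLE_OVS_VSCTL_JSON):
        print(f"{name}: bfd enabled without check_tnl_key=true")
```

On an OVN-managed host the tunnel options belong to ovn-controller, which reverts manual edits, so a finding here is a signal that the fixed ovn package is needed rather than something to patch by hand.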
