Next steps with new review server

Jeremy Stanley fungi at yuggoth.org
Thu Apr 8 19:48:35 UTC 2021


On 2021-04-08 15:43:33 +1000 (+1000), Ian Wienand wrote:
> On Thu, Apr 01, 2021 at 02:35:32PM -0700, Clark Boylan wrote:
> > I ended up double checking the mirror node and in
> > mirror.ca-ymq-1.vexxhost.opendev.org:/etc/netplan/50-cloud-init.yaml
> > you can see what we did there. Essentially we set dhcpv6 and
> > accept-ra to false then set an address and routes. We should be able
> > to do the same thing with the new review host if we can't figure
> > anything else out.
> 
> > [3] https://launchpad.net/bugs/1844712
> 
> So we have a work around in production but also [3] being marked as an
> open security bug.
> 
> Are we happy enough that ignoring RAs is sufficient to overcome the
> issues discussed in [3] for this service?  The concern mostly seemed
> to be a targeted MITM attack; something which ssh host keys and SSL
> certificates should cover?

Yes, I think ignoring RAs is probably sufficient. Nobody seems to
have yet figured out how the leak happens or what else could be
leaked, but as you note the fact that a MitM couldn't usefully
spoof a viable HTTPS or SSH connection endpoint is sufficient
insurance against anything worse, so we can just focus on mitigating
the stability problem arising from stray leaks for now.
-- 
Jeremy Stanley
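An added illustration of the netplan workaround quoted above (not code from the thread or from any OpenDev host): it emits the hardened stanza (dhcp6 and accept-ra off, static address and default route) and audits command output for leftover RA-learned state. The interface name, the 2001:db8::/32 addresses and the sample sysctl / ip output are constructed for the example.

```python
"""Audit an Ubuntu host for IPv6 router-advertisement (RA) exposure.

Added example for the netplan workaround discussed in the thread: disable
DHCPv6 and RA acceptance, then assign the v6 address and default route
statically. Interface name, addresses and the sample command output below
are constructed for illustration (2001:db8::/32 is the documentation
prefix); none of it is copied from an OpenDev host.
"""
import re


def netplan_static_v6(iface: str, addr_cidr: str, gateway: str) -> str:
    """Return the hardened netplan stanza as YAML text.

    accept-ra: false becomes IPv6AcceptRA=no for systemd-networkd, so no
    RA-learned address or route is installed; the address and default
    route are then configured statically. IPv4 settings are left out.
    """
    return (
        "network:\n"
        "  version: 2\n"
        "  ethernets:\n"
        f"    {iface}:\n"
        "      dhcp6: false\n"
        "      accept-ra: false\n"
        "      addresses:\n"
        f"        - {addr_cidr}\n"
        "      routes:\n"
        '        - to: "::/0"\n'
        f"          via: {gateway}\n"
    )


# `sysctl net.ipv6.conf.<iface>.accept_ra` prints "key = value"; value 1 or 2
# means the kernel itself is accepting RAs.
ACCEPT_RA = re.compile(
    r"^net\.ipv6\.conf\.(?P<iface>[^.]+)\.accept_ra\s*=\s*(?P<val>\d)"
)
# `ip -6 route` tags routes learned from router advertisements "proto ra";
# this holds both for kernel-installed and for networkd-installed routes.
RA_ROUTE = re.compile(r"\bproto ra\b")


def audit_ra_state(sysctl_out: str, route_out: str, iface: str) -> dict:
    """Report the accept_ra sysctl and any RA-learned routes for iface.

    The route table is the authoritative check: systemd-networkd sets the
    kernel's accept_ra to 0 on links it manages and processes RAs itself,
    so a 0 sysctl alone does not prove RAs are being ignored.
    """
    findings = {"iface": iface, "accept_ra": None, "ra_routes": []}
    for line in sysctl_out.splitlines():
        m = ACCEPT_RA.match(line.strip())
        if m and m.group("iface") == iface:
            findings["accept_ra"] = int(m.group("val"))
    for line in route_out.splitlines():
        if RA_ROUTE.search(line) and f" dev {iface} " in f" {line} ":
            findings["ra_routes"].append(line.strip())
    findings["ok"] = not findings["ra_routes"]
    return findings


# Constructed sample output: a host still honouring RAs ...
SYSCTL_BEFORE = "net.ipv6.conf.ens3.accept_ra = 1\nnet.ipv6.conf.lo.accept_ra = 1\n"
ROUTES_BEFORE = """\
2001:db8:100::/64 dev ens3 proto kernel metric 256 pref medium
fe80::/64 dev ens3 proto kernel metric 256 pref medium
default via fe80::1 dev ens3 proto ra metric 1024 expires 1771sec pref medium
"""
# ... and the same host after the netplan change was applied.
SYSCTL_AFTER = "net.ipv6.conf.ens3.accept_ra = 0\nnet.ipv6.conf.lo.accept_ra = 1\n"
ROUTES_AFTER = """\
2001:db8:100::/64 dev ens3 proto kernel metric 256 pref medium
fe80::/64 dev ens3 proto kernel metric 256 pref medium
default via 2001:db8:100::1 dev ens3 proto static metric 1024 pref medium
"""

if __name__ == "__main__":
    print(netplan_static_v6("ens3", "2001:db8:100::10/64", "2001:db8:100::1"))
    print(audit_ra_state(SYSCTL_BEFORE, ROUTES_BEFORE, "ens3"))
    print(audit_ra_state(SYSCTL_AFTER, ROUTES_AFTER, "ens3"))
```

On a real host, feed audit_ra_state the output of `sysctl net.ipv6.conf.<iface>.accept_ra` and `ip -6 route`; an RA-learned default route showing up after the change means the stanza was not applied to the interface that receives the stray RAs. SLAAC addresses (`ip -6 addr`, flagged `dynamic`) are worth checking the same way.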