Comment 47 for bug 1274034

Kris Lindgren (klindgren) wrote :

I completely agree with George on this. You have a use case where neutron fails to correctly isolate on multi-tenant networks. This "incomplete feature" set was never called out in documentation as a possible trade-off. So if nothing else, you have a known issue that causes neutron to not provide appropriate isolation under specific configurations, in a trivial-to-reproduce manner. This would lead to things that would be at a minimum considered bugs and most likely vulnerabilities.

Without a patch this "incomplete feature" allows trivial man-in-the-middle attacks, taking VMs offline of any tenant at will, taking over the metadata IP, from there one could easily change/spoof people's metadata including changing it to add credentials/users for other tenants' VMs. This could also lead to someone breaking VM provisioning (metadata/userdata) scripts for other tenants. One could also trivially take over the gateway for flat-networked tenants, allowing a VM to see all the routed traffic on that network. If one also managed to spin up a VM on the shared public network that people's "correctly isolated" private L2 routers attach to, one could also take over traffic/floating IPs destined for routers that neutron should be handling. I have seen on the mailing list people wanting to support both private and shared networks, so this is a completely plausible configuration.

Re: comment #9. Comment #8 specifically talks about backporting this change to latest stable --- which would be kilo/juno - no? And previous comments dealt more with handling this issue in the open as opposed to behind closed doors (i.e. only the security team and people involved in the fix can see the bug). Kevin Benton's patch only works on OVS. Last time I checked, ml2 supported more than just OVS, whereas this patch fixes it no matter the switch technology being used.