Re: Routing for Isolation Segments
Hi Shannon,
Thanks for the feedback solicitation on this feature, and for sharing the
inception summary material with the community.
In the case of Orange, the partitioned routing table is a must for running
IS in production. Access control would be useful to enhance the user
experience in the CLI and reduce the troubleshooting burden on CF operators,
but wouldn't count toward the security ratings evaluated for onboarding
sensitive apps in CF. We see it as important as well, but of lower priority
than the partitioned routing table.
One use case we have for IS is to have one IS for production internet-facing
applications, and one IS for intranet-facing applications. The partitioned
routing table protects intranet-facing applications from being exposed on the
internet in case of a faulty load balancer configuration.
I also added some misc comments to the inception summary slides.
Besides, I did not see any mention in the summary material of access
control to NATS or the routing API per isolation segment, to account for the
compromise scenario discussed below. This is likely to be a must for
our organization to be able to leverage isolation segments: CVE-2016-6655
makes some people in our organization judge that such vulnerabilities
make the compromise scenario below realistic and too risky for some of our
applications that would have liked to benefit from a CF instance leveraging IS.
Compromise scenario: the compromise of an IS1 could allow an attacker to
compromise another IS2 through the shared control plane (NATS or routing
API in this case). A potentially exploitable compromise across IS could be
(in the case of the shared routing control plane) to alter another IS's
routing table, resulting in:
- denial of service (unregistering all routes into another IS),
- routing traffic to a malicious route service, being therefore able to
sniff all traffic from another IS.
I wonder whether there is still a 2nd phase plan to address this compromise
scenario and if so, if you could share some details.
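The difference between the two controls discussed in this message, as an added toy model that is not part of the original email and is not Cloud Foundry code: the `Router` class, the publisher identities, the ACL and the sample messages are all constructed assumptions. It shows that partitioning alone keeps the intranet route out of the internet router's table, while only a per-segment check on the shared bus rejects a registration or unregistration forged by a cell of another segment.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Router:
    """Toy router serving one isolation segment (hypothetical model)."""
    segment: str
    acl: Optional[dict] = None   # publisher -> segments it may speak for; None = no access control
    table: dict = field(default_factory=dict)  # uri -> {"backends", "route_service_url"}

    def _accept(self, publisher, msg):
        # Partitioned routing table: ignore messages tagged for another segment.
        if msg.get("isolation_segment") != self.segment:
            return False
        # Per-segment access control: the publisher must be allowed for this segment.
        if self.acl is not None and self.segment not in self.acl.get(publisher, set()):
            return False
        return True

    def register(self, publisher, msg):
        if not self._accept(publisher, msg):
            return False
        for uri in msg["uris"]:
            entry = self.table.setdefault(uri, {"backends": set(), "route_service_url": None})
            entry["backends"].add((msg["host"], msg["port"]))
            if msg.get("route_service_url"):
                entry["route_service_url"] = msg["route_service_url"]
        return True

    def unregister(self, publisher, msg):
        if not self._accept(publisher, msg):
            return False
        for uri in msg["uris"]:
            self.table.pop(uri, None)  # simplification: drops the whole route
        return True

# Constructed sample data: two cell identities and one intranet route.
ACL = {"cell-internet": {"internet"}, "cell-intranet": {"intranet"}}
HR = {"isolation_segment": "intranet", "host": "10.0.2.5", "port": 8080,
      "uris": ["hr.corp.example"]}
FORGED = dict(HR, host="10.0.1.9", route_service_url="https://rs.invalid")

def run(acl):
    internet, intranet = Router("internet", acl), Router("intranet", acl)
    for r in (internet, intranet):   # shared bus: every router sees every message
        r.register("cell-intranet", HR)
    forged_ok = intranet.register("cell-internet", FORGED)   # sent from the other segment
    wiped = intranet.unregister("cell-internet", HR)
    return (internet.table.get("hr.corp.example"), forged_ok, wiped,
            intranet.table.get("hr.corp.example"))
```

`run(None)` models partitioning only, `run(ACL)` adds the per-segment check; in both cases the internet router never learns the intranet route.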
On Wed, Jan 25, 2017 at 3:12 AM, Mike Youngstrom <youngm(a)gmail.com> wrote:
Got it, so what I said before holds. We view access control as a must and