[one-users] ip spoofing

Stefan Kooman stefan at bit.nl
Thu May 1 01:39:41 PDT 2014


Quoting Maxim Terletskiy (terletskiy at emu.ru):
> Hi!
> 
> No, we're using VLANs with simple bridging. I've used ovswitch in the
> past and do not remember anything about "ip hijacking" prevention in
> it. How can ovswitch know what IP/MAC must be on a VM interface? Will
> it be useful if VMs are living on different virtualization hosts?

"openvswitch" by itself doesn't do anything to prevent "mac spoofing" or
"ip hijacking". That's done by ONE based on OpenFlow rules. From the
docs [1]:

Mac-spoofing

These rules prevent any traffic from coming out of the port if the MAC
address has changed.

in_port=<PORT>,dl_src=<MAC>,priority=40000,actions=normal
in_port=<PORT>,priority=39000,actions=drop

IP hijacking

These rules prevent any traffic from coming out of the port for IPv4
addresses not configured for a VM.

in_port=<PORT>,arp,dl_src=<MAC>,priority=45000,actions=drop
in_port=<PORT>,arp,dl_src=<MAC>,nw_src=<IP>,priority=46000,actions=normal

See /var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb as well.

Using openvswitch gives you exactly what you asked for, without the need
for hacking ebtables/iptables scripts. In a much cleaner way, IMHO.

Gr. Stefan

-- 
| BIT BV  http://www.bit.nl/        Kamer van Koophandel 09090351
| GPG: 0xD14839C6                   +31 318 648 688 / info at bit.nl
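As an added illustration that is not part of this thread or of the OpenNebula driver, the following POSIX sh helper prints the `ovs-ofctl add-flow` lines for the two rule sets quoted above for one VM port; the bridge name, OpenFlow port number, MAC and allowed IPv4 addresses are assumed caller-supplied values.

```shell
# Added example, not from the OpenNebula ovswitch driver or the thread.
# Prints the OpenFlow anti-spoofing rules for one VM port as "ovs-ofctl
# add-flow" lines. Arguments: bridge, OpenFlow port number, VM MAC, then
# zero or more IPv4 addresses the VM is allowed to ARP for. Output is
# printed rather than applied so it can be reviewed before piping to sh.
antispoof_flows() {
  br=$1; port=$2; mac=$3; shift 3
  # MAC spoofing: frames from the port carrying the assigned source MAC
  # pass; anything else from that port hits the lower-priority drop rule.
  printf 'ovs-ofctl add-flow %s in_port=%s,dl_src=%s,priority=40000,actions=normal\n' "$br" "$port" "$mac"
  printf 'ovs-ofctl add-flow %s in_port=%s,priority=39000,actions=drop\n' "$br" "$port"
  # IP hijacking: drop ARP from the VM MAC by default (priority 45000),
  # then allow ARP only for each configured IPv4 address (priority 46000,
  # which wins because OpenFlow matches the highest-priority rule first).
  printf 'ovs-ofctl add-flow %s in_port=%s,arp,dl_src=%s,priority=45000,actions=drop\n' "$br" "$port" "$mac"
  for ip in "$@"; do
    printf 'ovs-ofctl add-flow %s in_port=%s,arp,dl_src=%s,nw_src=%s,priority=46000,actions=normal\n' "$br" "$port" "$mac" "$ip"
  done
}

# Number of rules generated: 3 fixed rules plus one per allowed IP.
antispoof_flow_count() {
  antispoof_flows "$@" | wc -l | tr -d ' '
}

# Constructed sample input: bridge br0, port 5, a made-up MAC, two IPs.
antispoof_flows br0 5 02:00:0a:00:00:05 10.0.0.5 10.0.0.6
```

A VM given a second NIC or address needs its own port's rules regenerated; the per-IP allow rules are what tie the permitted ARP traffic to the addresses ONE has configured for that VM.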
