[one-users] ip spoofing
Stefan Kooman
stefan at bit.nl
Thu May 1 01:39:41 PDT 2014
Quoting Maxim Terletskiy (terletskiy at emu.ru):
> Hi!
>
> No we're using vlans with simple bridging. I've used ovswitch in
> past and do not remember anything about "ip hijacking" prevention in
> it. How can ovswitch know what ip/mac must be on vm interface? Will
> it be useful if VMs are living on different virtualization hosts?
"openvswitch" by itself doesn't do anything to prevent "mac spoofing" or
"ip hijacking". That's done by ONE based on OpenFlow rules. From the
docs [1]:
Mac-spoofing
These rules prevent any traffic from leaving the port if the MAC address
has changed.
in_port=<PORT>,dl_src=<MAC>,priority=40000,actions=normal
in_port=<PORT>,priority=39000,actions=drop
IP hijacking
These rules prevent any traffic from leaving the port for IPv4 addresses
not configured for the VM.
in_port=<PORT>,arp,dl_src=<MAC>,priority=45000,actions=drop
in_port=<PORT>,arp,dl_src=<MAC>,nw_src=<IP>,priority=46000,actions=normal
See /var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb as well.
Using openvswitch gives you exactly what you asked for, without the need
to hack together an ebtables/iptables script. In a much cleaner way, IMHO.
Gr. Stefan
--
| BIT BV http://www.bit.nl/ Kamer van Koophandel 09090351
| GPG: 0xD14839C6 +31 318 648 688 / info at bit.nl
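The rule groups quoted above only work because OpenFlow evaluates the highest-priority matching rule for each frame. The following Ruby is an added illustration, not code from the OpenNebula driver or the list post: it builds the same two rule groups for one VM NIC (port number, MAC and IP are constructed sample values), renders them in ovs-ofctl add-flow syntax, and models the priority lookup so you can see which rule wins for a legitimate frame, a frame with a changed source MAC, and an ARP request claiming an address the VM does not own.

```ruby
# Added example (not OpenNebula's driver code): model the mac-spoofing and
# ip-hijacking rule groups and check which rule wins for constructed frames.
# Port 5, MAC 02:00:0a:00:00:10 and IP 10.0.0.16 are constructed sample values.

# One OpenFlow rule: match fields, priority, action. Only the fields the
# quoted rules use are modelled (in_port, arp, dl_src, nw_src).
Flow = Struct.new(:match, :priority, :action) do
  # A frame matches when every field in the rule equals the frame's field;
  # a field the frame lacks (e.g. no nw_src on a non-ARP frame) never matches.
  def matches?(frame)
    match.all? { |k, v| frame[k] == v }
  end

  # Render the rule in ovs-ofctl add-flow syntax ("arp" is a bare keyword).
  def to_s
    fields = match.map { |k, v| v == true ? k.to_s : "#{k}=#{v}" }
    (fields + ["priority=#{priority}", "actions=#{action}"]).join(",")
  end
end

# Build the anti-spoofing rules for one VM NIC, following the two rule groups
# from the docs: a per-MAC allow with a lower-priority catch-all drop, then a
# per-MAC ARP drop overridden by higher-priority allows for each assigned IP.
def vm_nic_flows(port:, mac:, ips:)
  flows = []
  # mac-spoofing: only frames carrying the VM's MAC may leave the port.
  flows << Flow.new({ in_port: port, dl_src: mac }, 40000, "normal")
  flows << Flow.new({ in_port: port }, 39000, "drop")
  # ip-hijacking: ARP from the VM's MAC is dropped unless the sender IP
  # (nw_src) is one of the IPs configured for this NIC.
  flows << Flow.new({ in_port: port, arp: true, dl_src: mac }, 45000, "drop")
  ips.each do |ip|
    flows << Flow.new({ in_port: port, arp: true, dl_src: mac, nw_src: ip },
                      46000, "normal")
  end
  flows
end

# OpenFlow applies the highest-priority matching rule. A frame matching no
# rule in this set would fall through to the table-miss entry; we report
# that as "miss" so it is visible in the output.
def decide(flows, frame)
  hit = flows.select { |f| f.matches?(frame) }.max_by(&:priority)
  hit ? hit.action : "miss"
end

VM_MAC = "02:00:0a:00:00:10"
FLOWS  = vm_nic_flows(port: 5, mac: VM_MAC, ips: ["10.0.0.16"])

if __FILE__ == $PROGRAM_NAME
  puts "# flows for ovs-ofctl add-flows <bridge> <file>"
  FLOWS.each { |f| puts f }
  puts
  {
    "own MAC, IPv4 frame"        => { in_port: 5, dl_src: VM_MAC },
    "changed MAC"                => { in_port: 5, dl_src: "02:00:0a:00:00:99" },
    "ARP, own IP"                => { in_port: 5, arp: true, dl_src: VM_MAC, nw_src: "10.0.0.16" },
    "ARP, IP not assigned to VM" => { in_port: 5, arp: true, dl_src: VM_MAC, nw_src: "10.0.0.1" },
  }.each { |label, frame| puts "#{label.ljust(28)} -> #{decide(FLOWS, frame)}" }
end
```

Two things the model makes visible: the 39000 catch-all must be a drop, or the mac-spoofing group would allow everything, and the ip-hijacking group only inspects ARP (nw_src is the ARP sender address), so it stops a VM from announcing an address it was not assigned rather than filtering the source address of every IPv4 packet; whether that is enough depends on your threat model, which is worth confirming before relying on it.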