[one-users] ip spoofing

Maxim Terletskiy terletskiy at emu.ru
Thu May 1 03:17:15 PDT 2014


As you wrote, this is exactly what we were looking for. Thank you very much, 
Stefan! :)

01.05.2014 12:39, Stefan Kooman wrote:
> Quoting Maxim Terletskiy (terletskiy at emu.ru):
>> Hi!
>>
>> No we're using vlans with simple bridging. I've used ovswitch in
>> past and do not remember anything about "ip hijacking" prevention in
>> it. How can ovswitch know what ip/mac must be on vm interface? Will
>> it be useful if VMs live on different virtualization hosts?
> "openvswitch" by itself doesn't do anything to prevent "mac spoofing" or
> "ip hijacking". That's done by ONE based on OpenFlow rules. From the
> docs [1]:
>
> Mac-spoofing
>
> These rules prevent any traffic to come out of the port the MAC address
> has changed.
>
> in_port=<PORT>,dl_src=<MAC>,priority=40000,actions=normal
> in_port=<PORT>,priority=39000,actions=drop
>
> IP hijacking
>
> These rules prevent any traffic to come out of the port for IPv4 IPs
> not configured for a VM
>
> in_port=<PORT>,arp,dl_src=<MAC>,priority=45000,actions=drop
> in_port=<PORT>,arp,dl_src=<MAC>,nw_src=<IP>,priority=46000,actions=normal
>
> See /var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb as well.
>
> Using openvswitch gives you exactly what you asked for, without the need
> for hacking ebtables/iptables script. In a much cleaner way IMHO.
>
> Gr. Stefan
>
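The rule set quoted above can be reproduced and checked offline. The following is an added example, not OpenNebula's OpenvSwitch.rb driver: it builds the four rule shapes from the docs for one VM NIC (the port number, MAC and IP list are assumed inputs that ONE would take from the VM template), renders them in ovs-ofctl add-flow syntax, and runs a minimal priority-ordered matcher so you can confirm which frames a port lets out and which it drops before touching a real bridge.

```ruby
# Added example (not OpenNebula's code). Builds the anti-spoofing OpenFlow
# rules described in the OpenNebula docs for a single VM port and evaluates
# sample frames against them. port/mac/ips are assumed per-NIC inputs.

# Returns the rules in descending priority order, as hashes:
#   { match: {...}, priority: Integer, action: :normal | :drop }
def anti_spoof_rules(port, mac, ips)
  rules = []
  # IP hijacking: ARP from the assigned MAC is dropped unless the ARP sender
  # address (nw_src on an arp match) is one of the VM's configured IPs.
  rules << { match: { in_port: port, arp: true, dl_src: mac },
             priority: 45000, action: :drop }
  ips.each do |ip|
    rules << { match: { in_port: port, arp: true, dl_src: mac, nw_src: ip },
               priority: 46000, action: :normal }
  end
  # MAC spoofing: only frames sourced from the assigned MAC may leave the port;
  # anything else on that port hits the catch-all drop.
  rules << { match: { in_port: port, dl_src: mac }, priority: 40000, action: :normal }
  rules << { match: { in_port: port }, priority: 39000, action: :drop }
  rules.sort_by { |r| -r[:priority] }
end

# Render one rule in the same text form the docs use (ovs-ofctl add-flow).
def to_ofctl(rule)
  m = rule[:match]
  parts = ["in_port=#{m[:in_port]}"]
  parts << "arp" if m[:arp]
  parts << "dl_src=#{m[:dl_src]}" if m[:dl_src]
  parts << "nw_src=#{m[:nw_src]}" if m[:nw_src]
  parts << "priority=#{rule[:priority]}"
  parts << "actions=#{rule[:action]}"
  parts.join(",")
end

# Minimal matcher: the highest-priority rule whose fields all match wins.
# frame keys: :in_port, :dl_src, :arp (true for ARP), :nw_src (ARP sender IP).
# A frame matching no rule falls through to :normal, i.e. the usual
# priority=0,actions=normal default flow on an OVS bridge.
def decide(rules, frame)
  rules.each do |r|
    m = r[:match]
    next if m[:in_port] != frame[:in_port]
    next if m[:dl_src] && m[:dl_src] != frame[:dl_src]
    next if m[:arp] && !frame[:arp]
    next if m[:nw_src] && m[:nw_src] != frame[:nw_src]
    return r[:action]
  end
  :normal
end

if __FILE__ == $0
  # Constructed sample NIC: port 5, one assigned IP.
  rules = anti_spoof_rules(5, "02:00:0a:00:00:01", ["10.0.0.1"])
  rules.each { |r| puts "ovs-ofctl add-flow br0 #{to_ofctl(r)}" }
  samples = {
    "own MAC, IP traffic"       => { in_port: 5, dl_src: "02:00:0a:00:00:01", arp: false },
    "foreign MAC, IP traffic"   => { in_port: 5, dl_src: "02:00:0a:00:00:99", arp: false },
    "own MAC, ARP for own IP"   => { in_port: 5, dl_src: "02:00:0a:00:00:01", arp: true, nw_src: "10.0.0.1" },
    "own MAC, ARP for other IP" => { in_port: 5, dl_src: "02:00:0a:00:00:01", arp: true, nw_src: "10.0.0.7" },
  }
  samples.each { |name, f| puts "#{name}: #{decide(rules, f)}" }
end
```

Note that the docs' rules only inspect the sender address of ARP frames; plain IPv4 packets from the assigned MAC pass on the priority 40000 rule regardless of their source IP, so the "IP hijacking" protection works by keeping the VM from answering ARP for addresses it does not own rather than by filtering every IP packet.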
