
Re: [Xen-users] [SECURITY] preventing Hwaddr spoofing on bridge




Igor Chubin schreef:
> On Fri, Nov 23, 2007 at 04:02:46AM +0100, Stefan de Konink wrote:
>> Is there a way to prevent hwaddr/mac address spoofing between DomU's?
>>
>> So in a way 'binding' a mac-address on boot time with a virtual
>> interface? (with something like ebtables/arptables/etc?)
>
> As far as I understand,
> you can solve your task with ebtables you have mentioned.
>
> Why do you refuse to use it?

I don't refuse to use it... I can break out of it with my current
configuration.


Could you post a rule set that binds a VIF to the known Xen MAC behind it?



Andy Smith schreef:
> On Fri, Nov 23, 2007 at 04:02:46AM +0100, Stefan de Konink wrote:
>> Is there a way to prevent hwaddr/mac address spoofing between DomU's?
>
> I use ebtables alone to do this.  I have the list of MAC addresses
> and IP addresses for each domU in a database, and from that I build
> an ebtables ruleset.  ARP replies from a MAC that does not
> correspond with its assigned IPs are dropped and logged.


It is *not* the IP addy that borks. It is a duplicate mac address in the
bridge. So I 'virtually' take over a MAC address belonging to someone
else on the bridge. Binding an IP address to a MAC address is too simple.


Full example:
Host 1 has mac


Host 2 knows about mac Host 1
Host 2 brings his interface down
Host 2 changes his mac to the mac of host 1
Host 2 brings his interface up. [breaks traffic to Host 1]

Now imagine Host 2 knows about all the MAC addresses on the bridge and
does this in a loop...



Stefan
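One shape the requested rule set can take, as an added example that is not part of the original thread: a generator that emits, for each VIF, ebtables rules dropping any frame or ARP entering the bridge from that port with a source MAC other than the one assigned to it. The VIF names and MACs in the table are constructed, and the rules are printed rather than applied.

```shell
#!/bin/sh
# Constructed sample table: one "<vif> <mac>" pair per line, as the bridge
# host would take from its domU configuration (names and MACs are assumed).
VIF_TABLE='vif1.0 00:16:3e:00:00:01
vif2.0 00:16:3e:00:00:02'

# Return 0 if $1 is a well-formed lowercase unicast MAC (the multicast bit of
# the first octet must be clear, so 01:... or ff:... is rejected).
valid_mac() {
    case "$1" in
        [0-9a-f][02468ace]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit ebtables commands that pin each VIF to its assigned MAC:
#  - a frame entering the bridge from the VIF with any other source MAC is dropped
#  - an ARP packet from the VIF whose sender hardware address differs is dropped
# Matching is on the ingress port, so a domU that rewrites its own MAC to a
# neighbour's cannot get those frames onto the bridge.
gen_vif_rules() {
    printf '%s\n' "$1" | while read -r vif mac; do
        [ -n "$vif" ] || continue
        valid_mac "$mac" || { echo "bad MAC for $vif: $mac" >&2; return 1; }
        echo "ebtables -A FORWARD -i $vif -s ! $mac -j DROP"
        echo "ebtables -A FORWARD -i $vif -p ARP --arp-mac-src ! $mac -j DROP"
    done
}

gen_vif_rules "$VIF_TABLE"
```

Run the printed commands as root on the Dom0 bridge host after reviewing them; a domU's existing traffic stops the moment its frames no longer carry the assigned MAC.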

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users