Re: [Xen-users] [SECURITY] preventing Hwaddr spoofing on bridge
Hi Stefan,

On Sun, Nov 25, 2007 at 02:30:54AM +0100, Stefan de Konink wrote:
> Andy Smith wrote:
> > On Fri, Nov 23, 2007 at 04:02:46AM +0100, Stefan de Konink wrote:
> >> Is there a way to prevent hwaddr/mac address spoofing between DomU's?
> >
> > I use ebtables alone to do this. I have the list of MAC addresses
> > and IP addresses for each domU in a database, and from that I build
> > an ebtables ruleset. ARP replies from a MAC that does not
> > correspond with its assigned IPs are dropped and logged.
>
> It is *not* the IP addy that borks. It is a duplicate mac address in the
> bridge. So I 'virtually' take over a MAC address belonging to someone
> else on the bridge. Binding an IP address to a MAC address is too simple.

I hard code all MAC addresses in the domain config file and when I
last tested any attempt to change the vif's MAC address after that
results in no connectivity. Is it still possible?

If so I don't imagine it will be hard to tie MAC address to
interfaces with ebtables.

Cheers,
Andy
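The two ideas in this thread (an ebtables ruleset built from a per-domU list of MACs and IPs, and tying each MAC to its interface) can be combined as below. This is an added example, not code from the thread or from either poster. The vif names, MACs, IPs and the `G_` chain prefix are constructed assumptions, and the ARP check covers every ARP frame's sender fields rather than replies only.

```shell
#!/bin/sh
# Added example: print ebtables commands that pin each domU vif to its
# configured MAC and allow ARP only for its assigned IPs.
# Input on stdin, one guest per line: "<vif> <mac> <ip>[,<ip>...]"
# Negation is written as in the ebtables man page ("-s ! addr").

gen_rules() {
    rc=0
    while read -r vif mac ips; do
        case "$vif" in ''|'#'*) continue ;; esac
        # Refuse malformed MACs instead of emitting a rule that matches nothing.
        if ! printf '%s\n' "$mac" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "skipping $vif: bad MAC '$mac'" >&2
            rc=1
            continue
        fi
        # Hypothetical per-guest chain name, e.g. vif1.0 -> G_vif1_0
        chain="G_$(printf '%s' "$vif" | tr -c 'A-Za-z0-9' '_')"
        echo "ebtables -N $chain"
        # Guest frames go to dom0 (INPUT) or to other bridge ports (FORWARD).
        echo "ebtables -A INPUT -i $vif -j $chain"
        echo "ebtables -A FORWARD -i $vif -j $chain"
        # 1. Ethernet source must be the MAC from the domain config.
        echo "ebtables -A $chain -s ! $mac --log-prefix mac-spoof:$vif -j DROP"
        # 2. The sender MAC inside ARP packets must match as well.
        echo "ebtables -A $chain -p ARP --arp-mac-src ! $mac --log-arp --log-prefix arp-mac:$vif -j DROP"
        # 3. The ARP sender IP must be one of the assigned addresses.
        for ip in $(printf '%s' "$ips" | tr ',' ' '); do
            echo "ebtables -A $chain -p ARP --arp-ip-src $ip -j RETURN"
        done
        echo "ebtables -A $chain -p ARP --log-arp --log-prefix arp-ip:$vif -j DROP"
        # 4. Anything else carrying the right source MAC returns to the caller.
        echo "ebtables -A $chain -j RETURN"
    done
    return $rc
}

# Constructed sample inventory (all values are made up for illustration).
SAMPLE='vif1.0 00:16:3e:00:00:01 192.0.2.10,192.0.2.11
vif2.0 00:16:3e:00:00:02 192.0.2.20'
printf '%s\n' "$SAMPLE" | gen_rules
```

The script only prints commands, so the ruleset can be reviewed before it is piped to a root shell. A guest line with no IPs fails closed: all ARP from that vif is dropped.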