
Re: [Xen-users] [SECURITY] preventing Hwaddr spoofing on bridge

Hi Stefan,

On Sun, Nov 25, 2007 at 02:30:54AM +0100, Stefan de Konink wrote:
> Andy Smith wrote:
> > On Fri, Nov 23, 2007 at 04:02:46AM +0100, Stefan de Konink wrote:
> >> Is there a way to prevent hwaddr/mac address spoofing between DomU's?
> >
> > I use ebtables alone to do this.  I have the list of MAC addresses
> > and IP addresses for each domU in a database, and from that I build
> > an ebtables ruleset.  ARP replies from a MAC that does not
> > correspond with its assigned IPs are dropped and logged.
> It is *not* the IP addy that borks. It is a duplicate mac address in the
> bridge. So I 'virtually' take over a MAC address belonging to someone
> else on the bridge. Binding an IP address to a MAC address is too simple.

I hard code all MAC addresses in the domain config file and, when I
last tested, any attempt to change the vif's MAC address after that
resulted in no connectivity.  Is it still possible?

If so I don't imagine it will be hard to tie MAC address to
interfaces with ebtables.


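As an added illustration of the approach the thread is circling (pin each domU's vif to its assigned MAC, and only let ARP and IPv4 through when the sender fields match the assignment), here is a POSIX shell generator for such an ebtables ruleset. It is not code from this thread or from the Xen project: the inventory is constructed (in the post above it would come from the database), the vif names, MACs and 192.0.2.x addresses are made up, and the log prefixes are arbitrary. Only the ebtables options it emits are real: `-i` (incoming bridge port), `-s !` (negated source MAC), `-p ARP`/`-p IPv4` with `--arp-mac-src`, `--arp-ip-src` and `--ip-src`, and the `--log-*` watcher.

```shell
#!/bin/sh
# Generate (and optionally apply) ebtables rules that tie each domU vif to
# its assigned MAC and IP addresses.  Added example; not from the original
# post.  Inventory below is constructed: one line per domU,
# "<vif> <mac> <comma-separated-ips>".
INVENTORY='vif1.0 00:16:3e:00:00:01 192.0.2.10
vif2.0 00:16:3e:00:00:02 192.0.2.20,192.0.2.21'

# gen_vif_rules VIF MAC "IP1 IP2 ..." -> prints the ebtables commands for one vif.
# All rules match on -i VIF, so each vif's rules only see frames that domU
# injects into the bridge; the bridge's own MAC learning can then never be
# poisoned by a guest sourcing someone else's hardware address.
gen_vif_rules() {
    vif=$1
    mac=$2
    ips=$3

    # 1. Layer 2: any frame whose source MAC is not the assigned one is the
    #    duplicate-MAC case Stefan describes.  Log it and drop it.
    printf 'ebtables -A FORWARD -i %s -s ! %s --log-prefix "xen-mac-spoof: " --log-level warn -j DROP\n' \
        "$vif" "$mac"

    # 2. ARP (requests and replies alike): accept only when the ARP sender
    #    MAC is the assigned MAC and the sender IP is one of the assigned IPs;
    #    everything else is gratuitous/poisoning traffic and is logged+dropped.
    for ip in $ips; do
        printf 'ebtables -A FORWARD -i %s -p ARP --arp-mac-src %s --arp-ip-src %s -j ACCEPT\n' \
            "$vif" "$mac" "$ip"
    done
    printf 'ebtables -A FORWARD -i %s -p ARP --log-prefix "xen-arp-spoof: " --log-arp --log-level warn -j DROP\n' \
        "$vif"

    # 3. IPv4: the same binding for the IP header's source address.
    for ip in $ips; do
        printf 'ebtables -A FORWARD -i %s -p IPv4 --ip-src %s -j ACCEPT\n' \
            "$vif" "$ip"
    done
    printf 'ebtables -A FORWARD -i %s -p IPv4 --log-prefix "xen-ip-spoof: " --log-ip --log-level warn -j DROP\n' \
        "$vif"

    # 4. Default deny for this vif: any other ethertype (IPv6, VLAN tags,
    #    LLDP, ...) is dropped.  Deliberate choice for a strict hosting
    #    bridge; relax it if guests legitimately need other protocols.
    printf 'ebtables -A FORWARD -i %s --log-prefix "xen-other-drop: " --log-level warn -j DROP\n' \
        "$vif"
}

# gen_ruleset -> prints a complete FORWARD-chain ruleset for every domU
# in INVENTORY (flushing the chain first so reruns are idempotent).
gen_ruleset() {
    printf 'ebtables -F FORWARD\n'
    printf '%s\n' "$INVENTORY" | while read -r vif mac ips; do
        [ -n "$vif" ] || continue
        gen_vif_rules "$vif" "$mac" "$(printf '%s' "$ips" | tr ',' ' ')"
    done
}

# Usage:  sh genrules.sh            # print the rules for review
#         sh genrules.sh --apply    # pipe them into sh as root
case "${1:-}" in
    --apply) gen_ruleset | sh ;;
    *)       gen_ruleset ;;
esac
```

Two practical notes. The rules above sit in FORWARD, which covers guest-to-guest and guest-to-uplink traffic on the bridge; frames a domU sends to dom0 itself traverse INPUT instead, so the same rules have to be repeated there if dom0 is reachable on the bridge. And because every rule keys on `-i vifN.M`, the ruleset must be regenerated (or the relevant lines added) whenever a domain is started and its vif name is assigned, which is why the original poster drives it from the same database that holds the hard-coded MACs.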

Xen-users mailing list
