Re: [Xen-users] [SECURITY] preventing Hwaddr spoofing on bridge

Hi Andy,

Andy Smith wrote:
> On Sun, Nov 25, 2007 at 02:30:54AM +0100, Stefan de Konink wrote:
>> Andy Smith wrote:
>>> On Fri, Nov 23, 2007 at 04:02:46AM +0100, Stefan de Konink wrote:
>>>> Is there a way to prevent hwaddr/mac address spoofing between DomU's?
>>> I use ebtables alone to do this. I have the list of MAC addresses
>>> and IP addresses for each domU in a database, and from that I build
>>> an ebtables ruleset. ARP replies from a MAC that does not
>>> correspond with its assigned IPs are dropped and logged.
>>
>> It is *not* the IP addy that borks. It is a duplicate mac address in the
>> bridge. So I 'virtually' take over a MAC address belonging to someone
>> else on the bridge. Binding an IP address to a MAC address is too simple.
>
> I hard code all MAC addresses in the domain config file and when I
> last tested any attempt to change the vif's MAC address after that
> results in no connectivity.

Is it still possible? Just do an xm console host2, then your host2 will be
connected... (basically simulates a 'script' running)

> If so I don't imagine it will be hard to tie MAC address to
> interfaces with ebtables.

I wonder *where* the bridge gets notified about 'some interface has this new
hwaddr now'. I need to know which ruleset (FORWARD, INPUT, BROUTER, OUTPUT,
PREROUTING, etc.) I should limit, for what I *guess* is an ARP packet.

Stefan

Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
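One way to build the kind of ruleset Andy describes, as an added example that is not from the thread and not part of any Xen tool: it pins each vif to its configured MAC and ARP sender fields in the ebtables FORWARD chain, which is the chain that bridged (domU-to-domU) frames traverse. Assumed: stable vif names (for instance set with vifname= in the domain config) and a constructed inventory of vif/MAC/IP records; the script prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example (not from the thread): emit ebtables rules that pin each Xen
# vif to its assigned MAC so one domU cannot borrow another port's address.
# Assumes stable vif names (e.g. vifname= in the domain config). Prints the
# commands; it does not run them.

# Constructed sample inventory ("vif mac ip"); a real setup reads its domU database.
DOMU_TABLE='
vif-host1 00:16:3e:00:00:01 192.0.2.11
vif-host2 00:16:3e:00:00:02 192.0.2.12
'

# Accept only a lower-case, colon-separated MAC so nothing odd reaches the rule line.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Rules for one port. FORWARD sees frames bridged between ports; frames addressed
# to dom0 itself would need the same matches in INPUT.
pin_vif_rules() {
    vif=$1 mac=$2 ip=$3
    valid_mac "$mac" || { echo "bad MAC for $vif: $mac" >&2; return 1; }
    # Any frame entering from this port with a foreign source MAC is logged and dropped.
    printf 'ebtables -A FORWARD -i %s -s ! %s --log --log-prefix "mac-spoof %s: " -j DROP\n' \
        "$vif" "$mac" "$vif"
    # ARP sender fields must match too, or the port could answer (or gratuitously
    # announce) for another guest's MAC/IP pair. Opcode is deliberately not limited
    # to Reply: requests carry the same sender fields.
    printf 'ebtables -A FORWARD -i %s -p ARP --arp-mac-src ! %s --log --log-arp --log-prefix "arp-spoof %s: " -j DROP\n' \
        "$vif" "$mac" "$vif"
    printf 'ebtables -A FORWARD -i %s -p ARP --arp-ip-src ! %s --log --log-arp --log-prefix "arp-spoof %s: " -j DROP\n' \
        "$vif" "$ip" "$vif"
}

# Walk an inventory; returns non-zero if any record was rejected.
gen_ruleset() {
    rc=0
    while read -r vif mac ip; do
        [ -n "$vif" ] || continue
        pin_vif_rules "$vif" "$mac" "$ip" || rc=1
    done <<EOF
$1
EOF
    return $rc
}

gen_ruleset "$DOMU_TABLE"
```

Rules are appended, so the FORWARD chain policy (or a final rule) must still ACCEPT the remaining traffic for these ports to work.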