[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] [SECURITY] preventing Hwaddr spoofing on bridge

Hash: SHA512

Hi Andy,

Andy Smith schreef:
> On Sun, Nov 25, 2007 at 02:30:54AM +0100, Stefan de Konink wrote:
>> Andy Smith schreef:
>>> On Fri, Nov 23, 2007 at 04:02:46AM +0100, Stefan de Konink wrote:
>>>> Is there a way to prevent hwaddr/mac address spoofing between DomU's?
>>> I use ebtables alone to do this.  I have the list of MAC addresses
>>> and IP addresses for each domU in a database, and from that I build
>>> an ebtables ruleset.  ARP replies from a MAC that does not
>>> correspond with its assigned IPs are dropped and logged.
>> It is *not* the IP addy that borks. It is a duplicate mac address in the
>> bridge. So I 'virtually' take over a MAC address belonging to someone
>> else on the bridge. Binding an IP address to a MAC address is too simple.
> I hard code all MAC addresses in the domain config file and when I
> last tested any attempt to change the vif's MAC address after that
> results in no connectivity.  Is it still possible?

Just do a xm console host2, then your host2 will be connected...
(basically simulates a 'script' running)

> If so I don't imagine it will be hard to tie MAC address to
> interfaces with ebtables.

I wonder *where* the bridge gets noticed about 'some interface has this
new hwaddr now'. I need to know which ruleset (FORWARD, INPUT, BROUTER,
OUTPUT, PREROUTING, etc.) I should limit for I *guess* an ARP packet.

Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.