[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] [SECURITY] preventing Hwaddr spoofing on bridge

  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: Andy Smith <andy@xxxxxxxxxxxxxx>
  • Date: Wed, 28 Nov 2007 12:40:47 +0000
  • Delivery-date: Wed, 28 Nov 2007 04:41:38 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Openpgp: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc


On Tue, Nov 27, 2007 at 03:21:14PM +0100, RafaÅ Kupka wrote:
> On Sun, Nov 25, 2007 at 07:50:23AM +0000, Andy Smith wrote:
> > I see your point.  I hadn't thought of that problem before.  I have
> > done some preliminary testing with ebtables and the following seems
> > to work:
> > 
> > ebtables -t nat -A PREROUTING -i some-vif -s ! aa:00:00:6a:38:0c 
> > --log-level debug --log-prefix 'SPOOF:' -j DROP
> > 
> > Can you still find a way to break it after using this method?
> You can still impersonate other domUs IP addresses. Rooted domUs may
> send spoofed arp replies with MAC address that belong to them.

Yes I already addressed that in my earlier reply in this thread.
The previous one was specifically about spoofing MAC address, which
I had not considered until Stefan brought it up.


Attachment: signature.asc
Description: Digital signature

Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.