WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 

xen-users

Re: [Xen-users] [SECURITY] preventing Hwaddr spoofing on bridge

To: Igor Chubin <igor@xxxxxxx>, andy@xxxxxxxxxxxxxx
Subject: Re: [Xen-users] [SECURITY] preventing Hwaddr spoofing on bridge
From: Stefan de Konink <skinkie@xxxxxxxxx>
Date: Sun, 25 Nov 2007 02:30:54 +0100
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Sat, 24 Nov 2007 17:31:41 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <20071124151225.GA18701@xxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <474642D6.9060905@xxxxxxxxx> <20071124151225.GA18701@xxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.6 (X11/20070911)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Igor Chubin wrote:
> On Fri, Nov 23, 2007 at 04:02:46AM +0100, Stefan de Konink wrote:
>> Is there a way to prevent hwaddr/mac address spoofing between DomU's?
>>
>> So in a way 'binding' a mac-address on boot time with a virtual
>> interface? (with something like ebtables/arptables/etc?)
>
> As far as I understand,
> you can solve your task with ebtables you have mentioned.
>
> Why do you refuse to use it?

I don't refuse to use it... I can break out of it with my current
configuration.


Could you post a rule set that binds a VIF to the known Xen MAC behind it?



Andy Smith wrote:
> On Fri, Nov 23, 2007 at 04:02:46AM +0100, Stefan de Konink wrote:
>> Is there a way to prevent hwaddr/mac address spoofing between DomU's?
>
> I use ebtables alone to do this.  I have the list of MAC addresses
> and IP addresses for each domU in a database, and from that I build
> an ebtables ruleset.  ARP replies from a MAC that does not
> correspond with its assigned IPs are dropped and logged.


It is *not* the IP addy that borks. It is a duplicate mac address in the
bridge. So I 'virtually' take over a MAC address belonging to someone
else on the bridge. Binding an IP address to a MAC address is too simple.


Full example:
Host 1 has mac


Host 2 knows about mac Host 1
Host 2 brings his interface down
Host 2 changes his mac to the mac of host 1
Host 2 brings his interface up. [breaks traffic to Host 1]

Now imagine Host 2 knows about all the MAC addresses on the bridge and
does this in a loop...



Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHSNBNYH1+F2Rqwn0RCnfBAKCFMdugDMDloHF3szzZ2duK6lvbowCfcd+N
IO80TF1ua6pOn/diJ/atacw=
=tTO0
-----END PGP SIGNATURE-----
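The rule set Stefan asks for, as an added example that is not part of this thread and not Andy's or Stefan's code: it generates ebtables commands that pin each Xen VIF to the MAC assigned to its domU. Binding the MAC to the *input interface* (which dom0 controls) rather than to an IP address is what stops the duplicate-MAC case described above: a frame or ARP packet arriving on vif2.0 claiming Host 1's MAC never reaches the bridge. The VIF names, MACs, chain name and the `APPLY=1` switch are constructed for this example; the ebtables options used (`-i`, `-s`, `-p ARP --arp-mac-src`, `--log-prefix`, `vif+` wildcard) are standard ebtables syntax.

```shell
#!/bin/sh
# Added example: build an ebtables ruleset that pins each Xen VIF to the MAC
# assigned to its domU, so a guest cannot claim another guest's MAC on the bridge.
# VIF names, MACs and the chain name below are constructed for illustration.

EBTABLES="${EBTABLES:-ebtables}"
CHAIN="VIFLOCK"

# Constructed VIF-to-MAC mapping, one "vif mac" pair per line (in a real
# deployment this comes from the domU configs or a database, as Andy describes).
VIF_MAC_MAP="vif1.0 00:16:3e:aa:00:01
vif2.0 00:16:3e:aa:00:02
vif3.0 00:16:3e:aa:00:03"

# rules_for VIF MAC: print the ebtables commands for one guest interface.
# Order matters: drop ARP packets whose sender hardware address is not the
# assigned MAC, let frames with the right source MAC through, then log and
# drop whatever else arrives on that VIF (i.e. a spoofed source MAC).
rules_for() {
    vif="$1"
    mac="$2"
    echo "$EBTABLES -A $CHAIN -i $vif -p ARP --arp-mac-src ! $mac -j DROP"
    echo "$EBTABLES -A $CHAIN -i $vif -s $mac -j RETURN"
    echo "$EBTABLES -A $CHAIN -i $vif --log-level info --log-prefix \"$CHAIN $vif: \" -j DROP"
}

# gen_ruleset: print the complete, idempotent ruleset for $VIF_MAC_MAP.
gen_ruleset() {
    echo "$EBTABLES -N $CHAIN 2>/dev/null || true"
    echo "$EBTABLES -F $CHAIN"
    echo "$VIF_MAC_MAP" | while read -r vif mac; do
        [ -n "$vif" ] && rules_for "$vif" "$mac"
    done
    # A guest whose VIF is not in the mapping gets no bridge access at all.
    echo "$EBTABLES -A $CHAIN -i vif+ --log-level info --log-prefix \"$CHAIN unknown: \" -j DROP"
    # Apply to bridged traffic between guests (FORWARD) and to traffic aimed
    # at dom0 itself (INPUT); delete any previous jump first so reruns are safe.
    echo "$EBTABLES -D FORWARD -j $CHAIN 2>/dev/null || true"
    echo "$EBTABLES -A FORWARD -j $CHAIN"
    echo "$EBTABLES -D INPUT -j $CHAIN 2>/dev/null || true"
    echo "$EBTABLES -A INPUT -j $CHAIN"
}

# rule_count: number of commands produced, for a quick sanity check.
rule_count() {
    gen_ruleset | wc -l | tr -d ' '
}

# By default only print the ruleset; APPLY=1 runs it (needs root and ebtables).
if [ "${APPLY:-0}" = "1" ]; then
    gen_ruleset | sh -e
else
    gen_ruleset
fi
```

Frames from the physical uplink do not match `-i vif+`, so they fall through the chain untouched; only guest-originated traffic is checked. Because the check is keyed on the VIF, Host 2 changing its own MAC to Host 1's (the loop scenario above) only produces logged drops on vif2.0 and never disturbs Host 1's traffic. A guest's VIF must be re-pinned whenever its assigned MAC changes, so the generator should be rerun from the same source of truth that xend uses for the domU configuration.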

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users