xen-users
Re: [Xen-users] [SECURITY] preventing Hwaddr spoofing on bridge
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi Andy,
Andy Smith schreef:
> On Sun, Nov 25, 2007 at 02:30:54AM +0100, Stefan de Konink wrote:
>> Andy Smith schreef:
>>> On Fri, Nov 23, 2007 at 04:02:46AM +0100, Stefan de Konink wrote:
>>>> Is there a way to prevent hwaddr/mac address spoofing between DomU's?
>>> I use ebtables alone to do this. I have the list of MAC addresses
>>> and IP addresses for each domU in a database, and from that I build
>>> an ebtables ruleset. ARP replies from a MAC that does not
>>> correspond with its assigned IPs are dropped and logged.
>>
>> It is *not* the IP addy that borks. It is a duplicate mac address in the
>> bridge. So I 'virtually' take over a MAC address belonging to someone
>> else on the bridge. Binding an IP address to a MAC address is too simple.
>
> I hard code all MAC addresses in the domain config file and when I
> last tested any attempt to change the vif's MAC address after that
> results in no connectivity. Is it still possible?
Just do an xm console host2, then your host2 will be connected...
(basically simulates a 'script' running)
> If so I don't imagine it will be hard to tie MAC address to
> interfaces with ebtables.
I wonder *where* the bridge gets notified about 'some interface has this
new hwaddr now'. I need to know which ruleset (FORWARD, INPUT, BROUTER,
OUTPUT, PREROUTING, etc.) I should limit, for what I *guess* is an ARP packet.
Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHSNWAYH1+F2Rqwn0RCoFuAKCN90ALE8HN4dLEmHzR+k4tZKgh3gCeNhqi
xgbVAto/YjrpDN4P0T8fDfo=
=fWMW
-----END PGP SIGNATURE-----
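Editor's added example (not code from this thread, and not Andy's or Stefan's ruleset): a POSIX sh script that builds the kind of ebtables ruleset Andy describes from an inventory of vif/MAC/IP triples. The point it makes is that there is no separate "new hwaddr" notification to filter: a Linux bridge learns the source MAC of whatever frame arrives on a port, so the control is a rule that ties each ingress vif to its assigned source MAC, with ARP and IPv4 source checks on top. The rules go in the filter table's FORWARD chain, which ebtables applies to frames the bridge passes between ports. The interface names, MAC addresses and IPs are constructed; by default the script only prints the ebtables commands, and EBTABLES=ebtables makes it apply them.

```shell
#!/bin/sh
# Added example: generate an ebtables ruleset that pins each Xen vif to the
# MAC and IP recorded for its domU. Names and addresses below are constructed.

# Constructed inventory (stands in for the database): vif, MAC, IP per line.
INVENTORY='vif1.0 00:16:3e:00:00:01 192.0.2.11
vif2.0 00:16:3e:00:00:02 192.0.2.12
vif3.0 00:16:3e:00:00:03 192.0.2.13'

# Dry run by default: print the commands. Set EBTABLES=ebtables to apply them.
EBTABLES="${EBTABLES:-echo ebtables}"

emit() {
    $EBTABLES "$@"
}

# A duplicate MAC or IP in the inventory would make the ruleset contradict
# itself (two ports both allowed to claim one address), so refuse to build one.
inventory_is_consistent() {
    dups=$( { printf '%s\n' "$INVENTORY" | cut -d' ' -f2
              printf '%s\n' "$INVENTORY" | cut -d' ' -f3; } | sort | uniq -d)
    [ -z "$dups" ]
}

# Rules for one domU port. They match on the ingress interface, so a domU that
# changes its MAC is caught on its own port no matter whose address it took.
pin_vif() {
    vif=$1; mac=$2; ip=$3
    # 1. Any frame entering from this port with a foreign source MAC: log and drop.
    emit -A FORWARD -i "$vif" -s ! "$mac" --log-level info --log-prefix "MACSPOOF-$vif" -j DROP
    # 2. ARP must carry the assigned sender MAC and IP (blocks ARP poisoning of neighbours).
    emit -A FORWARD -i "$vif" -p ARP ! --arp-mac-src "$mac" -j DROP
    emit -A FORWARD -i "$vif" -p ARP ! --arp-ip-src "$ip" -j DROP
    # 3. IPv4 source must be the assigned address.
    emit -A FORWARD -i "$vif" -p IPv4 ! --ip-src "$ip" -j DROP
}

# Flush the chain and rebuild it from the inventory.
apply_ruleset() {
    inventory_is_consistent || { echo "inventory has duplicate MAC or IP" >&2; return 1; }
    emit -F FORWARD
    printf '%s\n' "$INVENTORY" | while read -r vif mac ip; do
        if [ -n "$vif" ]; then
            pin_vif "$vif" "$mac" "$ip"
        fi
    done
}

apply_ruleset
```

Two caveats a practitioner will hit. Frames addressed to dom0 itself traverse INPUT rather than FORWARD, so the same per-vif rules are needed there if dom0 must be protected from a spoofing guest. And the ARP/IP source checks assume static addressing: ARP probes and DHCP discovery use a sender IP of 0.0.0.0 and would be dropped by rules 2 and 3, so guests that use either need an explicit accept for that case before the drops. In my reading of the ebtables chain order, the port/MAC pin can also be placed in the nat table's PREROUTING chain, which is evaluated before FORWARD; that is worth testing on the kernel in use if the concern is the bridge learning the spoofed address before the FORWARD rule drops the frame.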
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users