This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] [SECURITY] preventing Hwaddr spoofing on bridge

To: Stefan de Konink <skinkie@xxxxxxxxx>
Subject: Re: [Xen-users] [SECURITY] preventing Hwaddr spoofing on bridge
From: Andy Smith <andy@xxxxxxxxxxxxxx>
Date: Sun, 25 Nov 2007 01:48:25 +0000
Cc: Igor Chubin <igor@xxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Sat, 24 Nov 2007 17:49:13 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <4748D04E.9090802@xxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Openpgp: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc
References: <474642D6.9060905@xxxxxxxxx> <20071124151225.GA18701@xxxxxxx> <4748D04E.9090802@xxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.13 (2006-08-11)
Hi Stefan,

On Sun, Nov 25, 2007 at 02:30:54AM +0100, Stefan de Konink wrote:
> Andy Smith schreef:
> > On Fri, Nov 23, 2007 at 04:02:46AM +0100, Stefan de Konink wrote:
> >> Is there a way to prevent hwaddr/mac address spoofing between DomU's?
> >
> > I use ebtables alone to do this.  I have the list of MAC addresses
> > and IP addresses for each domU in a database, and from that I build
> > an ebtables ruleset.  ARP replies from a MAC that does not
> > correspond with its assigned IPs are dropped and logged.
> It is *not* the IP addy that borks. It is a duplicate mac address in the
> bridge. So I 'virtually' take over a MAC address belonging to someone
> else on the bridge. Binding an IP address to a MAC address is too simple.

I hard code all MAC addresses in the domain config file and, when I
last tested, any attempt to change the vif's MAC address after that
resulted in no connectivity.  Is it still possible?

If so, I don't imagine it will be hard to tie MAC addresses to
interfaces with ebtables.


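The two mechanisms discussed in this thread (Andy's per-domU ebtables ruleset built from a database, and tying each MAC to its vif so a duplicate MAC on the bridge is dropped) combined into one generator script. This is an added example, not code from the post or from Xen; the vif names, MACs and IPs are constructed, and the table stands in for Andy's database.

```shell
#!/bin/sh
# Build an ebtables ruleset that pins each domU vif to its assigned MAC and
# its ARP traffic to its assigned IPs.  Added example; all values constructed.

# Constructed inventory: one line per (vif, assigned MAC, assigned IPv4).
# A domU may have several IPs, hence repeated vif/MAC pairs.
DOMU_TABLE='vif1.0 00:16:3e:00:00:01 192.0.2.11
vif2.0 00:16:3e:00:00:02 192.0.2.12
vif2.0 00:16:3e:00:00:02 192.0.2.13'

# Print the rules for one vif.  Any frame entering the bridge through $vif
# whose Ethernet source is not the assigned MAC is logged and dropped, so a
# domU that changes its MAC to a neighbour's never reaches the bridge.
# ARP is accepted only when both the sender MAC inside the ARP payload and
# the sender IP are the assigned ones; everything else is logged and dropped.
rules_for_vif() {
    vif=$1; mac=$2; shift 2
    echo "ebtables -A FORWARD -i $vif -s ! $mac --log-prefix MACSPOOF: -j DROP"
    for ip in "$@"; do
        echo "ebtables -A FORWARD -i $vif -p ARP --arp-mac-src $mac --arp-ip-src $ip -j ACCEPT"
    done
    echo "ebtables -A FORWARD -i $vif -p ARP --log-arp --log-prefix ARPSPOOF: -j DROP"
}

# Group the table's IPs per vif/MAC pair and emit the complete ruleset.
# Output is printed rather than executed so it can be reviewed or piped to sh.
build_ruleset() {
    echo "ebtables -F FORWARD"
    printf '%s\n' "$DOMU_TABLE" | awk '
        { key = $1 " " $2; ips[key] = ips[key] " " $3 }
        END { for (k in ips) print k ips[k] }' | sort |
    while read -r vif mac ips; do
        # $ips is intentionally unquoted: a space-separated list of IPs
        rules_for_vif "$vif" "$mac" $ips
    done
}

build_ruleset
```

Vif names follow the domain id, so in a real deployment this would be driven from the vif hotplug script rather than a static table; frames to dom0 itself traverse the INPUT chain and would need the same rules there.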

Xen-users mailing list