This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

Re: [Xen-users] [SECURITY] preventing Hwaddr spoofing on bridge

To: Andy Smith <andy@xxxxxxxxxxxxxx>
Subject: Re: [Xen-users] [SECURITY] preventing Hwaddr spoofing on bridge
From: Stefan de Konink <skinkie@xxxxxxxxx>
Date: Sun, 25 Nov 2007 02:53:04 +0100
Cc: Igor Chubin <igor@xxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20071125014825.GA3347@xxxxxxxxxxx>
References: <474642D6.9060905@xxxxxxxxx> <20071124151225.GA18701@xxxxxxx> <4748D04E.9090802@xxxxxxxxx> <20071125014825.GA3347@xxxxxxxxxxx>
User-agent: Thunderbird (X11/20070911)

Hi Andy,

Andy Smith wrote:
> On Sun, Nov 25, 2007 at 02:30:54AM +0100, Stefan de Konink wrote:
>> Andy Smith wrote:
>>> On Fri, Nov 23, 2007 at 04:02:46AM +0100, Stefan de Konink wrote:
>>>> Is there a way to prevent hwaddr/mac address spoofing between DomU's?
>>> I use ebtables alone to do this.  I have the list of MAC addresses
>>> and IP addresses for each domU in a database, and from that I build
>>> an ebtables ruleset.  ARP replies from a MAC that does not
>>> correspond with its assigned IPs are dropped and logged.
>> It is *not* the IP addy that borks. It is a duplicate mac address in the
>> bridge. So I 'virtually' take over a MAC address belonging to someone
>> else on the bridge. Binding an IP address to a MAC address is too simple.
> I hard code all MAC addresses in the domain config file and when I
> last tested any attempt to change the vif's MAC address after that
> results in no connectivity.  Is it still possible?

Just do a xm console host2, then your host2 will be connected...
(basically simulates a 'script' running)

> If so I don't imagine it will be hard to tie MAC address to
> interfaces with ebtables.

I wonder *where* the bridge gets notified about 'some interface has this
new hwaddr now'. I need to know which ruleset (FORWARD, INPUT, BROUTER,
OUTPUT, PREROUTING, etc.) I should limit, for what I *guess* is an ARP packet.
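The ruleset Andy describes (MAC and IP per domU kept in a database, ebtables rules generated from it) and the chain question Stefan asks, as an added example that is not part of the original thread. The vif names, MAC addresses and IPs below are constructed sample values, and the script only prints the ebtables commands so it can be inspected before being applied as root:

```shell
#!/bin/sh
# Added example: build an ebtables ruleset that pins each Xen vif to its
# assigned MAC and IPv4 address, from a small inline "database".
# Format: vif-name  MAC  IPv4  (constructed sample values, not real hosts).
VIF_DB='vif1.0 00:16:3e:00:00:01 10.0.0.11
vif2.0 00:16:3e:00:00:02 10.0.0.12'

# gen_rules prints one ebtables command per check, for every VIF_DB entry.
# It only prints; apply with "gen_rules | sh" as root once reviewed.
gen_rules() {
    printf '%s\n' "$VIF_DB" | while read -r vif mac ip; do
        [ -n "$vif" ] || continue
        # 1. Pin the Ethernet source MAC in nat/PREROUTING. The Linux bridge
        #    learns source MACs (updates its forwarding database) after the
        #    PREROUTING hook but before filter/FORWARD, so a drop in FORWARD
        #    would still let a duplicate MAC be learned on the wrong port.
        echo "ebtables -t nat -A PREROUTING -i $vif ! -s $mac" \
             "--log-level info --log-prefix 'MAC-SPOOF $vif ' -j DROP"
        # 2. ARP sender fields must match too: a gratuitous ARP can carry a
        #    sender MAC/IP in the ARP payload that differs from the header.
        echo "ebtables -t nat -A PREROUTING -i $vif -p ARP --arp-mac-src ! $mac" \
             "--log-level info --log-prefix 'ARP-SPOOF $vif ' -j DROP"
        echo "ebtables -t nat -A PREROUTING -i $vif -p ARP --arp-ip-src ! $ip" \
             "--log-level info --log-prefix 'ARP-SPOOF $vif ' -j DROP"
        # 3. IPv4 source pin, so a domU cannot send with another guest's IP.
        echo "ebtables -t nat -A PREROUTING -i $vif -p IPv4 --ip-src ! $ip" \
             "--log-level info --log-prefix 'IP-SPOOF $vif ' -j DROP"
    done
}

gen_rules
```

On the chain question: frames bridged from one vif to another pass BROUTING, nat/PREROUTING, filter/FORWARD and nat/POSTROUTING; INPUT and OUTPUT only see frames addressed to or sent from dom0's own bridge interface. The rules above go in nat/PREROUTING rather than FORWARD because of the learning order noted in the comments; BROUTING is not a substitute, since in the broute table DROP means "hand the frame to the local stack", not discard. Logged drops (the `MAC-SPOOF`/`ARP-SPOOF`/`IP-SPOOF` prefixes) give a detection signal per vif, which is the other half of what Andy describes.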
