On Tue, Nov 27, 2007 at 03:21:14PM +0100, Rafał Kupka wrote:
> On Sun, Nov 25, 2007 at 07:50:23AM +0000, Andy Smith wrote:
> > I see your point. I hadn't thought of that problem before. I have
> > done some preliminary testing with ebtables and the following seems
> > to work:
> > ebtables -t nat -A PREROUTING -i some-vif -s ! aa:00:00:6a:38:0c
> > --log-level debug --log-prefix 'SPOOF:' -j DROP
> > Can you still find a way to break it after using this method?
> You can still impersonate other domUs IP addresses. Rooted domUs may
> send spoofed arp replies with MAC address that belong to them.
Yes I already addressed that in my earlier reply in this thread.
The previous one was specifically about spoofing MAC address, which
I had not considered until Stefan brought it up.
Description: Digital signature
Xen-users mailing list