[ovs-dev] [PATCH] Add Nicira extension to OpenFlow for dropping spoofed ARP packets.

Jesse Gross jesse at nicira.com
Thu Aug 19 21:53:20 UTC 2010


On Thu, Aug 12, 2010 at 5:04 PM, Ben Pfaff <blp at nicira.com> wrote:

> "ARP spoofing" is when a host claims an incorrect association between an
> IP address and a MAC address for deceptive purposes.  OpenFlow by itself
> can prevent a host from sending out ARP replies from an incorrect MAC
> address in the Ethernet L2 header, but it cannot control the MAC addresses
> inside the ARP L3 packet.  This commit adds a new action that can be used
> to drop these spoofed packets.
>
> CC: Paul Ingram <paul at nicira.com>
>

Need a signed-off-by line now for kernel code.


> +static bool is_spoofed_arp(struct sk_buff *skb, const struct odp_flow_key
> *key)
> +{
> +       struct arp_eth_header *arp;
> +
> +       if (key->dl_type != htons(ETH_P_ARP))
> +               return false;
> +
> +       if (skb_network_offset(skb) + sizeof(struct arp_eth_header) >
> skb->len)
> +               return false;
>
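Review bot: the `return false;` on the short-packet path (after the `skb_network_offset(skb) + sizeof(struct arp_eth_header) > skb->len` test) classifies an ARP frame that is too short to validate as not spoofed and lets it through; for an action whose whole purpose is enforcement, the fail-safe result on a truncated header is `return true;` so the packet is dropped. The length test also compares against `skb->len`, which includes non-linear (paged) data, while the header is afterwards read directly through `skb_network_header(skb)`, which assumes those bytes sit in the linear area; `pskb_may_pull(skb, skb_network_offset(skb) + sizeof(struct arp_eth_header))` handles both the too-short and the non-linear case and should replace the manual comparison.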

I think that invalid packets should get dropped here.  Since this is
specifically a security feature, it shouldn't be possible to bypass it with
weird packets.

This is obviously related to the runt flows set that I still need to look at
in depth but I think here the case for dropping packets is stronger because
the intent of the user is more clear.


> +
> +       arp = (struct arp_eth_header *)skb_network_header(skb);
> +       return (arp->ar_hrd == htons(ARPHRD_ETHER) &&
> +               arp->ar_pro == htons(ETH_P_IP) &&
> +               arp->ar_hln == ETH_ALEN &&
> +               arp->ar_pln == 4 &&
> +               compare_ether_addr(arp->ar_sha, eth_hdr(skb)->h_source));
> +}
>
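Review bot: the single `return (... && compare_ether_addr(...))` expression reports "not spoofed" whenever any of the header sanity checks (`ar_hrd`, `ar_pro`, `ar_hln`, `ar_pln`) fails, so a malformed ARP header bypasses the drop entirely. Split the checks so that a bad header is itself a reason to drop, e.g. `if (arp->ar_hrd != htons(ARPHRD_ETHER) || arp->ar_pro != htons(ETH_P_IP) || arp->ar_hln != ETH_ALEN || arp->ar_pln != 4) return true;` followed by `return compare_ether_addr(arp->ar_sha, eth_hdr(skb)->h_source) != 0;`. The explicit `!= 0` also documents that `compare_ether_addr()` returns non-zero when the two addresses differ, which is the spoofed case; as written the function relies on that implicitly. Note too that `ar_op` is never examined, so the check applies equally to ARP requests and replies; the commit message should say so.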

If ARP fields claim that this isn't Ethernet or the Ethernet address length
is wrong we should definitely drop - something fishy is going on.  Likewise,
if the protocol is IP, the protocol address length better be 4.

Even with this and appropriate MAC and IP flows you can still poison
someone's ARP cache (by responding with someone else's IP).  You may not be
able to see their traffic but you can DoS them.


> +
> +               case ODPAT_DROP_SPOOFED_ARP:
> +                       if (is_spoofed_arp(skb, key))
> +                               goto exit;
> +                       break;
>
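Review bot: the `goto exit` on a spoofed packet discards it without recording anything, so an operator has no way to tell from the datapath whether the action ever fired or how often; a drop counter incremented at this point (or, failing that, a rate-limited log message) would make the feature observable and make misconfiguration, such as a legitimate host with a mismatched sender address, diagnosable.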

This is hopefully unlikely().


> +    case NXAST_DROP_SPOOFED_ARP:
> +        if (ctx->flow.dl_type == htons(ETH_TYPE_ARP)) {
> +            odp_actions_add(ctx->out, ODPAT_DROP_SPOOFED_ARP);
> +        }
> +        break;
>

If this is used on a datapath that doesn't support this action (i.e. the
userspace datapath) it will be silently ignored, right?  That makes me
nervous.