[ovs-discuss] filtering macs/ip

Todd Deshane deshantm at gmail.com
Wed Apr 28 01:33:29 UTC 2010


On Tue, Apr 27, 2010 at 9:20 PM, Jesse Gross <jesse at nicira.com> wrote:
> On Tue, Apr 27, 2010 at 7:37 AM, George Shuklin <nge at narod.ru> wrote:
>>
>> Good day.
>>
>> Is there any way to filter VMs' traffic with ovs (like MAC spoofing or IP
>> usurpation)?
>>
>> I tried to find one, but found none.
>
> There isn't currently a specific MAC/IP anti-spoofing feature.  You can,
> however, add flow entries that allow traffic from a given port, MAC, and IP
> and drops everything else.  The ovs-ofctl man page describes how to add
> flows.

An explicit feature isn't really necessary though, given those three, right?

An attacker with root on a VM can fake a MAC and IP, but they can't
plug the VM into a different vswitch port...

I guess a database feature could be added that makes it so the three
must be bound in order for flows not to get dropped. But I guess that
would be more important with migration of VMs and then it gets into
a more sophisticated controller like NOX, probably, right?

Todd
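
The port/MAC/IP binding discussed in this thread, written out as flow entries (an added example, not part of the original messages or of the OVS project). The port number, MAC, IP and the bridge name `br0` are constructed sample values, and the `arp_sha`/`arp_spa` match fields assume a current Open vSwitch release.

```shell
#!/bin/sh
# Added example: emit anti-spoofing flow specs that bind one OpenFlow port
# to one MAC and one IPv4 address. All concrete values are constructed.

# antispoof_flows PORT MAC IP
# Prints one ovs-ofctl flow spec per line; returns 1 on malformed input.
antispoof_flows() {
    port=$1 mac=$2 ip=$3
    # Validate first, so a typo cannot silently produce a broader match.
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
    echo "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' \
        || { echo "bad MAC: $mac" >&2; return 1; }
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "bad IPv4: $ip" >&2; return 1; }

    # IPv4 is accepted only when source MAC and source IP are the bound pair.
    echo "priority=100,ip,in_port=$port,dl_src=$mac,nw_src=$ip,actions=normal"
    # ARP must agree in the Ethernet header and in the ARP payload, otherwise
    # the VM could still claim a neighbour's IP in its ARP replies.
    echo "priority=100,arp,in_port=$port,dl_src=$mac,arp_sha=$mac,arp_spa=$ip,actions=normal"
    # Anything else arriving on this port (spoofed MAC/IP, IPv6, DHCP
    # requests sent from 0.0.0.0) falls through to this lower-priority drop.
    echo "priority=50,in_port=$port,actions=drop"
}

# Constructed sample binding: VM on OpenFlow port 5.
antispoof_flows 5 52:54:00:12:34:56 10.0.0.5

# To install on a bridge (assumed name br0):
#   antispoof_flows 5 52:54:00:12:34:56 10.0.0.5 | ovs-ofctl add-flow br0 -
```

A VM that obtains its address via DHCP needs an additional allow rule ahead of the drop, and after a migration the flows must be reinstalled for the new port number.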



