[ovs-discuss] filtering macs/ip

Todd Deshane deshantm at gmail.com
Wed Apr 28 01:33:29 UTC 2010

On Tue, Apr 27, 2010 at 9:20 PM, Jesse Gross <jesse at nicira.com> wrote:
> On Tue, Apr 27, 2010 at 7:37 AM, George Shuklin <nge at narod.ru> wrote:
>> Good day.
>> Is any way to filter with ovs VM's traffic (like mac spoofing or ip
>> usurpation)?
>> I was tried to find any, but found none.
> There isn't currently a specific MAC/IP anti-spoofing feature.  You can,
> however, add flow entries that allows traffic from a given port, MAC, and IP
> and drops everything else.  The ovs-ofctl man page describes how to add
> flows.

An explicit feature isn't really necessary though given those three right?

An attacker with root on a VM can fake a MAC and IP, but they can't
plug the VM into a different vswitch port...

I guess a database feature could be added that makes it so the three
must be bound in order for flows not to get dropped. But I guess that
would be more important with migration of VMs and then it gets into
a more sophisticated controller like NOX probably right?


More information about the discuss mailing list