[ovs-discuss] filtering macs/ip

Jesse Gross jesse at nicira.com
Thu Apr 29 18:16:53 UTC 2010

On Tue, Apr 27, 2010 at 6:33 PM, Todd Deshane <deshantm at gmail.com> wrote:

> On Tue, Apr 27, 2010 at 9:20 PM, Jesse Gross <jesse at nicira.com> wrote:
> > On Tue, Apr 27, 2010 at 7:37 AM, George Shuklin <nge at narod.ru> wrote:
> >>
> >> Good day.
> >>
> >> Is any way to filter with ovs VM's traffic (like mac spoofing or ip
> >> usurpation)?
> >>
> >> I was tried to find any, but found none.
> >
> > There isn't currently a specific MAC/IP anti-spoofing feature.  You can,
> > however, add flow entries that allows traffic from a given port, MAC, and
> IP
> > and drops everything else.  The ovs-ofctl man page describes how to add
> > flows.
> An explicit feature isn't really necessary though given those three right?

This covers most of the problem.  The one weakness is with ARP, which
contains MAC addresses inside the payload that it is not currently possible
to match on.  We are considering an explicit feature to deal with this issue
but it hasn't been implemented yet.

> An attacker with root on a VM can fake a MAC and IP, but they can't
> plug the VM into a different vswitch port...
> I guess a database feature could be added that makes it so the three
> must be bound in order for flows not to get dropped. But I guess that
> would be more important with migration of VMs and then it gets into
> a more sophisticated controller like NOX probably right?

Right, in general we prefer make the controller deal with this type of issue
where possible.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/ovs-discuss/attachments/20100429/453e67c2/attachment-0001.html>

More information about the discuss mailing list