On Tue, Apr 27, 2010 at 6:33 PM, Todd Deshane <desha...@gmail.com> wrote:
> On Tue, Apr 27, 2010 at 9:20 PM, Jesse Gross <je...@nicira.com> wrote:
> > On Tue, Apr 27, 2010 at 7:37 AM, George Shuklin <n...@narod.ru> wrote:
> >>
> >> Good day.
> >>
> >> Is there any way to filter a VM's traffic with ovs (like MAC spoofing or IP
> >> usurpation)?
> >>
> >> I tried to find one, but found none.
> >
> > There isn't currently a specific MAC/IP anti-spoofing feature. You can,
> > however, add flow entries that allow traffic from a given port, MAC, and IP
> > and drop everything else. The ovs-ofctl man page describes how to add
> > flows.
>
> An explicit feature isn't really necessary though given those three, right?

This covers most of the problem. The one weakness is with ARP, which contains MAC addresses inside the payload that it is not currently possible to match on. We are considering an explicit feature to deal with this issue, but it hasn't been implemented yet.

> An attacker with root on a VM can fake a MAC and IP, but they can't
> plug the VM into a different vswitch port...
>
> I guess a database feature could be added that makes it so the three
> must be bound in order for flows not to get dropped. But I guess that
> would be more important with migration of VMs, and then it gets into
> a more sophisticated controller like NOX, probably, right?

Right, in general we prefer to make the controller deal with this type of issue where possible.
_______________________________________________ discuss mailing list discuss@openvswitch.org http://openvswitch.org/mailman/listinfo/discuss_openvswitch.org
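The per-port allow-list Jesse describes (allow a bound port/MAC/IP, drop everything else from that port), written out as an added example that is not code from the thread or from the Open vSwitch project. It assumes the port number, MAC and IPv4 address are supplied by the caller, and that the installed ovs-ofctl supports the arp_sha/arp_spa match fields, which close the ARP-payload gap discussed above but postdate this 2010 thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate per-port anti-spoofing
# flows for Open vSwitch. On in_port=$port only the bound MAC/IP pair
# may send; every other frame arriving on that port is dropped.
# Assumptions: port number, MAC and IPv4 address come from the caller;
# arp_sha/arp_spa are assumed to be supported by the installed ovs-ofctl.

valid_mac()  { printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'; }
valid_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# antispoof_flows PORT MAC IP  -> prints flow lines in ovs-ofctl syntax
antispoof_flows() {
    port=$1 mac=$2 ip=$3
    valid_mac "$mac"  || { echo "bad MAC: $mac" >&2; return 1; }
    valid_ipv4 "$ip"  || { echo "bad IP: $ip" >&2; return 1; }
    # IPv4 from the bound pair is forwarded with normal L2 learning.
    echo "priority=200,in_port=$port,dl_src=$mac,ip,nw_src=$ip,actions=normal"
    # ARP: matching the Ethernet source alone is not enough (Jesse's point),
    # so also pin the sender hardware/protocol fields inside the ARP payload.
    echo "priority=200,in_port=$port,dl_src=$mac,arp,arp_sha=$mac,arp_spa=$ip,actions=normal"
    # Anything else from this port (wrong MAC, wrong IP, IPv6, ...) is dropped.
    # Flows for other ports and the bridge's default flow are untouched.
    echo "priority=100,in_port=$port,actions=drop"
}

# antispoof_apply BRIDGE PORT MAC IP -> installs the rules in one batch
# (ovs-ofctl add-flows reads the flow list from stdin when the file is "-")
antispoof_apply() {
    antispoof_flows "$2" "$3" "$4" | ovs-ofctl add-flows "$1" -
}

# Caveat: a VM that boots via DHCP sends its first packets from 0.0.0.0;
# if that applies, add a priority=200 rule for udp,tp_src=68,tp_dst=67
# with nw_src=0.0.0.0 on the same in_port before the drop rule takes effect.
```

Run as `antispoof_apply br0 3 00:16:3e:aa:bb:cc 10.0.0.5` on the hypervisor; the port number is the OpenFlow port of the VM's vif, visible in `ovs-ofctl show br0`.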