On Thu, Jul 26, 2012 at 11:38 AM, Oliver Francke
<oliver.fran...@filoo.de> wrote:
> I think this explains it:
>
> http://www.thegeekstuff.com/2012/01/arp-cache-poisoning/
>
> the packet I'm talking about is the faked arp-reply. Coming from the 
> attacking VM, telling:
> My MAC is <correct>, the IP ( faked) is my IP. Please hand over the packets 
> to me, it's OK.

Yes, the flow that I gave you will prevent this.  I guarantee that OVS
can do it because many other people have done it the way that I
suggested.

I think you believe that there are two IP source fields in an ARP
packet the way that there are two Ethernet source addresses.  There
are not, as an ARP packet is an Ethernet packet but not an IP packet.

> Well, you name it ;)
> I would love to inspect the packet, cause I know the offset, where wrong 
> IP-address resides.
> Other than that there are things like arpwatch, make static entries… but if 
> OVS is able to do it as an intelligent switch, it'll be great.

OVS can match on all protocol fields in an ARP packet:
Ethernet source MAC: dl_src
Ethernet dest MAC: dl_dst
ARP source protocol address: nw_src
ARP source hardware address: arp_sha
ARP target protocol address: nw_dst
ARP target hardware address: arp_tha
_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss
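An added example of the flow approach described above (not from the original thread): a POSIX shell helper that emits ovs-ofctl rules pinning one VM port to its assigned MAC and IP for ARP, so a reply whose sender hardware address (arp_sha) or sender protocol address (nw_src) does not belong to that VM is dropped. The bridge name, port number, MAC and IP are constructed placeholders.

```shell
#!/bin/sh
# Print OpenFlow rules (ovs-ofctl add-flows syntax, one per line) that
# only let a VM send ARP packets carrying its own MAC and IP.
#   $1 = OpenFlow port number of the VM's vif
#   $2 = MAC address assigned to the VM
#   $3 = IP address assigned to the VM
arp_guard_flows() {
    port="$1"; mac="$2"; ip="$3"
    # Accept ARP only when the Ethernet source, the ARP sender hardware
    # address and the ARP sender protocol address (nw_src == arp_spa for
    # dl_type 0x0806) all match what this port was given.
    printf 'priority=100,in_port=%s,arp,dl_src=%s,arp_sha=%s,nw_src=%s,actions=normal\n' \
        "$port" "$mac" "$mac" "$ip"
    # Any other ARP from this port is a forged sender field: drop it.
    printf 'priority=90,in_port=%s,arp,actions=drop\n' "$port"
}

# Default rule so non-ARP traffic still uses normal L2 learning.
default_flow() {
    printf 'priority=0,actions=normal\n'
}

# Install the guard for one VM on a bridge, e.g.
#   install_arp_guard br0 1 52:54:00:aa:bb:01 10.0.0.11
# Verify afterwards with:
#   ovs-ofctl dump-flows br0
install_arp_guard() {
    bridge="$1"; shift
    { arp_guard_flows "$@"; default_flow; } | ovs-ofctl add-flows "$bridge" -
}

# Run only when invoked with all four arguments (bridge port mac ip).
if [ "$#" -eq 4 ]; then
    install_arp_guard "$@"
fi
```

Repeat `arp_guard_flows` for every VM port on the bridge; the priority-90 drop must be per port so one VM's spoofed reply cannot claim another VM's IP.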