Well,

On 26.07.2012 at 21:01, Jesse Gross <je...@nicira.com> wrote:

> On Thu, Jul 26, 2012 at 11:38 AM, Oliver Francke
> <oliver.fran...@filoo.de> wrote:
>> I think this explains it:
>> 
>> http://www.thegeekstuff.com/2012/01/arp-cache-poisoning/
>> 
>> the packet I'm talking about is the faked arp-reply. Coming from the 
>> attacking VM, telling:
>> My MAC is <correct>, the IP ( faked) is my IP. Please hand over the packets 
>> to me, it's OK.
> 
> Yes, the flow that I gave you will prevent this.  I guarantee that OVS
> can do it because many other people have done it the way that I
> suggested.
> 
> I think you believe that there are two IP source fields in an ARP
> packet the way that there are two Ethernet source addresses.  There
> are not as an ARP packet is an Ethernet packet but not an IP packet.
> 

I have no wireshark right now on my computer to better visualize, but here is 
the tcpdump -vv -r from a captured session:

17:03:10.406001 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.30 is-at 
00:f1:70:00:38:b0 (oui Unknown), length 28
17:03:10.406078 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.1 is-at 
00:f1:70:00:38:b0 (oui Unknown), length 28
17:03:11.416744 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.30 is-at 
00:f1:70:00:38:b0 (oui Unknown), length 28
17:03:11.416847 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.1 is-at 
00:f1:70:00:38:b0 (oui Unknown), length 28

There are no two IP source fields, of course, but I'm talking about faking the 
payload. The evil VM is telling everybody that - having the IP 192.168.1.32 - 
even the other IP .30 and the gateway .1 are on its MAC.
In the _header_ it has the correct source MAC and the correct source IP.

Oliver.


>> Well, you name it ;)
>> I would love to inspect the packet, cause I know the offset, where wrong 
>> IP-address resides.
>> Other than that there are things like arpwatch, make static entries… but if 
>> OVS is able to do it as an intelligent switch, it'll be great.
> 
> OVS can match on all protocol fields in an ARP packet:
> Ethernet source MAC: dl_src
> Ethernet dest MAC: dl_dst
> ARP source protocol address: nw_src
> ARP source hardware address: arp_sha
> ARP target protocol address: nw_dst
> ARP target hardware address: arp_tha

_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss
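The per-port flow Jesse describes, written out as an added example (not code from this thread or from the Open vSwitch project): it builds the ovs-ofctl rules from the fields he lists and replays the match against the captured replies, which shows that nw_src, the ARP sender protocol address in the payload, is exactly the field the evil VM forges. It assumes bridge br0 and OpenFlow port 3 for the VM that legitimately owns 192.168.1.32 with MAC 00:f1:70:00:38:b0; the port number and bridge name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Open vSwitch.  Assumed:
# bridge br0, the VM on OpenFlow port 3, and that VM legitimately owning
# 192.168.1.32 with MAC 00:f1:70:00:38:b0 (addresses from Oliver's capture;
# the port number and bridge name are assumptions).
BRIDGE=br0

# Emit the two flows that pin ARP from one port to one MAC/IP pair, using
# the fields Jesse lists: dl_src (Ethernet source MAC), arp_sha (ARP sender
# hardware address) and nw_src (for ARP, the sender protocol address in the
# payload, i.e. the "is-at" IP in the capture).  ARP requests poison caches
# just as replies do, so the match covers all ARP, not only replies.
arp_guard_flows() {
    port=$1 mac=$2 ip=$3
    echo "priority=200,in_port=$port,arp,dl_src=$mac,arp_sha=$mac,nw_src=$ip,actions=normal"
    # Any other ARP from this port carries a forged sender: drop it.
    echo "priority=100,in_port=$port,arp,actions=drop"
}

# Install the flows; ovs-ofctl add-flows reads one flow per line from stdin.
# Usage: apply_arp_guard 3 00:f1:70:00:38:b0 192.168.1.32
apply_arp_guard() {
    arp_guard_flows "$@" | ovs-ofctl add-flows "$BRIDGE" -
}

# Replay the switch's decision over "tcpdump -vv" ARP reply lines read from
# stdin, given the port's legitimate MAC and IP; prints one verdict per line.
check_capture() {
    mac=$1 ip=$2
    sed -n 's/.*Reply \([0-9.]*\) is-at \([0-9a-f:]*\).*/\1 \2/p' |
    while read -r seen_ip seen_mac; do
        if [ "$seen_ip" = "$ip" ] && [ "$seen_mac" = "$mac" ]; then
            echo "allow $seen_ip is-at $seen_mac"
        else
            echo "drop $seen_ip is-at $seen_mac"
        fi
    done
}

# Constructed sample: two lines from Oliver's capture plus one legitimate
# reply for the VM's own address.
SAMPLE_CAPTURE='17:03:10.406001 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.30 is-at 00:f1:70:00:38:b0 (oui Unknown), length 28
17:03:10.406078 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.1 is-at 00:f1:70:00:38:b0 (oui Unknown), length 28
17:03:12.000000 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.32 is-at 00:f1:70:00:38:b0 (oui Unknown), length 28'

printf '%s\n' "$SAMPLE_CAPTURE" | check_capture 00:f1:70:00:38:b0 192.168.1.32
arp_guard_flows 3 00:f1:70:00:38:b0 192.168.1.32
```

Run `apply_arp_guard` once per VM port; the guard only helps where the provisioning side knows each port's MAC and IP, since a VM whose binding is not pinned is left to the normal action.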
