Closed OpenNebulaProject closed 6 years ago
Original Redmine Comment Author Name: Ruben S. Montero (@rsmontero) Original Date: 2014-09-29T17:35:00Z
Thanks for the heads up :)
Original Redmine Comment Author Name: Ruben S. Montero (@rsmontero) Original Date: 2014-10-24T11:40:11Z
Finally, this won't make it for 4.10. I'm moving it to backlog with high priority for the next one.
I believe we have covered IPv6 spoofing in #1126 OvS filters refactoring. Closing.
Author Name: Stefan Kooman (Stefan Kooman) Original Redmine Issue: 3181, https://dev.opennebula.org/issues/3181 Original Date: 2014-09-04 Original Assignee: Jaime Melis
Currently there is ARP cache poisoning protection and MAC spoofing protection. The same trick should be possible for IPv6 addresses. Currently they are not protected from hijacking. This could be done with the following rules (vnm/ovswitch/OpenvSwitch.rb):
```ruby
def ipv6_hijack_prevention
    add_flow("in_port=#{port},ipv6,ipv6_src=#{@nic[:ip6]}",:normal,47000)
end
```
Note that if you want to use arp_cache_poisoning, mac_spoofing and ipv6_hijack_prevention together (dual-stack network) you need different rules for "arp_cache_poisoning" and "mac_spoofing":
```ruby
def arp_cache_poisoning
    add_flow("in_port=#{port},arp,dl_src=#{@nic[:mac]},nw_src=#{@nic[:ip]}",:normal,45000)
    add_flow("in_port=#{port},ip,dl_src=#{@nic[:mac]},nw_src=#{@nic[:ip]}",:normal,46000)
end

def mac_spoofing
    add_flow("in_port=#{port}",:drop,39000)
end
```
The rule `add_flow("in_port=#{port},dl_src=#{@nic[:mac]}",:normal,40000)` creates too permissive a policy for "ipv6_hijack_prevention" to work (it is transparent for IPv6), at least according to my tests. These rules are not compatible with each other, i.e. you can't have mac_spoofing and arp_cache_poisoning/ipv6_hijack_prevention at the same time if not all IP(6) addresses are administered by ONE.

IPv6 (ip6) is currently not available in the "vnm" script directories. IPv6 support needs to be added there as well for this to work in the first place.

According to #2318, "ARP cache poisoning" wasn't meant to be a "global switch" enabled by default. But now it is, and in at least our setups it's impossible to turn it on globally for either arp_cache_poisoning or ipv6_hijack_prevention. IMHO these extra network security features should be made part of a template, with the possibility of a "default on", either by enabling it in "one/vmm_exec/vmm_exec_kvm.conf" or via the global switch(es) in "remotes/vnm/OpenNebulaNetwork.conf", and by making it a "Restricted attribute". You should be able to override it (disable it), but only as (one)admin.
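To make the priority interaction in this report concrete, here is a small Ruby model of how Open vSwitch picks a flow (highest matching priority wins) and what each of the two rule sets from the issue does to IPv4, IPv6 and MAC-spoofed frames leaving a VM port. This is an added example for review purposes, not code from the OpenNebula driver; the NIC values, port number and sample frames are constructed, and the model assumes OVS's default behaviour of a priority-0 NORMAL flow on table miss.

```ruby
# Minimal model of OVS flow-table matching: a flow is (priority, match, action),
# and a packet is handled by the highest-priority flow whose fields all match.
# Added example; not OpenNebula's OpenvSwitch.rb.
Flow = Struct.new(:priority, :match, :action)

# Parse an OVS-style match string such as "in_port=1,ipv6,ipv6_src=2001:db8::5".
# Bare tokens (ip, arp, ipv6) are protocol flags; key=value tokens are exact fields.
def parse_match(str)
  str.split(',').each_with_object({}) do |tok, h|
    k, v = tok.split('=', 2)
    h[k.to_sym] = v.nil? ? true : v
  end
end

# Same call shape as the driver's add_flow, but appends to an in-memory table.
def add_flow(table, match, action, priority)
  table << Flow.new(priority, parse_match(match), action)
end

def matches?(flow, pkt)
  flow.match.all? { |k, v| v == true ? pkt[k] == true : pkt[k].to_s == v }
end

# Highest-priority matching flow wins; with no match, OVS's default
# priority-0 NORMAL flow applies (assumption of this model).
def lookup(table, pkt)
  hit = table.select { |f| matches?(f, pkt) }.max_by(&:priority)
  hit ? hit.action : :normal
end

# Constructed sample VM NIC and switch port (documentation addresses).
NIC  = { mac: '02:00:0a:00:00:05', ip: '10.0.0.5', ip6: '2001:db8::5' }.freeze
PORT = 1

# Rule set proposed in the issue: per-protocol allow rules plus a port-wide drop,
# with no blanket "dl_src matches => normal" rule.
def proposed_rules(nic = NIC, port = PORT)
  t = []
  add_flow(t, "in_port=#{port},ipv6,ipv6_src=#{nic[:ip6]}", :normal, 47000)
  add_flow(t, "in_port=#{port},ip,dl_src=#{nic[:mac]},nw_src=#{nic[:ip]}", :normal, 46000)
  add_flow(t, "in_port=#{port},arp,dl_src=#{nic[:mac]},nw_src=#{nic[:ip]}", :normal, 45000)
  add_flow(t, "in_port=#{port}", :drop, 39000)
  t
end

# The same set with the rule the reporter calls too permissive added back.
def permissive_rules(nic = NIC, port = PORT)
  t = proposed_rules(nic, port)
  add_flow(t, "in_port=#{port},dl_src=#{nic[:mac]}", :normal, 40000)
  t
end

# Constructed frames leaving the VM's port: correct and forged sources.
PACKETS = {
  legit_v6:    { in_port: 1, ipv6: true, dl_src: NIC[:mac], ipv6_src: NIC[:ip6] },
  spoofed_v6:  { in_port: 1, ipv6: true, dl_src: NIC[:mac], ipv6_src: '2001:db8::99' },
  legit_v4:    { in_port: 1, ip: true,   dl_src: NIC[:mac], nw_src: NIC[:ip] },
  spoofed_v4:  { in_port: 1, ip: true,   dl_src: NIC[:mac], nw_src: '10.0.0.99' },
  spoofed_mac: { in_port: 1, ip: true,   dl_src: '02:00:0a:00:00:99', nw_src: NIC[:ip] },
}.freeze

# Verdict (:normal or :drop) for every sample frame under a given rule set.
def verdicts(table)
  PACKETS.transform_values { |pkt| lookup(table, pkt) }
end

if __FILE__ == $0
  puts "proposed:   #{verdicts(proposed_rules)}"
  puts "permissive: #{verdicts(permissive_rules)}"
end
```

Running it shows the reporter's observation: with the proposed set a forged IPv6 or IPv4 source falls through to the 39000 drop, but once the 40000 `dl_src` pass-through is present, any frame with the VM's own MAC is forwarded regardless of its layer-3 source, so the 47000 IPv6 rule only ever matches traffic that would have been allowed anyway.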