[openstack-dev] [neutron] Prevent ARP spoofing

Claudiu Belu cbelu at cloudbasesolutions.com
Tue Mar 13 12:10:52 UTC 2018


Indeed ARP spoofing is prevented by default, but AFAIK, if you want it enabled for a port / network, you can simply disable the security groups on that neutron network / port.

Best regards,

Claudiu Belu

From: Татьяна Холкина [holkina at selectel.ru]
Sent: Tuesday, March 13, 2018 12:54 PM
To: openstack-dev at lists.openstack.org
Subject: [openstack-dev] [neutron] Prevent ARP spoofing

I'm using an Ocata release of OpenStack where the option prevent_arp_spoofing can be managed via conf. But later in Pike it was removed and it was decided to prevent spoofing by default.
There are cases where security features should be disabled. As I can see now, we can use a port_security option for these cases. But this option should be set for a particular port or network on create. The default value is set to True [1] and it is impossible to change it. I'd like to suggest getting the default value for port_security [2] from a config option.
It would be nice to know your opinion.

[1] https://github.com/openstack/neutron-lib/blob/stable/queens/neutron_lib/api/definitions/port_security.py#L21
[2] https://github.com/openstack/neutron/blob/stable/queens/neutron/objects/extensions/port_security.py#L24

Best regards,