[openstack-dev] [neutron] Prevent ARP spoofing

Tatiana Kholkina holkina at selectel.ru
Wed Mar 14 07:26:36 UTC 2018

Sure, there is an ability to enable ARP spoofing for the port/network, but
it is impossible to make it enabled by default for all ports.
It looks a bit complicated to me and I think it would be better to have an
ability to set default port security via config file.

Best regards,

2018-03-13 15:10 GMT+03:00 Claudiu Belu <cbelu at cloudbasesolutions.com>:

> Hi,
> Indeed ARP spoofing is prevented by default, but AFAIK, if you want it
> enabled for a port / network, you can simply disable the security groups on
> that neutron network / port.
> Best regards,
> Claudiu Belu
> ------------------------------
> *From:* Татьяна Холкина [holkina at selectel.ru]
> *Sent:* Tuesday, March 13, 2018 12:54 PM
> *To:* openstack-dev at lists.openstack.org
> *Subject:* [openstack-dev] [neutron] Prevent ARP spoofing
> Hi,
> I'm using an ocata release of OpenStack where the option
> prevent_arp_spoofing can be managed via conf. But later in pike it was
> removed and it was decided to prevent spoofing by default.
> There are cases where security features should be disabled. As I can see
> now we can use a port_security option for these cases. But this option
> should be set for a particular port or network on create. The default value
> is set to True [1] and itt is impossible to change it. I'd like to
> suggest to get default value for port_security [2] from config option.
> It would be nice to know your opinion.
> [1] https://github.com/openstack/neutron-lib/blob/
> stable/queens/neutron_lib/api/definitions/port_security.py#L21
> [2] https://github.com/openstack/neutron/blob/stable/
> queens/neutron/objects/extensions/port_security.py#L24
> Best regards,
> Tatiana
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180314/883f223b/attachment.html>

More information about the OpenStack-dev mailing list