[openstack-dev] [neutron] Prevent ARP spoofing
holkina at selectel.ru
Wed Mar 14 07:26:36 UTC 2018
Sure, there is an ability to enable ARP spoofing for the port/network, but
it is impossible to make it enabled by default for all ports.
It looks a bit complicated to me and I think it would be better to have an
ability to set default port security via config file.
2018-03-13 15:10 GMT+03:00 Claudiu Belu <cbelu at cloudbasesolutions.com>:
> Indeed ARP spoofing is prevented by default, but AFAIK, if you want it
> enabled for a port / network, you can simply disable the security groups on
> that neutron network / port.
> Best regards,
> Claudiu Belu
> *From:* Татьяна Холкина [holkina at selectel.ru]
> *Sent:* Tuesday, March 13, 2018 12:54 PM
> *To:* openstack-dev at lists.openstack.org
> *Subject:* [openstack-dev] [neutron] Prevent ARP spoofing
> I'm using an ocata release of OpenStack where the option
> prevent_arp_spoofing can be managed via conf. But later in pike it was
> removed and it was decided to prevent spoofing by default.
> There are cases where security features should be disabled. As I can see
> now we can use a port_security option for these cases. But this option
> should be set for a particular port or network on create. The default value
> is set to True and it is impossible to change it. I'd like to
> suggest to get default value for port_security from config option.
> It would be nice to know your opinion.
>  https://github.com/openstack/neutron-lib/blob/
>  https://github.com/openstack/neutron/blob/stable/
> Best regards,
> OpenStack Development Mailing List (not for usage questions)