<div dir="auto">Do you need to spoof arbitrary addresses? If not (i.e. a set you know ahead of time), you can put entries in the allowed_address_pairs field of the port that will allow you to send traffic using other MAC/IPs.</div><div class="gmail_extra"><br><div class="gmail_quote">On Mar 19, 2018 8:42 PM, "Vadim Ponomarev" <<a href="mailto:ponomarev@selectel.ru">ponomarev@selectel.ru</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br>I support this; that is a problem. It's unclear how, after removing the option prevent_arp_spoofing, I can manage the ARP spoofing prevention mechanism. Example: I use security groups but I don't want to use ARP spoofing protection. How can I disable the protection?<br></div></div><div class="gmail_extra"><div class="elided-text"><br><div class="gmail_quote">2018-03-14 10:26 GMT+03:00 Tatiana Kholkina <span dir="ltr"><<a href="mailto:holkina@selectel.ru" target="_blank" rel="noreferrer">holkina@selectel.ru</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Sure, there is an ability to enable ARP spoofing for the port/network, but it is impossible to make it enabled by default for all ports.<div>It looks a bit complicated to me and I think it would be better to have an ability to set default port security via config file.</div><div><br></div><div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span 
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Best regards,</span></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Tatiana</span></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-03-13 15:10 GMT+03:00 Claudiu Belu <span dir="ltr"><<a href="mailto:cbelu@cloudbasesolutions.com" target="_blank" rel="noreferrer">cbelu@cloudbasesolutions.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">




<div>
<div style="direction:ltr;font-family:Tahoma;color:#000000;font-size:10pt">Hi,<br>
<br>
Indeed ARP spoofing is prevented by default, but AFAIK, if you want it enabled for a port / network, you can simply disable the security groups on that neutron network / port.<br>
<br>
Best regards,<br>
<br>
Claudiu Belu<br>
<br>
<div style="font-family:Times New Roman;color:#000000;font-size:16px">
<hr>
<div id="m_1915042392102507057m_6589341003032362246m_-9048447337040272059divRpF369882" style="direction:ltr"><font size="2" face="Tahoma" color="#000000"><b>From:</b> Татьяна Холкина [<a href="mailto:holkina@selectel.ru" target="_blank" rel="noreferrer">holkina@selectel.ru</a>]<br>
<b>Sent:</b> Tuesday, March 13, 2018 12:54 PM<br>
<b>To:</b> <a href="mailto:openstack-dev@lists.openstack.org" target="_blank" rel="noreferrer">openstack-dev@lists.openstack.org</a><br>
<b>Subject:</b> [openstack-dev] [neutron] Prevent ARP spoofing<br>
</font><br>
</div><div><div class="m_1915042392102507057m_6589341003032362246h5">
<div></div>
<div>
<div dir="ltr">Hi,
<div>I'm using the Ocata release of OpenStack, where the option prevent_arp_spoofing can be managed via conf. But later, in Pike, it was removed and it was decided to prevent spoofing by default.<br>
</div>
<div>There are cases where security features should be disabled. As I can see now we can use a port_security option for these cases. But this option should be set for a particular port or network on create. The default value is set to True [1] and it<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline"> is impossible to change it</span>. I'd like to suggest getting the default value for port_security [2] from a config option.</div>
<div>It would be nice to know your opinion.<br>
</div>
<div><br>
</div>
<div>[1] <a href="https://github.com/openstack/neutron-lib/blob/stable/queens/neutron_lib/api/definitions/port_security.py#L21" target="_blank" rel="noreferrer">https://github.com/openstack/neutron-lib/blob/stable/queens/neutron_lib/api/definitions/port_security.py#L21</a></div>
<div>[2] <span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline"><a href="https://github.com/openstack/neutron/blob/stable/queens/neutron/objects/extensions/port_security.py#L24" target="_blank" rel="noreferrer">https://github.com/openstack/neutron/blob/stable/queens/neutron/objects/extensions/port_security.py#L24</a></span></div>
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline"><br>
</span></div>
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline">Best
 regards,</span></div>
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline">Tatiana</span></div>
</div>
</div>
</div></div></div>
</div>
</div>

<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>
<br></blockquote></div><br><br clear="all"><div><br></div></div><div class="signature-text">-- <br><div class="m_1915042392102507057gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><font face="tahoma, sans-serif" color="#999999"><span style="font-size:12.8px">Best regards,</span><br>Vadim Ponomarev<br>Developer of network automation department at Selectel Ltd.<br><br><span style="font-size:12.8px">----</span><br><span style="font-size:12.8px">This message may contain confidential information that can't be distributed without the consent of the sender or the authorized person </span><span style="font-size:12.8px">Selectel Ltd</span><span style="font-size:12.8px">.</span></font></div></div></div></div></div>
</div></div><div class="elided-text">
</div></blockquote></div><br></div>
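The two per-port controls discussed in this thread (port_security_enabled and allowed_address_pairs) can be audited across a deployment. The following is an added example, not part of the original thread or of Neutron's code: it takes port records shaped like Neutron's port API output and reports ports where anti-spoofing is off or where an allowed address pair is very broad. The sample ports, the `max_hosts` threshold and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data, shaped like entries from Neutron's port list API.
SAMPLE_PORTS = [
    {"id": "port-a", "mac_address": "fa:16:3e:00:00:01",
     "port_security_enabled": True,
     "fixed_ips": [{"ip_address": "10.0.0.5"}],
     "allowed_address_pairs": []},
    {"id": "port-b", "mac_address": "fa:16:3e:00:00:02",
     "port_security_enabled": True,
     "fixed_ips": [{"ip_address": "10.0.0.6"}],
     "allowed_address_pairs": [
         {"ip_address": "10.0.0.100", "mac_address": "fa:16:3e:00:00:02"}]},
    {"id": "port-c", "mac_address": "fa:16:3e:00:00:03",
     "port_security_enabled": True,
     "fixed_ips": [{"ip_address": "10.0.0.7"}],
     "allowed_address_pairs": [{"ip_address": "0.0.0.0/0"}]},
    {"id": "port-d", "mac_address": "fa:16:3e:00:00:04",
     "port_security_enabled": False,
     "fixed_ips": [{"ip_address": "10.0.0.8"}],
     "allowed_address_pairs": []},
]


def permitted_sources(port):
    """Return (mac, network) pairs the port may send from, or None if unfiltered."""
    if not port.get("port_security_enabled", True):
        return None  # port security off: no anti-spoofing rules apply
    own_mac = port["mac_address"].lower()
    pairs = [(own_mac, ipaddress.ip_network(f["ip_address"]))
             for f in port.get("fixed_ips", [])]
    for entry in port.get("allowed_address_pairs", []):
        # An address pair without a MAC falls back to the port's own MAC.
        mac = (entry.get("mac_address") or own_mac).lower()
        net = ipaddress.ip_network(entry["ip_address"], strict=False)
        pairs.append((mac, net))
    return pairs


def audit(ports, max_hosts=256):
    """Map port id -> finding. max_hosts is an arbitrary review threshold."""
    findings = {}
    for port in ports:
        allowed = permitted_sources(port)
        if allowed is None:
            findings[port["id"]] = "port security disabled: no anti-spoofing"
            continue
        wide = [str(net) for _, net in allowed if net.num_addresses > max_hosts]
        if wide:
            findings[port["id"]] = "broad allowed_address_pairs: " + ", ".join(wide)
    return findings
```
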