[Openstack-security] [openstack/neutron] SecurityImpact review request change I7c079b779245a0af6bc793564fa8a560e4226afe

gerrit2 at review.openstack.org gerrit2 at review.openstack.org
Wed Apr 8 22:17:00 UTC 2015


Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/171003

Log:
commit 77f61e9c779ac97663cdbcb1641f87c80161e77d
Author: Kevin Benton <blak111 at gmail.com>
Date:   Sun Mar 29 03:37:25 2015 -0700

    Add simple ARP spoofing protection
    
    Adds an option to set up OVS rules that will prevent
    ports attached to the agent from sending any ARP responses
    that contain an IP address not belonging to the port
    (in fixed IPs or allowed_address_pairs).
    
    It is disabled by default and requires an OVS version that
    can match on ARP fields. If it is too old, traffic will
    still flow but it won't have ARP spoofing protection.
    There is a sanity check to verify that ARP header matching
    is supported.
    
    This prevention is specific to OVS so it will not help with
    other plugins that use the reference iptables filtering. A
    non-OVS-specific general approach will require something like
    the ebtables integration in Ibc6d3d520c1383cf7e00f4bdeb7853a41ac4b14b.
    
    Details:
    A new table is added for ARP spoofing prevention. All ARP traffic
    on the local switching table is sent to this spoofing table.
    The spoofing table will allow all ARP requests because we aren't
    interested in them. It will then install an ARP response allow rule
    for each IP address the port is assigned. All other ARP responses are
    dropped.
    
    DocImpact
    SecurityImpact
    Partial-Bug: #1274034
    
    Change-Id: I7c079b779245a0af6bc793564fa8a560e4226afe
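The flow-table design in the Details section, as an added Python model (not code from this patch or from neutron): requests pass, replies pass only when the sender IP is one the in_port may claim, everything else is dropped. The table number, port numbers and addresses are constructed for illustration; matching against CIDR entries generalises the per-IP rules described above to allowed_address_pairs given as prefixes.

```python
import ipaddress

ARP_REQUEST = 1  # arp_op value of an ARP request
ARP_REPLY = 2    # arp_op value of an ARP reply


def build_arp_spoof_flows(port_to_ips):
    """Model of the ARP spoofing table: (priority, match, action) entries.

    port_to_ips maps an OVS in_port number to the addresses the port may
    answer for (fixed IPs plus allowed_address_pairs, as IPs or CIDRs).
    Sample values are constructed; real flows would be installed with ovs-ofctl.
    """
    flows = [(3, {"arp_op": ARP_REQUEST}, "NORMAL")]  # requests: not interesting, allow
    for port, ips in port_to_ips.items():
        for ip in ips:
            net = ipaddress.ip_network(ip, strict=False)
            flows.append((2, {"in_port": port, "arp_op": ARP_REPLY, "arp_spa": net}, "NORMAL"))
    flows.append((1, {}, "drop"))  # every other ARP reply is dropped
    return flows


def _field_matches(key, want, have):
    if have is None:
        return False
    if key == "arp_spa":  # allow prefix entries, not just single addresses
        return ipaddress.ip_address(have) in want
    return have == want


def lookup(flows, packet):
    """Action of the highest-priority flow whose match fields all hit."""
    for _prio, match, action in sorted(flows, key=lambda f: -f[0]):
        if all(_field_matches(k, v, packet.get(k)) for k, v in match.items()):
            return action
    return "drop"


if __name__ == "__main__":
    table = build_arp_spoof_flows({1: ["10.0.0.5"], 2: ["10.0.0.6", "10.0.1.0/24"]})
    # A reply from port 1 claiming port 2's address is dropped.
    print(lookup(table, {"in_port": 1, "arp_op": ARP_REPLY, "arp_spa": "10.0.0.6"}))
```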
