[openstack-dev] [neutron] Prevent ARP spoofing

Vadim Ponomarev ponomarev at selectel.ru
Mon Mar 19 09:38:56 UTC 2018


Hi,

I support, that is a problem. It's unclear, how after removing the option
prevent_arp_spoofing, I can manage the prevent ARP spoofing mechanism.
Example: I use security groups but I don't want to use ARP spoofing
protection. How do I can disable the protection?

2018-03-14 10:26 GMT+03:00 Tatiana Kholkina <holkina at selectel.ru>:

> Sure, there is an ability to enable ARP spoofing for the port/network, but
> it is impossible to make it enabled by default for all ports.
> It looks a bit complicated to me and I think it would be better to have an
> ability to set default port security via config file.
>
> Best regards,
> Tatiana
>
> 2018-03-13 15:10 GMT+03:00 Claudiu Belu <cbelu at cloudbasesolutions.com>:
>
>> Hi,
>>
>> Indeed ARP spoofing is prevented by default, but AFAIK, if you want it
>> enabled for a port / network, you can simply disable the security groups on
>> that neutron network / port.
>>
>> Best regards,
>>
>> Claudiu Belu
>>
>> ------------------------------
>> *From:* Татьяна Холкина [holkina at selectel.ru]
>> *Sent:* Tuesday, March 13, 2018 12:54 PM
>> *To:* openstack-dev at lists.openstack.org
>> *Subject:* [openstack-dev] [neutron] Prevent ARP spoofing
>>
>> Hi,
>> I'm using an ocata release of OpenStack where the option
>> prevent_arp_spoofing can be managed via conf. But later in pike it was
>> removed and it was decided to prevent spoofing by default.
>> There are cases where security features should be disabled. As I can see
>> now we can use a port_security option for these cases. But this option
>> should be set for a particular port or network on create. The default value
>> is set to True [1] and itt is impossible to change it. I'd like to
>> suggest to get default value for port_security [2] from config option.
>> It would be nice to know your opinion.
>>
>> [1] https://github.com/openstack/neutron-lib/blob/stable/
>> queens/neutron_lib/api/definitions/port_security.py#L21
>> [2] https://github.com/openstack/neutron/blob/stable/queens/
>> neutron/objects/extensions/port_security.py#L24
>>
>> Best regards,
>> Tatiana
>>
>> ____________________________________________________________
>> ______________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscrib
>> e
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
Best regards,
Vadim Ponomarev
Developer of network automation department at Selectel Ltd.

----
This message may contain confidential information that can't be distributed
without the consent of the sender or the authorized person Selectel Ltd.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180319/06d1865a/attachment.html>


More information about the OpenStack-dev mailing list