I found an explanation here:
https://www.redhat.com/archives/libvir-list/2010-June/msg00762.html
"If *no <ip address>* is included, the network filter driver will
activate its '*learning mode*'. This uses libpcap to snoop on
network traffic the guest sends and attempts to identify the
first IP address it uses. It then locks traffic to this
address. *Obviously this isn't entirely secure*, but it does offer some
protection against the guest being trojaned once up & running."
According to what he says, it is created with ebtables rules,
as I was doing directly with ebtables,
but
"All active guests *immediately* have their iptables/ebtables rules
rebuilt."
I applied the filter and checked on the host, but nothing appears
[root@host02 ~]# ebtables -L
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
This post is old (2010); I do not know if there has been any change.
But I'll do some tests and see if it works.
Thanks
2016-09-15 18:17 GMT-03:00 Edward Haas <ehaas(a)redhat.com>:
On Thu, Sep 15, 2016 at 8:49 PM, Marcin Mirecki <mmirecki(a)redhat.com>
wrote:
> Andre,
>
> The clean-traffic is meant to prevent mac/IP/ARP spoofing.
> I am afraid this is the best we can offer out of the box at the moment.
>
> If you are willing to give some additional effort you can try and look at
> the OVS based
> networking (added recently). You could use the vdsm hooks to create some
> additional
> openflow rules on the ovs-switch that would put some constraints on where
> the traffic is going.
>
> One more item which is still in a very early development stage is an
> OVN-provider (http://openvswitch.org/support/dist-docs/ovn-architecture.7.html).
> OVN itself is also still not a ripe project, but is actively being
> developed.
> If you are interested I could update you once we have something working.
>
> Thanks,
> Marcin
>
>
> ----- Original Message -----
> > From: "André Gustavo" <andre(a)andregustavo.org>
> > To: "Marcin Mirecki" <mmirecki(a)redhat.com>
> > Cc: Users(a)ovirt.org
> > Sent: Tuesday, September 13, 2016 11:53:30 PM
> > Subject: Re: [ovirt-users] Associate IP addresses to MAC addresses
> (anti-spoofing rules)
> >
> > I forgot to comment
> >
> > It is a public network (Public IP)
> >
> > I have 2 servers and 1 router
> > I hired an "IP block" that can be accessed through the router
> >
> > For example:
> >
> > Network: 165.112.12.112/28
> > IPs: 165.112.12.113 - 167.114.12.125
> > Gateway: 165.112.12.126 (router)
> >
> > I provide to my client a public IP directly in VM
> >
> > I want to prevent a customer from responding as another customer,
> > or from taking another available IP for himself
> >
> > ----
> >
> > Since my client has access to the "User Portal",
> > will the "clean-traffic" filter prevent him from changing the IP when he
> > shuts down and restarts the VM?
>
This is a security mechanism provided by libvirt to restrict the VM from
communicating
with more than one mac, one IP (and some more restrictions).
If I'm not mistaken, the heuristic (when not set manually in the domxml),
is to lock on the first
source address it detects.
>
> > Thanks,
> > André
> >
> > 2016-09-13 5:57 GMT-03:00 Marcin Mirecki <mmirecki(a)redhat.com>:
> >
> > > Hi André,
> > >
> > > The best separation would be providing a separate network for each
> > > customer.
> > > This way you could protect them from other malicious users on your
> > > internal networks.
> > > Please describe your env in some more detail.
> > >
> > > Thanks,
> > > Marcin
> > >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "André Gustavo" <andre(a)andregustavo.org>
> > > > To: Users(a)ovirt.org
> > > > Sent: Monday, September 12, 2016 8:33:40 PM
> > > > Subject: [ovirt-users] Associate IP addresses to MAC addresses
> > > (anti-spoofing rules)
> > > >
> > > > Aloha,
> > > >
> > > > I'm using oVirt 4 in my hosting.
> > > >
> > > > However, a customer can easily change his IP to another client's (IP
> > > spoofing)
> > > >
> > > > In vNIC profiles, I altered the Network Filter
> > > > from "VDSM-on-mac-spoofing" to "no-ip-spoofing"
> > > >
> > > > It worked partially, but if the client powers off the 'vm' and turns
> > > > on the 'vm',
> > > > he can perform the change in IP
> > > >
> > > > I tried to use ebtables, but also had problems
> > > >
> > > > http://ebtables.netfilter.org/examples/basic.html#ex_anti-spoof
> > > >
> > > >
> > > > What is the best option?
> > > >
> > > >
> > > > --
> > > > ---
> > > > André Gustavo Timermann
> > > > Curitiba/PR - Brasil
> > > >
> > > > _______________________________________________
> > > > Users mailing list
> > > > Users(a)ovirt.org
> > > > http://lists.ovirt.org/mailman/listinfo/users
> > > >
> > >
> >
> >
> >
> > --
> > ---
> > André Gustavo Timermann
> >
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
--
---
André Gustavo Timermann
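The thread above explains that clean-traffic in learning mode locks on whatever source address the guest uses first, so a guest can pick a new address after a power cycle. As an added example (not from this thread, oVirt or libvirt's own documentation), here is a libvirt domain XML interface that attaches clean-traffic with the IP supplied explicitly, so learning mode is not used; the bridge name, target device, MAC and the address 165.112.12.113 from André's range are all assumptions:

```xml
<!-- Added example: a libvirt domxml <interface> with clean-traffic pinned
     to a fixed IP. Bridge, target dev, MAC and IP are constructed values. -->
<interface type='bridge'>
  <!-- assumed bridge name; oVirt names bridges after the logical network -->
  <source bridge='ovirtmgmt'/>
  <!-- constructed MAC; clean-traffic binds the guest to this interface MAC -->
  <mac address='00:1a:4a:16:01:51'/>
  <!-- assumed host-side tap device name -->
  <target dev='vnet0'/>
  <model type='virtio'/>
  <!-- With the IP parameter present the filter does not enter learning
       mode: the guest is restricted to this one address from its first
       packet and the restriction survives a power-off/power-on, because
       nothing is learned from traffic. Without the parameter, the filter
       locks on the first source address it sees after each start. -->
  <filterref filter='clean-traffic'>
    <parameter name='IP' value='165.112.12.113'/>
  </filterref>
</interface>
```

When the domain is running, libvirt installs its per-interface chains (libvirt-I-vnet0 and libvirt-O-vnet0) in the ebtables nat table, hooked from PREROUTING and POSTROUTING, so `ebtables -t nat -L` shows them while the filter table stays empty as in the output above.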