Preventing ARP spoofing via ebtables
This blueprint describes a solution for bug 1274034 (https:/
We propose the addition of an 'ebtables manager', which drives the ebtables utility to add and remove filters at the Ethernet frame level. Whenever a new port for a VM is created, we also use ebtables to create frame-level filters that block any gratuitous ARP broadcast or ARP reply from that port unless the MAC address actually assigned to that VM's interface is used as the source.
An original attempt was made by Édouard Thuleau, who submitted the now-abandoned patch: https:/
We propose to implement the ebtables manager exactly the way Édouard did. However, his patch also changed a lot of code inside the iptables firewall code, since it replaced several iptables filtering rules with new ebtables rules. That approach was rejected by the community, since the iptables code was seen as in need of a rewrite and shouldn't be changed at this point.
Therefore, we propose that ebtables is used only for the ARP spoof filter and for nothing else at this point. Then only very small hooks need to be inserted into the iptables code, which merely call into the ebtables code when ports are created or destroyed. The iptables functionality would not be changed at all; the overall impact on the existing iptables code is just a few lines.
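As an added illustration, not Neutron's own ebtables driver and not code from any of the patches linked on this page, the POSIX shell helper below emits the per-port ebtables commands such a manager would issue: a dedicated chain per port, an ACCEPT rule for ARP frames whose Ethernet source and ARP sender hardware address both equal the assigned MAC, a DROP for every other ARP frame from that port, and a jump into the chain from the filter table's FORWARD chain. The chain-name prefix, the choice of the FORWARD chain, and the device and MAC values are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not Neutron's ebtables manager): generate the ebtables rules that
# confine ARP traffic from one VM port to the port's assigned MAC address.
# Usage: arp_filter_rules <tap-device> <assigned-mac> [add|del]
# Pipe the output into "sh" on a host with ebtables to apply it.

# Accept only a well-formed colon-separated MAC so that a bad value can never
# be spliced into a rule.
valid_mac() {
    printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the ebtables commands for one port.
#   add: create the chain, fill it, then hook it from FORWARD (chain must exist first)
#   del: unhook from FORWARD, flush and delete the chain (reverse order)
arp_filter_rules() {
    dev="$1"; mac="$2"; mode="${3:-add}"
    valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
    # Assumed naming convention; tap names are at most 15 chars, so the chain name
    # stays well below the ebtables chain-name limit.
    chain="neutronARP-${dev}"
    case "$mode" in
        add)
            echo "ebtables -N $chain"
            # ARP frames are accepted only if both the Ethernet source (-s) and the
            # ARP sender hardware address (--arp-mac-src) are the assigned MAC.
            echo "ebtables -A $chain -p ARP -s $mac --arp-mac-src $mac -j ACCEPT"
            # Everything else that claims to be ARP from this port is dropped,
            # which covers spoofed replies and gratuitous ARP for other hosts.
            echo "ebtables -A $chain -p ARP -j DROP"
            # Hook: frames entering the bridge from this port are sent to the chain.
            echo "ebtables -A FORWARD -i $dev -p ARP -j $chain"
            ;;
        del)
            echo "ebtables -D FORWARD -i $dev -p ARP -j $chain"
            echo "ebtables -F $chain"
            echo "ebtables -X $chain"
            ;;
        *)
            echo "unknown mode: $mode (expected add or del)" >&2
            return 1
            ;;
    esac
}

# Demonstration with constructed values (a sample tap device and a sample MAC
# from the locally administered range Neutron typically allocates from).
arp_filter_rules tap1a2b3c4d-5e fa:16:3e:00:00:01 add
```

Only ARP is touched, which mirrors the proposal's scope: IP filtering stays with the existing iptables rules, and the hooks the text describes would call `arp_filter_rules ... add` on port creation and `... del` on port removal.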
Blueprint information
- Status: Complete
- Approver: Kyle Mestery
- Priority: High
- Drafter: Juergen Brendel
- Direction: Approved
- Assignee: None
- Definition: Approved
- Series goal: None
- Implementation: Implemented
- Milestone target: None
- Started by: Kyle Mestery
- Completed by: Armando Migliaccio
Whiteboard
This eventually made it.
March-17 (mestery): Moving out of Kilo, we've run out of time.
February-2 (mestery): Moving to Kilo-3.
December-18 (mestery): Kilo-2.
Gerrit topic: https:/
Addressed by: https:/
Close ARP spoofing vulnerability
Addressed by: https:/
ARP spoofing patch: Data structures for rules.
Addressed by: https:/
ARP spoofing patch: Ebtables manager
Addressed by: https:/
ARP spoofing patch: Ebtables/iptables integration
Gerrit topic: https:/
Addressed by: https:/
Merge branch 'master' into neutron-pecan