Preventing ARP spoofing via ebtables

Registered by Juergen Brendel on 2014-10-16

This blueprint describes a solution for bug 1274034 (https://bugs.launchpad.net/neutron/+bug/1274034).

We propose the addition of an 'ebtables manager', which drives the ebtables utility to add/remove filters on the Ethernet frame level. Whenever a new port for a VM is created, we use ebtables to also create frame-level filters, which prevent any gratuitous ARP broadcasts or ARP replies from that port unless the MAC address actually assigned to that VM's interface is used as the source.

An original attempt was made by Édouard Thuleau, who submitted the now-abandoned patch: https://review.openstack.org/#/c/70067/

We propose to implement the ebtables-manager exactly the way Édouard did. However, his patch also changes a lot of code inside of the iptables firewall code, since it replaced several iptables filtering rules with new ebtables rules. This approach was rejected by the community, since the iptables code was seen in need of a re-write and shouldn't be changed at this point.

Therefore, we propose that ebtables is only going to be used for the ARP spoof filter and nothing else at this point. Then only very small hooks need to be inserted in the iptables code, which merely call upon the ebtables code when ports are created or destroyed. The iptables functionality would not be changed at all. The overall impact on the existing iptables code is just a few lines.

Blueprint information

Status:
Complete
Approver:
Kyle Mestery
Priority:
High
Drafter:
Juergen Brendel
Direction:
Approved
Assignee:
None
Definition:
Approved
Series goal:
None
Implementation:
Implemented
Milestone target:
None
Started by
Kyle Mestery on 2014-12-18
Completed by
Armando Migliaccio on 2015-11-13

Related branches

Sprints

Whiteboard

This eventually made it.

March-17 (mestery): Moving out of Kilo, we've run out of time.

February-2 (mestery): Moving to Kilo-3.

December-18 (mestery): Kilo-2.

Gerrit topic: https://review.openstack.org/#q,topic:bug/1274034,n,z

Addressed by: https://review.openstack.org/141130
    Close ARP spoofing vulnerability

Addressed by: https://review.openstack.org/157097
    ARP spoofing patch: Data structures for rules.

Addressed by: https://review.openstack.org/157634
    ARP spoofing patch: Ebtables manager

Addressed by: https://review.openstack.org/158491
    ARP spoofing patch: Ebtables/iptables integration

Gerrit topic: https://review.openstack.org/#q,topic:bug/1430394,n,z

Addressed by: https://review.openstack.org/185072
    Merge branch 'master' into neutron-pecan


Work Items