neutron/neutron
Kevin Benton aa7356b729 Add simple ARP spoofing protection
Adds an option to set up OVS rules that will prevent
ports attached to the agent from sending any ARP responses
that contain an IP address not belonging to the port
(in fixed IPs or allowed_address_pairs).

It is disabled by default and requires an OVS version that
can match on ARP fields. If it is too old, traffic will
still flow but it won't have ARP spoofing protection.
There is a sanity check to verify that ARP header matching
is supported.

This prevention is specific to OVS so it will not help with
other plugins that use the reference iptables filtering. A
non-OVS-specific general approach will require something like
the ebtables integration in Ibc6d3d520c1383cf7e00f4bdeb7853a41ac4b14b.

Details:
A new table is added for ARP spoofing prevention. All ARP traffic
on the local switching table is sent to this spoofing table.
The spoofing table will allow all ARP requests because we aren't
interested in them. It will then install an ARP response allow rule
for each IP address the port is assigned. All other ARP responses are
dropped.

DocImpact
SecurityImpact
Partial-Bug: #1274034

Change-Id: I7c079b779245a0af6bc793564fa8a560e4226afe
2015-03-29 20:57:07 -07:00
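To make the "Details" paragraph concrete, here is an added example (not neutron's own code, and not the agent's real table layout) that builds ovs-ofctl style flow strings for the scheme described above and then walks them with a small toy evaluator to show which ARP frames a protected port can still emit. Table numbers, priorities, the `ArpFrame` type, the `evaluate` helper and the `priority=0,actions=NORMAL` fallback for unprotected ports are all assumptions of this example; the match fields used (`arp`, `in_port`, `arp_op`, `arp_spa`) are standard OVS match fields.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Table numbers are assumptions for this example; the agent's real layout differs.
LOCAL_SWITCHING_TABLE = 0
ARP_SPOOF_TABLE = 24
ARP_REQUEST, ARP_REPLY = 1, 2


def base_flows() -> list[str]:
    """Flows that do not depend on any port: divert every ARP frame to the
    spoofing table, let ARP requests through unchecked, and fall back to
    normal L2 switching for ports with no protection rules (an assumption)."""
    return [
        f"table={LOCAL_SWITCHING_TABLE},priority=10,arp,actions=resubmit(,{ARP_SPOOF_TABLE})",
        f"table={LOCAL_SWITCHING_TABLE},priority=0,actions=NORMAL",
        f"table={ARP_SPOOF_TABLE},priority=3,arp,arp_op={ARP_REQUEST},actions=NORMAL",
        f"table={ARP_SPOOF_TABLE},priority=0,actions=NORMAL",
    ]


def port_flows(ofport: int, allowed_ips: list[str]) -> list[str]:
    """Per-port rules: one allow rule per IP the port may answer for (fixed IPs
    plus allowed_address_pairs), then a lower-priority drop for any other reply."""
    flows = []
    for ip in allowed_ips:
        ip_address(ip)  # raise ValueError on a malformed address rather than install a bad rule
        flows.append(
            f"table={ARP_SPOOF_TABLE},priority=2,arp,in_port={ofport},"
            f"arp_op={ARP_REPLY},arp_spa={ip},actions=NORMAL"
        )
    flows.append(f"table={ARP_SPOOF_TABLE},priority=1,arp,in_port={ofport},actions=drop")
    return flows


@dataclass(frozen=True)
class ArpFrame:
    """Constructed stand-in for an ARP frame: only the fields the rules look at."""
    in_port: int
    arp_op: int
    arp_spa: str  # sender protocol address, i.e. the IP the frame claims to own

    def match_fields(self) -> dict:
        return {"arp": True, "in_port": self.in_port, "arp_op": self.arp_op, "arp_spa": self.arp_spa}


def _parse_flow(flow: str):
    """Split 'table=N,priority=P,k=v,proto,actions=X' into ({k: v, proto: None}, X)."""
    criteria, actions = flow.split(",actions=", 1)
    match = {}
    for tok in criteria.split(","):
        key, _, value = tok.partition("=")
        match[key] = value if value else None
    return match, actions


def _matches(match: dict, fields: dict) -> bool:
    for key, value in match.items():
        if key in ("table", "priority"):
            continue
        if value is None:  # bare protocol keyword such as "arp"
            if key not in fields:
                return False
        elif str(fields.get(key)) != value:
            return False
    return True


def evaluate(flows: list[str], frame: ArpFrame) -> str:
    """Toy pipeline walk: start in table 0, take the highest-priority match,
    follow resubmit(,N), and report 'forward' (NORMAL) or 'drop'. A table
    miss drops, as a conservative convention for this example only."""
    parsed = [_parse_flow(f) for f in flows]
    fields = frame.match_fields()
    table = LOCAL_SWITCHING_TABLE
    for _ in range(8):  # guard against a resubmit loop
        hits = [(int(m["priority"]), a) for m, a in parsed
                if int(m["table"]) == table and _matches(m, fields)]
        if not hits:
            return "drop"
        _, action = max(hits, key=lambda h: h[0])
        if action == "drop":
            return "drop"
        if action == "NORMAL":
            return "forward"
        if action.startswith("resubmit(,") and action.endswith(")"):
            table = int(action[len("resubmit(,"):-1])
            continue
        raise ValueError(f"unsupported action {action!r}")
    raise RuntimeError("resubmit loop")


def demo() -> dict:
    # Constructed sample: port 5 owns 10.0.0.5 and has 10.0.0.100 as an allowed
    # address pair; port 6 has no protection rules (as when OVS is too old).
    flows = base_flows() + port_flows(5, ["10.0.0.5", "10.0.0.100"])
    cases = {
        "legit_reply": ArpFrame(5, ARP_REPLY, "10.0.0.5"),
        "address_pair_reply": ArpFrame(5, ARP_REPLY, "10.0.0.100"),
        "spoofed_reply": ArpFrame(5, ARP_REPLY, "10.0.0.1"),
        "request_any_ip": ArpFrame(5, ARP_REQUEST, "10.0.0.1"),
        "unprotected_port_reply": ArpFrame(6, ARP_REPLY, "10.0.0.1"),
    }
    return {name: evaluate(flows, frame) for name, frame in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>24}: {verdict}")
```

The evaluator is only there to make the rule ordering visible: a reply whose `arp_spa` is not in the port's allowed set falls through the per-IP allow rules to the per-port drop, while requests and unprotected ports are switched normally, which is exactly the behaviour the commit message describes for the real OVS tables.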
agent Add simple ARP spoofing protection 2015-03-29 20:57:07 -07:00
api Merge "Move network MTU from core REST API to extension API" 2015-04-04 20:13:55 +00:00
callbacks Migrate to oslo.log 2015-03-12 11:22:56 +01:00
cmd Add simple ARP spoofing protection 2015-03-29 20:57:07 -07:00
common Merge "Implement default subnet pool configuration settings" 2015-04-01 21:54:03 +00:00
db Merge "Fix docstring for l3_dvr_db.dvr_vmarp_table_update" 2015-04-06 22:33:45 +00:00
debug Migrate to oslo.log 2015-03-12 11:22:56 +01:00
extensions Move network MTU from core REST API to extension API 2015-04-02 12:48:56 -04:00
hacking Migrate to oslo.log 2015-03-12 11:22:56 +01:00
ipam Simple subnetpool allocation quotas 2015-03-31 20:56:31 +00:00
locale Imported Translations from Transifex 2015-04-03 06:13:58 +00:00
notifiers Reuse nova batch notifier 2015-03-20 13:55:08 +00:00
openstack Migrate to oslo.log 2015-03-12 11:22:56 +01:00
plugins Add simple ARP spoofing protection 2015-03-29 20:57:07 -07:00
scheduler Fix a usage error of joinedload + filter in l3 scheduler 2015-03-25 15:06:21 +09:00
server Migrate to oslo.log 2015-03-12 11:22:56 +01:00
services Refactoring cleanup for L3 agent callbacks 2015-04-03 11:09:28 -04:00
tests Add simple ARP spoofing protection 2015-03-29 20:57:07 -07:00
__init__.py Revert "monkey patch stdlib before importing other modules" 2015-02-11 17:26:33 -08:00
auth.py Migrate to oslo.log 2015-03-12 11:22:56 +01:00
context.py Remove "Arguments dropped when creating context" logging 2015-04-01 09:38:21 -04:00
hooks.py Remove the useless vim modelines 2014-06-21 15:07:31 +08:00
i18n.py oslo: migrate to namespace-less import paths 2015-02-05 15:09:32 +01:00
manager.py Migrate to oslo.log 2015-03-12 11:22:56 +01:00
neutron_plugin_base_v2.py Basic subnetpool CRUD 2015-03-18 22:53:50 -07:00
policy.py Merge "Enable to apply policies to resources with special plural" 2015-04-01 08:04:45 +00:00
quota.py Treat all negative quota values as -1 2015-04-02 17:26:51 +05:30
service.py Revert "Set default of api_workers to number of CPUs" 2015-03-16 17:23:44 -07:00
version.py Remove the useless vim modelines 2014-06-21 15:07:31 +08:00
wsgi.py Merge "Start metadata agent without trying to connect db" 2015-03-23 16:45:05 +00:00