Implement source IP spoofing protection

Bug #1533225 reported by Kyle Mestery
Affects: networking-ovn
Status: Fix Released
Importance: High
Assigned to: Numan Siddique

Bug Description

Currently, networking-ovn isn't doing any spoofing protection for source IP.

Tags: ovn-upstream
Russell Bryant (russellb) wrote :

I think we can just add an ACL row for this.

Changed in networking-ovn:
status: New → Confirmed
importance: Undecided → High
Han Zhou (zhouhan) wrote :

Should it be implemented by port-security?

OVN already has the schema for port-security but it is only with MAC. I think we should update OVN to support MAC + IP and then in plugin we can add it to port_security when constructing ovn_port_info.

Russell Bryant (russellb) wrote :

Yes, that's another option. I remember discussing an updated schema for port security that included the ability to specify IP addresses, but I don't think it has been implemented yet.

We could accomplish the goal using ACLs today, but ideally we should use port_security once that work is completed.

Numan Siddique (numansiddique) wrote :

I think this thread has the discussion about port security and allowed address pairs.
http://openvswitch.org/pipermail/dev/2015-July/057141.html

I was looking into the other bug on allowed address pair support in OVN. I guess it's better to have port-security support first.
I can look into updating port security to support MAC + IP in OVN if no one is looking into this already.

Han Zhou (zhouhan) wrote :

@Numan, yes, it would be great to support in OVN first. Thank you for working on it.

Changed in networking-ovn:
assignee: nobody → Numan Siddique (numansiddique)
Russell Bryant (russellb) wrote :

Thanks, Numan! Yes, that's the proposal I had in mind.

tags: added: ovn-upstream
Changed in networking-ovn:
status: Confirmed → In Progress
Numan Siddique (numansiddique) wrote :

This is addressed in the port security support.

Changed in networking-ovn:
status: In Progress → Fix Committed
Changed in networking-ovn:
status: Fix Committed → Fix Released