Comment 0 for bug 1274034

Édouard Thuleau (ethuleau) wrote :

The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning.
When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature:
- no-mac-spoofing
- no-ip-spoofing
- no-arp-spoofing
- nova-no-nd-reflection
- allow-dhcp-server

Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules.

This is a security vulnerability, especially on shared networks.