The neutron firewall driver 'iptables_firewall' does not prevent ARP cache poisoning.
When anti-spoofing rules were handled by Nova, a list of rules was added through the libvirt network filter feature:
- no-mac-spoofing
- no-ip-spoofing
- no-arp-spoofing
- nova-no-nd-reflection
- allow-dhcp-server
Actually, the neutron firewall driver 'iptables_firewall' handles only MAC and IP anti-spoofing rules.
This is a security vulnerability, especially on shared networks.
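
An added example, not part of the original report and not Neutron or libvirt code: a sketch of the per-port check that an ARP anti-spoofing rule has to make, on top of MAC and IP filtering. It flags ARP frames whose sender fields do not match the port's assigned addresses. The port MAC, the IP addresses, the function names and the sample frames are constructed for illustration.

```python
import socket
import struct

# Constructed port binding (assumption): the MAC and fixed IPs assigned to one port.
PORT_MAC = "fa:16:3e:00:00:01"
PORT_IPS = {"10.0.0.5"}

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame: bytes):
    """Return the sender fields of an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP payload
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(frame[6:12]),        # what a MAC rule looks at
        "sha": mac_str(frame[22:28]),           # ARP sender hardware address
        "spa": socket.inet_ntoa(frame[28:32]),  # ARP sender protocol address
    }

def arp_violations(frame: bytes, port_mac: str, port_ips: set) -> list:
    """List the anti-spoofing checks an ARP frame sent from this port fails."""
    arp = parse_arp(frame)
    if arp is None:
        return []  # not ARP: left to the MAC and IP rules
    failed = []
    if arp["eth_src"] != port_mac:
        failed.append("eth-src-mac")
    if arp["sha"] != port_mac:
        failed.append("arp-sender-mac")
    # Strict check: ARP probes with sender IP 0.0.0.0 are flagged as well.
    if arp["spa"] not in port_ips:
        failed.append("arp-sender-ip")
    return failed

def sample_frame(eth_src: str, sha: str, spa: str) -> bytes:
    """Build a constructed 42-byte ARP reply used only as parser input."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (b"\xff" * 6 + mac(eth_src) + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + mac(sha) + socket.inet_aton(spa)
            + b"\x00" * 6 + socket.inet_aton("10.0.0.9"))
```

A frame with the port's own source MAC but another address in the ARP sender IP field fails only the "arp-sender-ip" check, so a rule set that matches on the Ethernet source MAC and the IPv4 source address alone does not see it.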