Comment 5 for bug 1558658

Dustin Lundquist (dlundquist) wrote : Re: Security Groups do not prevent MAC and/or IPv4 spoofing in DHCP requests

Tristan,

It's reasonable to assume IPv4 is much more widely deployed than IPv6, so the public IPv6 bug affects a significantly smaller number of installations. That being said, it wasn't very difficult to examine the IPv4 case for the same vulnerability as the IPv6 case, so I don't believe there is significant value in maintaining the embargo.

Armando,

Neutron presently maintains an ebtables chain for each instance port to prevent MAC spoofing; the overhead of expanding this to validate all source MAC as well as ARP messages is one additional rule in this chain (ebtables allows matching against multiple MAC addresses in a single rule). If Neutron chooses not to address this, first-hop security expectations should be clearly defined in a policy somewhere so operators can make informed decisions on how they deploy Neutron.