OpenNebula

Currently there is ARP cache poisoning protection and MAC spoofing protection. The same trick should be possible for IPv6 addresses. Currently they are not protected from hijacking. This could be done with the following rules (vnm/ovswitch/OpenvSwitch.rb):

def ipv6_hijack_prevention
add_flow("in_port=#{port},ipv6,ipv6_src=#{@nic[:ip6]}",:normal,47000)
end

Note that if you want to user both arp_cache_poisoning, mac_spoofing and ipv6_hijack_prevention (dual stack network) you need different rules for "arp_cache_poisoning" and "mac_spoofing":

def arp_cache_poisoning
add_flow("in_port=#{port},arp,dl_src=#{@nic[:mac]},nw_src=#{@nic[:ip]}",:normal,45000)
add_flow("in_port=#{port},ip,dl_src=#{@nic[:mac]},nw_src=#{@nic[:ip]}",:normal,46000)
end

def mac_spoofing
add_flow("in_port=#{port}",:drop,39000)
end

This rule "add_flow("in_port=#{port},dl_src=#{@nic[:mac]}",:normal,40000)" creates a too permissive policy for the "ipv6_hijack_prevention" to work (transparent for IPv6), at least according to my tests. These rules are not compatible with each other. I.e. You can't have mac_spoofing and arp_cache_poisoning/ipv6_hijack_prevention at the same time if not all ip(6)'s are administered by ONE. IPv6 (ip6) is currently not available in "vnm" script directories. IPv6 support needs to be added here as well to have this work in the first place. According to # 2318 "ARP cache poisoning" wasn't ment to be a "global switch" enabled by default. But now it is, and in at least in our setups it's impossible to turn it on globally for either arp_cache_poisoning and ipv6_hijack_prevention. IMHO these extra network security features should be made part of a template. With the possibility to have a "default on", either by means of enabling it in "one/vmm_exec/vmm_exec_kvm.conf" or the global switch(es) "remotes/vnm/OpenNebulaNetwork.conf" and by making it a "Restricted attribute". You should be able to override it (diable it), but only as (one)admin.