Backlog #3181

IPv6 hijacking prevention

Added by Stefan Kooman almost 7 years ago. Updated over 6 years ago.

Status: Pending
Priority: High
Assignee: Jaime Melis
Start date: 09/04/2014
Due date:
% Done: 0%

Category:Drivers - Network
Target version:-

Description

Currently there is ARP cache poisoning protection and MAC spoofing protection. The same trick should be possible for IPv6 addresses. Currently they are not protected from hijacking. This could be done with the following rules (vnm/ovswitch/OpenvSwitch.rb):

def ipv6_hijack_prevention
  # Only IPv6 frames whose source address is the one assigned to this NIC
  # are switched normally; everything else falls through to lower-priority rules
  add_flow("in_port=#{port},ipv6,ipv6_src=#{@nic[:ip6]}", :normal, 47000)
end

Note that if you want to use both arp_cache_poisoning, mac_spoofing and ipv6_hijack_prevention (dual stack network) you need different rules for "arp_cache_poisoning" and "mac_spoofing":

def arp_cache_poisoning
  # ARP and IPv4 are only allowed when both the source MAC and the source
  # IPv4 address match the NIC; priorities sit above the per-port drop rule
  add_flow("in_port=#{port},arp,dl_src=#{@nic[:mac]},nw_src=#{@nic[:ip]}", :normal, 45000)
  add_flow("in_port=#{port},ip,dl_src=#{@nic[:mac]},nw_src=#{@nic[:ip]}", :normal, 46000)
end

def mac_spoofing
  # Catch-all for the port: anything not explicitly allowed above is dropped
  add_flow("in_port=#{port}", :drop, 39000)
end

This rule "add_flow("in_port=#{port},dl_src=#{@nic[:mac]}",:normal,40000)" creates a too permissive policy for the "ipv6_hijack_prevention" to work (transparent for IPv6), at least according to my tests. These rules are not compatible with each other, i.e. you can't have mac_spoofing and arp_cache_poisoning/ipv6_hijack_prevention at the same time if not all ip(6)'s are administered by ONE. IPv6 (ip6) is currently not available in "vnm" script directories. IPv6 support needs to be added here as well to have this work in the first place. According to #2318 "ARP cache poisoning" wasn't meant to be a "global switch" enabled by default. But now it is, and at least in our setups it's impossible to turn it on globally for either arp_cache_poisoning or ipv6_hijack_prevention. IMHO these extra network security features should be made part of a template, with the possibility to have a "default on", either by means of enabling it in "one/vmm_exec/vmm_exec_kvm.conf" or the global switch(es) in "remotes/vnm/OpenNebulaNetwork.conf", and by making it a "Restricted attribute". You should be able to override it (disable it), but only as (one)admin.
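To illustrate the priority interaction described above, here is an added Ruby model (not OpenNebula's own code) of how Open vSwitch picks the highest-priority matching flow: with the per-port dl_src allow rule at 40000, an IPv6 frame with the right MAC but a forged source address is switched, while with the rule set proposed above it is dropped. The MAC, addresses and port number are constructed, and the priority-0 NORMAL table-miss is assumed.

```ruby
# Added example: minimal model of OVS flow selection (highest priority wins).
Flow = Struct.new(:match, :action, :priority)

# "in_port=3,ipv6,ipv6_src=..." -> {"in_port"=>"3","proto"=>"ipv6","ipv6_src"=>...}
def parse_match(str)
  str.split(',').each_with_object({}) do |tok, h|
    k, v = tok.split('=', 2)
    if v then h[k] = v else h['proto'] = k end # bare token = protocol (arp/ip/ipv6)
  end
end

def add_flow(table, match, action, priority)
  table << Flow.new(parse_match(match), action, priority)
end

def lookup(table, pkt)
  hits = table.select { |f| f.match.all? { |k, v| pkt[k] == v } }
  # Assumption: a fresh OVS bridge has a priority-0 NORMAL flow as table-miss
  (hits.max_by(&:priority) || Flow.new({}, :normal, 0)).action
end

NIC  = { mac: '02:00:ac:10:00:05', ip: '172.16.0.5', ip6: '2001:db8::5' } # constructed
PORT = 3

def pkt(proto, **fields)
  { 'in_port' => PORT.to_s, 'proto' => proto }.merge(fields.transform_keys(&:to_s))
end

# Rule set with the permissive per-port dl_src allow (priority 40000)
def permissive_rules
  t = []
  add_flow(t, "in_port=#{PORT},ipv6,ipv6_src=#{NIC[:ip6]}", :normal, 47000)
  add_flow(t, "in_port=#{PORT},dl_src=#{NIC[:mac]}", :normal, 40000)
  add_flow(t, "in_port=#{PORT}", :drop, 39000)
  t
end

# Rule set from the report: per-protocol allows above a per-port drop
def proposed_rules
  t = []
  add_flow(t, "in_port=#{PORT},ipv6,ipv6_src=#{NIC[:ip6]}", :normal, 47000)
  add_flow(t, "in_port=#{PORT},ip,dl_src=#{NIC[:mac]},nw_src=#{NIC[:ip]}", :normal, 46000)
  add_flow(t, "in_port=#{PORT},arp,dl_src=#{NIC[:mac]},nw_src=#{NIC[:ip]}", :normal, 45000)
  add_flow(t, "in_port=#{PORT}", :drop, 39000)
  t
end

OWN_V6    = pkt('ipv6', dl_src: NIC[:mac], ipv6_src: NIC[:ip6])
FORGED_V6 = pkt('ipv6', dl_src: NIC[:mac], ipv6_src: '2001:db8::bad') # spoofed source
```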

History

#1 Updated by Ruben S. Montero almost 7 years ago

  • Category set to Drivers - VM
  • Status changed from Pending to New
  • Target version set to Release 4.10

Thanks for the heads up :)

#2 Updated by Ruben S. Montero almost 7 years ago

  • Category changed from Drivers - VM to Drivers - Network

#3 Updated by Ruben S. Montero almost 7 years ago

  • Assignee set to Jaime Melis

#4 Updated by Ruben S. Montero over 6 years ago

  • Tracker changed from Feature to Backlog
  • Status changed from New to Pending
  • Priority changed from Normal to High
  • Target version deleted (Release 4.10)

Finally, this won't make it for 4.10. I'm moving it to backlog with high priority for the next one.
