Erik Nordmark wrote:
> That is why I think the general notion of acls is misplaced. We just
> need three things AFAIK:
> - verify the source MAC address
> - only the normal set of three Ethernet types (I actually don't think
> that list needs to be configurable - an on/off switch might make sense)
> to prevent bad domUs from messing with Bridge PDUs or VLAN tags themselves.
> - prevent ARP/DHCP spoofing
>
> Note that the case for the third one is different than for the first
> two. The first two are quite analogous to the restrictions at L3 for an
> unprivileged application (can't send using any source nor any IP
> protocol type). The real solution for the third issue lies in new
> protocols that can prevent ARP/DHCP spoofing on public networks. We have
> Secure Neighbor Discovery for SeND and the SAVI WG is working on
> something for IPv4. But in the cloud computing environments that folks
> want to deploy to the public (i.e., multi-tenants that don't trust each
> other) we'd like to have a solution which can be deployed sooner rather
> than later.
Stopping the use of "faked" Ethernet source addresses certainly sounds to me like an extension of the existing L3 privilege mechanism: there should be a new privilege that controls whether a given process can send packets with a different MAC source. (One problem with that is that I don't know how DomUs and privileges line up. It seems "obvious" that DomU access to Dom0-owned devices should be subject to LP just like everything else, but it's possible that's not the case.)

Anti-spoofing of the contents of ARP, DHCP, or other messages, though, sounds like filtering, and having it inside dladm -- though expedient -- doesn't sound to me like a good long-term answer.

> BTW: Can IP Filter be used to prevent a client from spoofing the DHCP
> client ID or chaddr?

Not today. But what on Earth does "spoofing" mean in the context of client ID? The client ID isn't the MAC address. It's just an arbitrary string of bytes that happens to identify a client. There's no obvious way to know whether a given client ID "belongs" to a given client. Unlike a MAC address, it's not assigned by any centralized means.
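As an added illustration of the distinction drawn above (example code, not from the thread or from dladm/IP Filter): a minimal DHCP parser that pulls chaddr out of the fixed BOOTP header and the client-identifier option (option 61) out of the options area separately, plus the chaddr-versus-frame-source check a per-vnic filter could apply. The client ID is returned as opaque bytes because, as the reply says, there is nothing authoritative to compare it against. All packet bytes, MAC values and names are constructed for this example.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that starts the options area
OPT_PAD, OPT_CLIENT_ID, OPT_END = 0, 61, 255

def build_dhcp(chaddr, client_id=None):
    """Build a minimal DHCPDISCOVER payload (constructed test input, RFC 2131 layout)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x12345678, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)   # op..giaddr = 28 bytes
    fixed += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128     # chaddr, sname, file
    opts = b"\x35\x01\x01"                                          # option 53 = DISCOVER
    if client_id is not None:
        opts += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    return fixed + DHCP_MAGIC + opts + bytes([OPT_END])

def parse_dhcp(payload):
    """Return chaddr (fixed header) and the raw client-id option, if present."""
    hlen = payload[2]
    chaddr = payload[28:28 + hlen]
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i, client_id = payload[240:], 0, None
    while i < len(opts):
        code = opts[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = opts[i + 1]
        if code == OPT_CLIENT_ID:
            client_id = opts[i + 2:i + 2 + length]   # opaque bytes; no canonical owner
        i += 2 + length
    return {"chaddr": chaddr, "client_id": client_id}

def chaddr_spoofed(frame_src_mac, payload):
    """Anti-spoofing check a vnic filter could apply: chaddr must equal the Ethernet
    source address, which is itself pinned to the MAC assigned to the guest's vnic."""
    return parse_dhcp(payload)["chaddr"] != frame_src_mac

# Constructed samples: the MAC assigned to a guest's vnic, an honest DISCOVER whose
# client-id (type 1) repeats the MAC, and one whose chaddr and client-id are arbitrary.
VNIC_MAC = bytes.fromhex("02000000aa01")
HONEST = build_dhcp(VNIC_MAC, b"\x01" + VNIC_MAC)
MISMATCH = build_dhcp(bytes.fromhex("02000000bb02"), b"\x00tenant-B")
```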