Hey Cody,

Doesn't seem to be working for me:

SunOS core 5.11 joyent_20151030T184221Z i86pc i386 i86pc

[root@test ~]# ifconfig
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
net0: flags=201004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4,CoS> mtu 1500 index 2
        inet 172.16.aa.228 netmask ffffff00 broadcast 172.16.aa.255
        ether 82:1b:8e:xx:xx:12
net1: flags=201004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4,CoS> mtu 1500 index 3
        inet 172.16.cc.250 netmask ffffff00 broadcast 172.16.cc.255
        ether 82:1b:8e:xx:xx:13
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128

[root@core ~]# vmadm get 5388abbf-c39e-42eb-a311-e06613a0af91 | json nics
[
  {
    "interface": "net0",
    "mac": "82:1b:8e:xx:xx:12",
    "vlan_id": 10,
    "nic_tag": "trunk",
    "mtu": 1500,
    "primary": true
  },
  {
    "interface": "net1",
    "mac": "82:1b:8e:xx:xx:13",
    "vlan_id": 30,
    "nic_tag": "trunk",
    "mtu": 1500
  }
]


I'm using dnsmasq to hand out RAs:

##### dnsmasq configuration
### set user/group
user=_dnsmasq
group=_dnsmasq

### logging
## specify syslog facility (- to disable)
log-facility=-

### listen on interface
interface=vio1
interface=vio2
interface=vio3
interface=vio4

### dns
## hosts (import /etc/hosts)
no-hosts
addn-hosts=/etc/dnsmasq.d/hosts

## custom resolvers
resolv-file=/etc/dnsmasq.d/resolvers

## domain configuration
domain=example.org
domain-needed
expand-hosts
bogus-priv
#strict-order

## caching
no-negcache
#cache-size=0

### dhcp
## options
dhcp-authoritative
dhcp-vendorclass=set:pxe,PXEClient
dhcp-option=option:netbios-nodetype,8
dhcp-option=tag:vio1,option6:dns-server,[2001:6f8:yyyy:aa::1]
dhcp-option=tag:vio2,option6:dns-server,[2001:6f8:yyyy:bb::1]
dhcp-option=tag:vio3,option6:dns-server,[2001:6f8:yyyy:cc::1]
dhcp-option=tag:vio4,option6:dns-server,[2001:6f8:yyyy:dd::1]
dhcp-option-force=option:ntp-server,172.16.cc.2
dhcp-option-force=option6:ntp-server,[2001:6f8:yyyy:cc::2]

## ignore
dhcp-ignore=tag:pxe

## static leases
dhcp-hostsfile=/etc/dnsmasq.d/reservations

## ipv4
dhcp-range=tag:vio1,172.16.aa.226,172.16.aa.250,1h
dhcp-range=tag:vio2,172.16.bb.245,172.16.bb.250,7d
dhcp-range=tag:vio3,172.16.cc.245,172.16.cc.250,7d
dhcp-range=tag:vio4,172.16.dd.245,172.16.dd.250,7d

## ipv6
enable-ra
dhcp-range=tag:vio1,2001:6f8:yyyy:aa::,ra-stateless,ra-names,64,1h
dhcp-range=tag:vio2,2001:6f8:yyyy:bb::,ra-stateless,ra-names,64,7d
dhcp-range=tag:vio3,2001:6f8:yyyy:cc::,ra-stateless,ra-names,64,7d
dhcp-range=tag:vio4,2001:6f8:yyyy:dd::,ra-stateless,ra-names,64,7d

FYI: the remove_nics bug is also present in this image

Regards

Jorge


On 2015-11-14 22:10, Cody Mello wrote:
Hey Jorge,

Yep, that's what it does. Much like IP spoofing detection currently
detects DHCP(v6) transactions and adds them to a list of allowed
addresses, this detects the Prefix Information on incoming Router
Advertisements, calculates the modified EUI-64 address, and adds that
to a list of allowed addresses.

- Cody


On Sat, Nov 14, 2015 at 3:45 AM, Jorge Schrauwen wrote:
Hey Cody,

I'm a bit confused about what this does... does this allow me to add 'addrconf' to the ips's array like I can do with dhcp, and it will just work (tm) without
adding the EUI-64 based address to the allowed_ip list?

Regards

Jorge




On 2015-10-31 00:49, Cody Mello wrote:

Hello all,

Several people on IRC were interested in testing out images w/ support
for SLAAC when using IP spoofing protection. I've done a variety of
tests locally without any issues, and it should just work at this
point. If you want to try it out, you can download images from here:

https://us-east.manta.joyent.com/cody.mello/public/builds/OS-4667/platform-20151030T184221Z.tgz

https://us-east.manta.joyent.com/cody.mello/public/builds/OS-4667/platform-20151030T184221Z.usb.bz2

https://us-east.manta.joyent.com/cody.mello/public/builds/OS-4667/platform-20151030T184221Z.iso

If you try the images out, please let me know how it goes! If it
doesn't work for you, please include the output of `vmadm get', what's
doing Router Advertisements on your network and its configuration, and
any other details you think are relevant.

-  Cody
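
The calculation described in the 2015-11-14 reply above (read the Prefix Information option from a Router Advertisement, derive the modified EUI-64 address, allow it), as an added example that is not code from this thread or from the platform image. The function names, the MAC address and the documentation prefix 2001:db8:0:aa::/64 are constructed for illustration.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134      # ICMPv6 type (RFC 4861)
ND_OPT_PREFIX_INFO = 3      # Prefix Information option type
PI_FLAG_AUTONOMOUS = 0x40   # "A" flag: prefix may be used for SLAAC

def modified_eui64(mac):
    """48-bit MAC -> 64-bit interface identifier (RFC 4291, Appendix A)."""
    b = bytes.fromhex(mac.replace(":", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def slaac_addresses(ra, mac):
    """Addresses a NIC with this MAC would autoconfigure from one RA."""
    if len(ra) < 16 or ra[0] != ND_ROUTER_ADVERT:
        return []
    iid, allowed, off = modified_eui64(mac), [], 16  # options follow 16-byte header
    while off + 2 <= len(ra):
        opt_type, opt_len = ra[off], ra[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(ra):
            break  # malformed or truncated option: stop, allow nothing further
        if opt_type == ND_OPT_PREFIX_INFO and opt_len == 32:
            prefix_len, flags = ra[off + 2], ra[off + 3]
            prefix = ra[off + 16:off + 32]
            # Only /64 prefixes with the A flag set yield a SLAAC address.
            if prefix_len == 64 and flags & PI_FLAG_AUTONOMOUS:
                allowed.append(ipaddress.IPv6Address(prefix[:8] + iid))
        off += opt_len
    return allowed

def sample_ra(prefix, flags):
    """Constructed RA (checksum left as 0) carrying one Prefix Information option."""
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    option = struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, 64, flags, 86400, 14400, 0)
    return header + option + ipaddress.IPv6Address(prefix).packed

if __name__ == "__main__":
    mac = "52:54:00:12:34:56"  # constructed MAC, not one from the thread
    ra = sample_ra("2001:db8:0:aa::", 0xC0)  # documentation prefix, L and A flags set
    print(slaac_addresses(ra, mac))
```

Comparing the address this produces for a NIC's MAC against the address the zone actually configured is a quick way to tell whether the zone is using a modified EUI-64 interface identifier at all.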



-------------------------------------------
smartos-discuss