Hey Cody,

You're right... I had a typo on the create command (ipa instead of ips), not sure how it slipped through.

Looks good in my limited testing. (Can't test on my other zones as I can't destroy them, due to the update_nics bug.)

Regards

Jorge

On 2015-11-16 05:21, Cody Mello wrote:
Hey Jorge,

It looks like you're missing the "ips" field, so you're currently
getting your IPv4 addresses through the default behaviour of the
network setup (which is to perform DHCP on NICs which don't have any
addresses configured). If you set "ips" to be [ "dhcp", "addrconf" ],
you should be all set.

- Cody

On Sun, Nov 15, 2015 at 6:31 AM, Jorge Schrauwen <[email protected]> wrote:
Hey Cody,

Doesn't seem to be working for me:

SunOS core 5.11 joyent_20151030T184221Z i86pc i386 i86pc

[root@test ~]# ifconfig
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
net0: flags=201004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4,CoS> mtu 1500 index 2
        inet 172.16.aa.228 netmask ffffff00 broadcast 172.16.aa.255
        ether 82:1b:8e:xx:xx:12
net1: flags=201004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4,CoS> mtu 1500 index 3
        inet 172.16.cc.250 netmask ffffff00 broadcast 172.16.cc.255
        ether 82:1b:8e:xx:xx:13
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128

[root@core ~]# vmadm get 5388abbf-c39e-42eb-a311-e06613a0af91 | json nics
[
  {
    "interface": "net0",
    "mac": "82:1b:8e:xx:xx:12",
    "vlan_id": 10,
    "nic_tag": "trunk",
    "mtu": 1500,
    "primary": true
  },
  {
    "interface": "net1",
    "mac": "82:1b:8e:xx:xx:13",
    "vlan_id": 30,
    "nic_tag": "trunk",
    "mtu": 1500
  }
]


I'm using dnsmasq to hand out RAs.

##### dnsmasq configuration
### set user/group
user=_dnsmasq
group=_dnsmasq

### logging
## specify syslog facility (- to disable)
log-facility=-

### listen on interface
interface=vio1
interface=vio2
interface=vio3
interface=vio4

### dns
## hosts (import /etc/hosts)
no-hosts
addn-hosts=/etc/dnsmasq.d/hosts

## custom resolvers
resolv-file=/etc/dnsmasq.d/resolvers

## domain configuration
domain=example.org
domain-needed
expand-hosts
bogus-priv
#strict-order

## caching
no-negcache
#cache-size=0

### dhcp
## options
dhcp-authoritative
dhcp-vendorclass=set:pxe,PXEClient
dhcp-option=option:netbios-nodetype,8
dhcp-option=tag:vio1,option6:dns-server,[2001:6f8:yyyy:aa::1]
dhcp-option=tag:vio2,option6:dns-server,[2001:6f8:yyyy:bb::1]
dhcp-option=tag:vio3,option6:dns-server,[2001:6f8:yyyy:cc::1]
dhcp-option=tag:vio4,option6:dns-server,[2001:6f8:yyyy:dd::1]
dhcp-option-force=option:ntp-server,172.16.cc.2
dhcp-option-force=option6:ntp-server,[2001:6f8:yyyy:cc::2]

## ignore
dhcp-ignore=tag:pxe

## static leases
dhcp-hostsfile=/etc/dnsmasq.d/reservations

## ipv4
dhcp-range=tag:vio1,172.16.aa.226,172.16.aa.250,1h
dhcp-range=tag:vio2,172.16.bb.245,172.16.bb.250,7d
dhcp-range=tag:vio3,172.16.cc.245,172.16.cc.250,7d
dhcp-range=tag:vio4,172.16.dd.245,172.16.dd.250,7d

## ipv6
enable-ra
dhcp-range=tag:vio1,2001:6f8:yyyy:aa::,ra-stateless,ra-names,64,1h
dhcp-range=tag:vio2,2001:6f8:yyyy:bb::,ra-stateless,ra-names,64,7d
dhcp-range=tag:vio3,2001:6f8:yyyy:cc::,ra-stateless,ra-names,64,7d
dhcp-range=tag:vio4,2001:6f8:yyyy:dd::,ra-stateless,ra-names,64,7d

FYI: the remove_nics bug is also present in this image

Regards

Jorge



On 2015-11-14 22:10, Cody Mello wrote:

Hey Jorge,

Yep, that's what it does. Much like IP spoofing detection currently
detects DHCP(v6) transactions and adds them to a list of allowed
addresses, this detects the Prefix Information on incoming Router
Advertisements, calculates the modified EUI-64 address, and adds that
to a list of allowed addresses.

- Cody


On Sat, Nov 14, 2015 at 3:45 AM, Jorge Schrauwen <[email protected]> wrote:

Hey Cody,

I'm a bit confused about what this does... does this allow me to add
'addrconf' to the ips array like I can do with dhcp, and it will just
work (tm) without adding the EUI-64 based address to the allowed_ip list?

Regards

Jorge




On 2015-10-31 00:49, Cody Mello wrote:


Hello all,

Several people on IRC were interested in testing out images w/ support
for SLAAC when using IP spoofing protection. I've done a variety of
tests locally without any issues, and it should just work at this
point. If you want to try it out, you can download images from here:

https://us-east.manta.joyent.com/cody.mello/public/builds/OS-4667/platform-20151030T184221Z.tgz

https://us-east.manta.joyent.com/cody.mello/public/builds/OS-4667/platform-20151030T184221Z.usb.bz2

https://us-east.manta.joyent.com/cody.mello/public/builds/OS-4667/platform-20151030T184221Z.iso

If you try the images out, please let me know how it goes! If it
doesn't work for you, please include the output of `vmadm get', what's
doing Router Advertisements on your network and its configuration, and
any other details you think are relevant.

-  Cody
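
Added example (not part of the original thread, and not the SmartOS implementation): a Python illustration of the check described in the 2015-11-14 reply above, which reads the Prefix Information option of an incoming Router Advertisement, derives the modified EUI-64 address for the NIC's MAC, and returns it as an allowed source address. The MAC, the 2001:db8:aa::/64 prefix, the RA bytes and all function names are constructed for illustration.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134       # ICMPv6 type of a Router Advertisement
OPT_PREFIX_INFO = 3          # Prefix Information option (RFC 4861)
PIO_FLAG_AUTONOMOUS = 0x40   # "A" flag: prefix may be used for SLAAC
SAMPLE_MAC = "82:1b:8e:00:00:12"  # constructed MAC, not from the thread

def eui64_interface_id(mac):
    """Modified EUI-64: flip the universal/local bit, insert ff:fe."""
    b = bytes.fromhex(mac.replace(":", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def slaac_addresses(ra, mac):
    """Addresses a NIC with this MAC may form from the RA's prefixes."""
    if len(ra) < 16 or ra[0] != ND_ROUTER_ADVERT:
        return []
    allowed, off = [], 16            # options start after the 16-byte header
    while off + 2 <= len(ra):
        opt_type, opt_len = ra[off], ra[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(ra):
            break                    # malformed or truncated option
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            prefix_len, flags = ra[off + 2], ra[off + 3]
            prefix = ra[off + 16:off + 32]
            if prefix_len == 64 and flags & PIO_FLAG_AUTONOMOUS:
                addr = prefix[:8] + eui64_interface_id(mac)
                allowed.append(ipaddress.IPv6Address(addr))
        off += opt_len
    return allowed

def build_ra(prefix, flags=0xC0):
    """Constructed RA carrying one /64 Prefix Information option."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, flags, 86400, 14400, 0)
    return hdr + pio + ipaddress.IPv6Address(prefix).packed

if __name__ == "__main__":
    for a in slaac_addresses(build_ra("2001:db8:aa::"), SAMPLE_MAC):
        print("allow", a)
```

A prefix advertised without the autonomous flag, or an RA whose option is truncated, yields no allowed address, so traffic sourced from a self-chosen address in that prefix would still be treated as spoofed.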



-------------------------------------------
smartos-discuss