neutron macip spoof - HehuaTang/openstack- GitHub Wiki

OpenStack -- arp-spoofing / mac-spoofing
11 SEP 2016

Background

Neutron protects against ARP spoofing and MAC spoofing by default. This post explains what ARP spoofing and MAC spoofing are and how Neutron prevents them in Open vSwitch.

What are ARP Spoofing and MAC Spoofing?

After a VM boots in OpenStack, it gets its MAC and IP from Neutron. Technically, the end user can change the IP and MAC inside the VM and, in this way, attack other VMs.

ARP Spoofing

VMs use ARP to get MAC addresses. An attacker can send out an ARP response with his IP to refresh other VMs' ARP caches. So, by default, Neutron only allows a VM to send out ARP responses with its own IP.

MAC Spoofing

Technically, VMs can send out packets with other MACs that were not allocated by Neutron. So Neutron only allows a VM to send out packets with the MAC that Neutron allocated.
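
The two egress checks described above can be modelled as a filter over raw Ethernet frames. This is an added example, not code from the original post or from Neutron; the function names and addresses are constructed, and applying the sender-IP check to every ARP packet (not only responses) is an assumption of this model.

```python
import ipaddress
import struct

ETH_ARP = 0x0806  # EtherType for ARP

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp_reply(src_mac, sender_ip, dst_mac, target_ip):
    """Build a constructed Ethernet + ARP reply frame for the demo."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet/IPv4, opcode 2 = reply
    arp += mac_bytes(src_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(dst_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp

def check_egress(frame, port_mac, port_ip):
    """Return (allowed, reason) for a frame leaving a VM port (hypothetical helper)."""
    if len(frame) < 14:
        return False, "truncated ethernet header"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    # MAC spoofing check: Ethernet source must be the allocated MAC.
    if frame[6:12] != mac_bytes(port_mac):
        return False, "mac spoofing: source MAC not allocated to port"
    if ethertype == ETH_ARP:
        if len(frame) < 14 + 28:
            return False, "truncated arp payload"
        # ARP spoofing check: sender protocol address sits at bytes 28..32.
        spa = ipaddress.IPv4Address(frame[28:32])
        if spa != ipaddress.IPv4Address(port_ip):
            return False, "arp spoofing: sender IP not allocated to port"
    return True, "ok"

def demo():
    # Constructed sample port and peer addresses.
    port_mac, port_ip = "fa:16:3e:00:00:0a", "10.0.0.10"
    peer_mac, peer_ip = "fa:16:3e:00:00:14", "10.0.0.20"
    frames = {
        "honest": build_arp_reply(port_mac, port_ip, peer_mac, peer_ip),
        "arp_spoof": build_arp_reply(port_mac, "10.0.0.1", peer_mac, peer_ip),
        "mac_spoof": build_arp_reply("fa:16:3e:00:00:63", port_ip, peer_mac, peer_ip),
    }
    return {name: check_egress(f, port_mac, port_ip) for name, f in frames.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```
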

Note: Neutron uses iptables to prevent IP spoofing (a VM is only allowed to send out IP packets with the IP address allocated by Neutron). This post does not cover that part.