Re: NDP and ebtables

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

Jonathan Tripathy a écrit :
> 
> I'm just trailing out ipv6 on my network. Currently, all my bridge ports 
> are protected from MAC address spoofing by using ebtables:
> 
> /usr/local/sbin/ebtables -I FORWARD -p ARP -o "$vif" -j ACCEPT
> /usr/local/sbin/ebtables -I FORWARD -i "$vif" -s "$mac" -j ACCEPT
> /usr/local/sbin/ebtables -I FORWARD -o "$vif" -d "$mac" -j ACCEPT
> 
> As you can see above, I allow all ARP packets to flow to the host 
> (who-has). This allows ARP resolution to work. Is-at works at the source 
> MAC address is set in the frame.
> 
> However, adding IPv6 to the mix is a little trickier. As it turns out, 
> IPv6 doesn't use ARP, but uses NDP.
> 
> Is there any way to make NDP work with ebtables, but still preventing 
> MAC address spoofing?

Sure : don't filter on the destination address, or at least accept
related multicast addresses (see "ip -f link maddr" on the host).

Spoofing is about the source, not the destination. If the bridge code
decides to forward a packet to some port even when the destination
address is not the address of a host connected to that port, it has some
reason to do so :
- the destination is multicast of broadcast,
- the destination is unicast but unknown, thus treated as broadcast.

You can safely drop in the latter case, not in the former.

Note that your 3rd rule accepts packets from any source address, thus
not preventing spoofing.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux