[ovs-dev] [PATCH] Add Nicira extension to OpenFlow for dropping spoofed ARP packets.
jesse at nicira.com
Wed Aug 25 21:33:08 PDT 2010
On Tue, Aug 24, 2010 at 7:03 PM, Ben Pfaff <blp at nicira.com> wrote:
>> Even with this and appropriate MAC and IP flows you can still poison
>> someone's ARP cache (by responding with someone else's IP). You may not
>> be able to see their traffic but you can DoS them.
> The IP fields in the ARP packet are part of the flow, so it's the
> controller's problem to ensure that the host can't poison someone's ARP
> cache, by using flows to restrict the possible responses. We only need
> this action because the MAC fields in the ARP packet are not part of the
Right, it completely slipped my mind that we were already copying the
IP addresses into the flow.
>> If this is used on a datapath that doesn't support this action (i.e. the
>> userspace datapath) it will be silently ignored, right? That makes me
> The best I can do is to implement it in the userspace datapath, unless
> you have a better idea. I've done that now.
The new version looks good with one little issue:
> + arp = (struct arp_eth_header *)skb_network_header(skb);
> + return (arp->ar_hrd != htons(ARPHRD_ETHER) ||
> + arp->ar_pro != htons(ETH_P_IP) ||
> + arp->ar_hln != ETH_ALEN ||
> + arp->ar_pln != 4 ||
> + !compare_ether_addr(arp->ar_sha, eth_hdr(skb)->h_source));
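Review bot: the last term of the return expression inverts the intended test: compare_ether_addr() returns zero when the two addresses are equal, so `!compare_ether_addr(arp->ar_sha, eth_hdr(skb)->h_source)` is true exactly when the ARP sender MAC matches the Ethernet source (the legitimate case) and false when it differs (the spoofed case). Drop the `!`, or write `compare_ether_addr(arp->ar_sha, eth_hdr(skb)->h_source) != 0`, so this term is true only when the addresses differ, in keeping with the other `!=` tests in the expression.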
compare_ether_addr() returns zero on equality so this will have the
I know that you were waiting to hear more comments on this before
pushing but I think it is worth doing now. We've had a lot of
requests for this and it is definitely an improvement over what we
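As an added example (not the patch under review and not OVS code), the check from the quoted hunk modelled in user space with the MAC comparison in the correct sense and a length check in front of it; the function and constant names, and the two host MACs, are constructed for the example.

```c
/* Added example, not the OVS patch itself: a user-space model of the ARP spoof
 * check discussed in the thread. Function and constant names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define ETH_ALEN     6
#define ETH_HLEN     14
#define ETH_P_ARP    0x0806
#define ETH_P_IP     0x0800
#define ARPHRD_ETHER 1
#define ARP_ETH_LEN  28   /* ARP header length for Ethernet/IPv4 */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 1 when the frame should be dropped as spoofed ARP, 0 to pass. Same field
 * tests as the patch, but the length is checked first and the MAC test drops when
 * ar_sha differs from the Ethernet source. Non-ARP frames pass (assumption). */
int arp_is_spoofed(const uint8_t *frame, size_t len)
{
    const uint8_t *arp;
    if (len < ETH_HLEN + ARP_ETH_LEN || rd16(frame + 12) != ETH_P_ARP)
        return 0;
    arp = frame + ETH_HLEN;
    return rd16(arp + 0) != ARPHRD_ETHER ||                  /* ar_hrd */
           rd16(arp + 2) != ETH_P_IP ||                      /* ar_pro */
           arp[4] != ETH_ALEN || arp[5] != 4 ||              /* ar_hln, ar_pln */
           memcmp(arp + 8, frame + ETH_ALEN, ETH_ALEN) != 0; /* ar_sha vs h_source */
}

/* Constructed frame: broadcast ARP reply from eth_src whose body claims sender MAC 'sha'. */
size_t build_arp_reply(uint8_t *buf, const uint8_t *eth_src, const uint8_t *sha)
{
    uint8_t *arp = buf + ETH_HLEN;
    memset(buf, 0, ETH_HLEN + ARP_ETH_LEN);
    memset(buf, 0xff, ETH_ALEN);                 /* destination: broadcast */
    memcpy(buf + ETH_ALEN, eth_src, ETH_ALEN);   /* Ethernet source */
    buf[12] = 0x08; buf[13] = 0x06;              /* ethertype ARP */
    arp[1] = ARPHRD_ETHER; arp[2] = 0x08;        /* hrd = Ethernet, pro = 0x0800 */
    arp[4] = ETH_ALEN; arp[5] = 4; arp[7] = 2;   /* hln, pln, op = reply */
    memcpy(arp + 8, sha, ETH_ALEN);              /* ar_sha */
    return ETH_HLEN + ARP_ETH_LEN;
}

/* Constructed MACs for two hosts behind the same switch. */
const uint8_t host_a[ETH_ALEN] = {0x02, 0, 0, 0, 0, 0x0a};
const uint8_t host_b[ETH_ALEN] = {0x02, 0, 0, 0, 0, 0x0b};

/* Build a reply from eth_src claiming 'sha' and run the check on it. */
int check_reply(const uint8_t *eth_src, const uint8_t *sha)
{
    uint8_t frame[ETH_HLEN + ARP_ETH_LEN];
    return arp_is_spoofed(frame, build_arp_reply(frame, eth_src, sha));
}
```

A reply whose ARP sender MAC matches the Ethernet source passes; one where host A's frame carries host B's MAC in the ARP body is flagged for dropping.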