8

IP & mac-spoofing in openstack

asked 2014-04-08 00:10:09 -0600

SGPJ

updated 2014-05-09 03:41:58 -0600

By the way, the following is my detailed operation log of forcing IP spoofing in OpenStack:

But how do I disable MAC spoofing in OpenStack?

This is the localrc I used. I disabled Neutron security groups.

HOST_IP=127.0.0.1
SERVICE_HOST=127.0.0.1
disable_service n-net
enable_service neutron q-svc q-agt q-l3 q-dhcp q-meta q-lbaas
enable_service ryu

FLOATING_RANGE=192.168.1.0/24
PUBLIC_NETWORK_GATEWAY=192.168.1.1

Q_HOST=$SERVICE_HOST
Q_USE_SECGROUP=False
Q_PLUGIN=ryu

MYSQL_HOST=$SERVICE_HOST
RABBIT_HOST=$SERVICE_HOST
GLANCE_HOSTPORT=$SERVICE_HOST:9292
KEYSTONE_AUTH_HOST=$SERVICE_HOST
KEYSTONE_SERVICE_HOST=$SERVICE_HOST
RYU_API_HOST=$SERVICE_HOST
RYU_OFP_HOST=$SERVICE_HOST

MYSQL_PASSWORD=mysql
RABBIT_PASSWORD=rabbit
SERVICE_TOKEN=service
SERVICE_PASSWORD=admin
ADMIN_PASSWORD=admin

RYU_APPS=ryu.app.gre_tunnel,ryu.app.quantum_adapter,ryu.app.rest,ryu.app.rest_conf_switch,ryu.app.rest_tunnel,ryu.app.tunnel_port_updater,ryu.app.rest_quantum

After running devstack, I created a network to investigate communication. The default network needs to be kept for SSH access to the VMs. (@HOST means an operation on the host running devstack; @VM2 means an operation on vm2.)

@HOST - Created a new network:

$ neutron net-create private2

+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| admin_state_up | True                                 |
| id             | 1bccc324-618a-4967-b07b-aa6d56e61372 |
| name           | private2                             |
| shared         | False                                |
| status         | ACTIVE                               |
| subnets        |                                      |
| tenant_id      | 813c46c214b143f5a9b8d5fa5c7026b4     |
+----------------+--------------------------------------+

Created a new subnet:

$ neutron subnet-create --name subnet-private2 --ip-version 4 --gateway 10.1.0.1 private2 10.1.0.0/24
+------------------+--------------------------------------------+
| Field            | Value                                      |
+------------------+--------------------------------------------+
| allocation_pools | {"start": "10.1.0.2", "end": "10.1.0.254"} |
| cidr             | 10.1.0.0/24                                |
| dns_nameservers  |                                            |
| enable_dhcp      | True                                       |
| gateway_ip       | 10.1.0.1                                   |
| host_routes      |                                            |
| id               | f501fc25-02b2-4716-bd9d-fa2f438ac5f2       |
| ip_version       | 4                                          |
| name             | subnet-private2                            |
| network_id       | 1bccc324-618a-4967-b07b-aa6d56e61372       |
| tenant_id        | 813c46c214b143f5a9b8d5fa5c7026b4           |
+------------------+--------------------------------------------+
$ neutron net-list
+--------------------------------------+----------+-----------------------------------------------------+
| id                                   | name     | subnets                                             |
+--------------------------------------+----------+-----------------------------------------------------+
| 1bccc324-618a-4967-b07b-aa6d56e61372 | private2 | f501fc25-02b2-4716-bd9d-fa2f438ac5f2 10.1.0.0/24    |
| aa9e8a37-4665-4e95-8b54-18fe15e2a464 | private  | 01319da0-f766-4d8c-a42f-0661f2a40069 10.0.0.0/24    |
| ebfcc3ff-870a-4342-a454-24a89fbcccbf | public   | 2004f838-9dd8-4b5f-b792-5a69da6de888 192.168.1.0/24 |
+--------------------------------------+----------+-----------------------------------------------------+

@HOST - Then, I created two VMs, each with two NICs.

$ nova boot --flavor m1.nano --image bf452563-2a66-480a-9bd5-f07dbab9217f --nic net-id=aa9e8a37-4665-4e95-8b54-18fe15e2a464 --nic net-id=1bccc324-618a-4967-b07b-aa6d56e61372 vm1
$ nova boot --flavor m1.nano --image bf452563-2a66-480a-9bd5-f07dbab9217f --nic net-id=aa9e8a37-4665-4e95-8b54-18fe15e2a464 --nic net-id=1bccc324-618a-4967-b07b-aa6d56e61372 vm2

@HOST - Allow TCP and ICMP traffic. Neutron's security groups had been disabled, but Nova's are available.

$ nova secgroup-add-rule default tcp 1 65535 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 1         | 65535   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
$ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Create a floating IP and associate it with the VM's port on the default network, for SSH login. @HOST - Created a new floating IP:

$ neutron floatingip-create public

+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| fixed_ip_address    |                                      |
| floating_ip_address | 192.168.1.3                          |
| floating_network_id | ebfcc3ff-870a-4342-a454-24a89fbcccbf |
| id                  | 56cdf045-4648-4993-a896-6c409d91a9e3 |
| port_id             |                                      |
| router_id           |                                      |
| tenant_id           | 813c46c214b143f5a9b8d5fa5c7026b4     |
+---------------------+--------------------------------------+

Created a second floating IP:

$ neutron floatingip-create public
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| fixed_ip_address    |                                      |
| floating_ip_address | 192.168.1.4                          |
| floating_network_id | ebfcc3ff-870a-4342-a454-24a89fbcccbf |
| id                  | 60054857-6129-4b0b-97f5-66872f7877e3 |
| port_id             |                                      |
| router_id           |                                      |
| tenant_id           | 813c46c214b143f5a9b8d5fa5c7026b4     |
+---------------------+--------------------------------------+

$ neutron port-list
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                          |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| 1fdaab5f-cc2c-43e9-83d5-6bf29cf34f45 |      | fa:16:3e:c1:85:21 | {"subnet_id": "f501fc25-02b2-4716-bd9d-fa2f438ac5f2", "ip_address": "10.1.0.2"}    |
| 20c0b808-83f3-4ae4-8d9a-bd8e078f7621 |      | fa:16:3e:75:97:8a | {"subnet_id": "f501fc25-02b2-4716-bd9d-fa2f438ac5f2", "ip_address": "10.1.0.4"}    |
| 41d18013-4902-470b-82c5-05534f2151a6 |      | fa:16:3e:c6:c0:83 | {"subnet_id": "2004f838-9dd8-4b5f-b792-5a69da6de888", "ip_address": "192.168.1.4"} |
| 4ce8dab2-2adf-4421-81c9-f3f66b0a6f2f |      | fa:16:3e:ad:f8:53 ...
(more)

Comments

Hi, in your example you are using nwfilter to deal with IP spoofing. But in my devstack-based stable Icehouse, I couldn't find the "nova-base" nwfilter. I did a bit of googling and found out that the security-group feature is implemented in iptables by default. Can you give a similar method for iptables?

prat (2014-10-08 02:27:41 -0600)

1 answer

3

answered 2014-11-10 07:20:39 -0600

bishoy

You can disable the IP spoofing filter for a specific port only, and by specifying which network it is allowed to spoof, for example:

[bishoy@krusty ~]$ neutron port-show 711713b8-2f6e-4ba3-9e89-20212ff679ee
+-----------------------+---------------------------------------------------------------------------------------+
| Field                 | Value                                                                                 |
+-----------------------+---------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                  |
| allowed_address_pairs |                                                                                       |
| binding:vnic_type     | normal                                                                                |
| device_id             | 1e70c468-6a24-424a-82ce-12c4739e69e8                                                  |
| device_owner          | compute:default-az                                                                    |
| extra_dhcp_opts       |                                                                                       |
| fixed_ips             | {"subnet_id": "22a86e04-7492-4e1b-abf2-ae84223347a3", "ip_address": "10.141.163.254"} |
| id                    | 711713b8-2f6e-4ba3-9e89-20212ff679ee                                                  |
| mac_address           | fa:16:3e:7b:fe:46                                                                     |
| name                  |                                                                                       |
| network_id            | 5dcf2974-48ee-4742-a040-5c15eead0ed6                                                  |
| security_groups       | 93551f49-30e7-4a45-bad7-41a05a62c6b7                                                  |
| status                | ACTIVE                                                                                |
| tenant_id             | 372f520953bd417cb6ecbbe598e0f018                                                      |
+-----------------------+---------------------------------------------------------------------------------------+

This parameter, "allowed_address_pairs", can be used to add a network that is allowed to be spoofed. You can edit the port with the command neutron port-update:

$ neutron port-update <port-uuid> --allowed-address-pairs type=dict list=true mac_address=<mac_address>,ip_address=<ip_cidr>

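Worked example (added here; it is not code from this thread, from bishoy, or from Neutron itself). The answer's allowed_address_pairs and the comment's question about the iptables implementation come down to the same per-port filter: in Neutron's iptables-based firewall driver, each VM port gets a chain that RETURNs only for a source IP bound to a source MAC (the port's fixed IPs with the port MAC, plus each allowed address pair with its own MAC, which defaults to the port MAC when the pair gives none) and DROPs everything else. With the noop firewall driver, which is what the question's Q_USE_SECGROUP=False gives you, no such chain exists at all. The Python below reproduces those rule semantics on constructed data so you can see what a given port-update would permit before touching a live cloud. The vm2 port MAC and IP are copied from the question's port-list; the chain name, the VIP MAC, and every packet are made up. It models the IP-layer chain only; the DHCP exceptions and ARP handling are left out.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Port:
    """The subset of a Neutron port (as printed by `neutron port-show`) that
    the anti-spoofing filter is built from."""
    mac_address: str
    fixed_ips: list                       # bare IPs, e.g. ["10.1.0.4"]
    allowed_address_pairs: list = field(default_factory=list)
    # each pair: {"ip_address": "<ip or cidr>", "mac_address": "<mac>"};
    # mac_address is optional and then defaults to the port's own MAC


def spoof_rules(port):
    """(source MAC, source network) pairs the per-port chain RETURNs on."""
    rules = [(port.mac_address.lower(), ipaddress.ip_network(ip))
             for ip in port.fixed_ips]                       # /32 each
    for pair in port.allowed_address_pairs:
        mac = (pair.get("mac_address") or port.mac_address).lower()
        rules.append((mac, ipaddress.ip_network(pair["ip_address"], strict=False)))
    return rules


def render_chain(port, chain="neutron-openvswi-sPORTID"):
    """`iptables -S`-style view of the chain.  The chain name is a placeholder;
    Neutron derives the real one from the port id."""
    lines = [f"-A {chain} -s {net.with_prefixlen} -m mac --mac-source {mac.upper()} -j RETURN"
             for mac, net in spoof_rules(port)]
    lines.append(f"-A {chain} -j DROP")
    return lines


def is_allowed(port, src_mac, src_ip, firewall_driver="iptables"):
    """Does an egress IP packet with this source MAC/IP get past the port filter?

    firewall_driver="noop" models security groups being disabled
    (Q_USE_SECGROUP=False in the question): no anti-spoofing chain exists,
    so every packet passes.
    """
    if firewall_driver == "noop":
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src_mac.lower() == mac and src in net
               for mac, net in spoof_rules(port))


# Constructed sample: vm2's port on private2, MAC and IP copied from the
# question's `neutron port-list`; the other MACs/IPs below are made up.
VM2_PORT = Port("fa:16:3e:75:97:8a", ["10.1.0.4"])
VM1_MAC = "fa:16:3e:c1:85:21"           # vm1's MAC on the same subnet


def demo():
    """Verdicts for a few packets before and after port-update calls."""
    r = {}
    r["own_addr"] = is_allowed(VM2_PORT, VM2_PORT.mac_address, "10.1.0.4")
    r["ip_spoof"] = is_allowed(VM2_PORT, VM2_PORT.mac_address, "10.1.0.2")
    r["mac_spoof"] = is_allowed(VM2_PORT, VM1_MAC, "10.1.0.4")
    r["secgroups_off"] = is_allowed(VM2_PORT, VM1_MAC, "10.1.0.2", firewall_driver="noop")

    # neutron port-update <id> --allowed-address-pairs type=dict list=true ip_address=10.1.0.0/24
    subnet_pair = Port(VM2_PORT.mac_address, VM2_PORT.fixed_ips,
                       [{"ip_address": "10.1.0.0/24"}])
    r["ip_spoof_after_pair"] = is_allowed(subnet_pair, VM2_PORT.mac_address, "10.1.0.2")
    r["mac_spoof_after_pair"] = is_allowed(subnet_pair, VM1_MAC, "10.1.0.2")

    # neutron port-update <id> --allowed-address-pairs type=dict list=true \
    #     mac_address=00:00:5e:00:01:01,ip_address=10.1.0.100   (VRRP-style VIP)
    vip_pair = Port(VM2_PORT.mac_address, VM2_PORT.fixed_ips,
                    [{"ip_address": "10.1.0.100", "mac_address": "00:00:5e:00:01:01"}])
    r["vip_mac_ok"] = is_allowed(vip_pair, "00:00:5e:00:01:01", "10.1.0.100")
    r["vip_mac_wrong_ip"] = is_allowed(vip_pair, "00:00:5e:00:01:01", "10.1.0.4")
    return r


if __name__ == "__main__":
    for line in render_chain(VM2_PORT):
        print(line)
    for k, v in demo().items():
        print(f"{k:22} {'ALLOW' if v else 'DROP'}")
```

Run it as-is; demo() returns the verdicts. The point for the original question: an ip_address-only pair widens which source IPs the port's own MAC may use, but a foreign source MAC stays blocked unless a pair names that MAC as well, and with security groups disabled (noop driver) nothing is filtered, so MAC spoofing cannot be stopped by port settings alone in that configuration.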


Stats

Asked: 2014-04-08 00:10:09 -0600

Seen: 5,288 times

Last updated: Nov 10 '14