* NDP and ebtables
From: Jonathan Tripathy @ 2010-08-29 10:54 UTC
  To: netfilter

Hi Everyone,

I'm just trialling out ipv6 on my network. Currently, all my bridge ports
are protected from MAC address spoofing by using ebtables:

/usr/local/sbin/ebtables -I FORWARD -p ARP -o "$vif" -j ACCEPT
/usr/local/sbin/ebtables -I FORWARD -i "$vif" -s "$mac" -j ACCEPT
/usr/local/sbin/ebtables -I FORWARD -o "$vif" -d "$mac" -j ACCEPT

As you can see above, I allow all ARP packets to flow to the host
(who-has). This allows ARP resolution to work. Is-at works as the source
MAC address is set in the frame.

However, adding IPv6 to the mix is a little trickier. As it turns out, 
IPv6 doesn't use ARP, but uses NDP.

Is there any way to make NDP work with ebtables, while still preventing
MAC address spoofing?

Many Thanks


* Re: NDP and ebtables
From: Pascal Hambourg @ 2010-08-29 14:51 UTC
  To: netfilter

Hello,

Jonathan Tripathy wrote:
> 
> I'm just trialling out ipv6 on my network. Currently, all my bridge ports
> are protected from MAC address spoofing by using ebtables:
> 
> /usr/local/sbin/ebtables -I FORWARD -p ARP -o "$vif" -j ACCEPT
> /usr/local/sbin/ebtables -I FORWARD -i "$vif" -s "$mac" -j ACCEPT
> /usr/local/sbin/ebtables -I FORWARD -o "$vif" -d "$mac" -j ACCEPT
> 
> As you can see above, I allow all ARP packets to flow to the host
> (who-has). This allows ARP resolution to work. Is-at works as the source
> MAC address is set in the frame.
> 
> However, adding IPv6 to the mix is a little trickier. As it turns out, 
> IPv6 doesn't use ARP, but uses NDP.
> 
> Is there any way to make NDP work with ebtables, while still preventing
> MAC address spoofing?

Sure: don't filter on the destination address, or at least accept
related multicast addresses (see "ip -f link maddr" on the host).

Spoofing is about the source, not the destination. If the bridge code
decides to forward a packet to some port even when the destination
address is not the address of a host connected to that port, it has some
reason to do so:
- the destination is multicast or broadcast,
- the destination is unicast but unknown, thus treated as broadcast.

You can safely drop in the latter case, not in the former.

Note that your 3rd rule accepts packets from any source address, thus
not preventing spoofing.


* Re: NDP and ebtables
From: Jonathan Tripathy @ 2010-08-29 17:22 UTC
  To: Pascal Hambourg, netfilter


On 29/08/10 15:51, Pascal Hambourg wrote:
> Hello,
>
> Jonathan Tripathy wrote:
>
>> I'm just trialling out ipv6 on my network. Currently, all my bridge ports
>> are protected from MAC address spoofing by using ebtables:
>>
>> /usr/local/sbin/ebtables -I FORWARD -p ARP -o "$vif" -j ACCEPT
>> /usr/local/sbin/ebtables -I FORWARD -i "$vif" -s "$mac" -j ACCEPT
>> /usr/local/sbin/ebtables -I FORWARD -o "$vif" -d "$mac" -j ACCEPT
>>
>> As you can see above, I allow all ARP packets to flow to the host
>> (who-has). This allows ARP resolution to work. Is-at works as the source
>> MAC address is set in the frame.
>>
>> However, adding IPv6 to the mix is a little trickier. As it turns out,
>> IPv6 doesn't use ARP, but uses NDP.
>>
>> Is there any way to make NDP work with ebtables, while still preventing
>> MAC address spoofing?
>
> Sure: don't filter on the destination address, or at least accept
> related multicast addresses (see "ip -f link maddr" on the host).
>
> Spoofing is about the source, not the destination. If the bridge code
> decides to forward a packet to some port even when the destination
> address is not the address of a host connected to that port, it has some
> reason to do so:
> - the destination is multicast or broadcast,
> - the destination is unicast but unknown, thus treated as broadcast.
>
> You can safely drop in the latter case, not in the former.
>
> Note that your 3rd rule accepts packets from any source address, thus
> not preventing spoofing.

Hi Pascal,

Well spotted about my 3rd rule above!

So, do you think I should just have my second rule then? The thing is
though, is that bridges are known to "broadcast" all traffic everywhere
for a few seconds when their configuration changes. I don't really want
this to happen. Can you please help me with some rules to prevent this,
and also stop spoofing?

Thanks


* Re: NDP and ebtables
From: Jonathan Tripathy @ 2010-08-29 19:11 UTC
  To: Pascal Hambourg, netfilter


On 29/08/10 18:22, Jonathan Tripathy wrote:
>
> On 29/08/10 15:51, Pascal Hambourg wrote:
>> Hello,
>>
>> Jonathan Tripathy wrote:
>>> I'm just trialling out ipv6 on my network. Currently, all my bridge ports
>>> are protected from MAC address spoofing by using ebtables:
>>>
>>> /usr/local/sbin/ebtables -I FORWARD -p ARP -o "$vif" -j ACCEPT
>>> /usr/local/sbin/ebtables -I FORWARD -i "$vif" -s "$mac" -j ACCEPT
>>> /usr/local/sbin/ebtables -I FORWARD -o "$vif" -d "$mac" -j ACCEPT
>>>
>>> As you can see above, I allow all ARP packets to flow to the host
>>> (who-has). This allows ARP resolution to work. Is-at works as the source
>>> MAC address is set in the frame.
>>>
>>> However, adding IPv6 to the mix is a little trickier. As it turns out,
>>> IPv6 doesn't use ARP, but uses NDP.
>>>
>>> Is there any way to make NDP work with ebtables, while still preventing
>>> MAC address spoofing?
>> Sure: don't filter on the destination address, or at least accept
>> related multicast addresses (see "ip -f link maddr" on the host).
>>
>> Spoofing is about the source, not the destination. If the bridge code
>> decides to forward a packet to some port even when the destination
>> address is not the address of a host connected to that port, it has some
>> reason to do so:
>> - the destination is multicast or broadcast,
>> - the destination is unicast but unknown, thus treated as broadcast.
>>
>> You can safely drop in the latter case, not in the former.
>>
>> Note that your 3rd rule accepts packets from any source address, thus
>> not preventing spoofing.
>
> Hi Pascal,
>
> Well spotted about my 3rd rule above!
>
> So, do you think I should just have my second rule then? The thing is
> though, is that bridges are known to "broadcast" all traffic everywhere
> for a few seconds when their configuration changes. I don't really
> want this to happen. Can you please help me with some rules to prevent
> this, and also stop spoofing?
>
>
I have an idea!
How about something like this:

/usr/local/sbin/ebtables -N OUT
/usr/local/sbin/ebtables -P OUT DROP
/usr/local/sbin/ebtables -I OUT -o "$vif" -d "$mac" -j ACCEPT
/usr/local/sbin/ebtables -I OUT -p ARP -o "$vif" -j ACCEPT

/usr/local/sbin/ebtables -I FORWARD -i "$vif" -s "$mac" -j OUT

Wouldn't that work nicely? That is, stop source address spoofing, as well
as make sure that outgoing traffic is set for the correct MAC address.
I appreciate that my above rules would block all multicast/broadcast
traffic (except ARP), however since this is in a hosting environment,
that's probably OK, isn't it?


* Re: NDP and ebtables
From: Pascal Hambourg @ 2010-08-30 23:31 UTC
  To: Jonathan Tripathy; +Cc: netfilter

Jonathan Tripathy wrote:
>>
>> So, do you think I should just have my second rule then? The thing is
>> though, is that bridges are known to "broadcast" all traffic everywhere
>> for a few seconds when their configuration changes. I don't really
>> want this to happen. Can you please help me with some rules to prevent
>> this, and also stop spoofing?
>>
> How about something like this:
> 
> /usr/local/sbin/ebtables -N OUT
> /usr/local/sbin/ebtables -P OUT DROP
> /usr/local/sbin/ebtables -I OUT -o "$vif" -d "$mac" -j ACCEPT
> /usr/local/sbin/ebtables -I OUT -p ARP -o "$vif" -j ACCEPT
> 
> /usr/local/sbin/ebtables -I FORWARD -i "$vif" -s "$mac" -j OUT
> 
> Wouldn't that work nicely?

I guess so, except for IPv6 NDP (see below).
Note that you don't need a separate ARP rule for each port.

> That is, stop source address spoofing, as well
> as make sure that outgoing traffic is set for the correct MAC address.

> I appreciate that my above rules would block all multicast/broadcast 
> traffic (except ARP), however since this is in a hosting environment, 
> that's probably ok isn't it?

NDP uses multicast and will break if you drop all multicast. You can
however accept only the multicast addresses the host listens to (see my
first reply for how to get the list).
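Pascal's advice from both replies (drop on the source, accept only the multicast groups the host actually listens to, drop flooded unknown unicast) worked through as an added example; this is not code from the thread or from either poster. It assumes a Xen-style port name "$vif", a constructed guest MAC 00:16:3e:12:34:56, a per-port chain named OUT_$vif, the ebtables path used in the thread, and a constructed "ip -f link maddr" sample; it only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not code from the thread): print, without applying, ebtables rules
# for one bridge port that block MAC spoofing on ingress and on egress accept only
# unicast to the guest MAC, ARP, and the multicast groups the host listens to,
# so IPv6 NDP still works without opening all multicast.
# Assumptions: "$vif", "$mac" (constructed value 00:16:3e:12:34:56), the chain
# name OUT_$vif and the "ip -f link maddr" sample below are all hypothetical.

# Constructed sample of "ip -f link maddr show dev br0" output (not a real host).
SAMPLE_MADDR='3:	br0
	link  01:00:5e:00:00:01
	link  33:33:00:00:00:01
	link  33:33:ff:12:34:56
	link  33:33:00:00:00:02'

# Extract the link-layer multicast addresses from "ip -f link maddr" output.
link_maddrs() {
    printf '%s\n' "$1" | awk '$1 == "link" { print $2 }'
}

# Solicited-node multicast MAC (33:33:ff + low 24 bits) of the address SLAAC
# derives from the guest MAC: both share their low 24 bits. Added because the
# host may not have joined that group yet when the rules are generated.
solicited_node_mac() {
    printf '33:33:ff:%s\n' "$(printf '%s\n' "$1" | cut -d: -f4-6)"
}

# Print the rules for one port. One chain per port so each gets its own DROP
# policy; unknown unicast flooded by the bridge falls through to that DROP.
gen_rules() {
    vif=$1 mac=$2 maddr_out=$3
    eb=/usr/local/sbin/ebtables
    chain="OUT_$vif"
    echo "$eb -N $chain"
    echo "$eb -P $chain DROP"
    echo "$eb -A $chain -o \"$vif\" -d \"$mac\" -j ACCEPT"    # unicast to the guest
    echo "$eb -A $chain -p ARP -o \"$vif\" -j ACCEPT"         # who-has / is-at
    { link_maddrs "$maddr_out"; solicited_node_mac "$mac"; } | sort -u |
    while read -r m; do                                       # listened multicast only
        echo "$eb -A $chain -o \"$vif\" -d \"$m\" -j ACCEPT"
    done
    echo "$eb -A FORWARD -i \"$vif\" -s ! \"$mac\" -j DROP"   # ingress anti-spoof
    echo "$eb -A FORWARD -o \"$vif\" -j $chain"               # egress via port chain
}

gen_rules vif1 00:16:3e:12:34:56 "$SAMPLE_MADDR"
```

Pipe the output through "sh" only after checking that the multicast list covers every group the guest needs; a group missing from the host's list is dropped, which is how NDP breaks in the scenario discussed above.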

