This issue allows ARP cache poisoning attacks to be started from a guest VM to other VMs in the same network. This is a security issue, especially on shared networks.
This blueprint suggest that we utilize the ebtables tool to configure Ethernet-frame-level filtering, which prevents these spoofing packets to be sent by a VM.
With an ARP cache poisoning attack a device in the local network can impersonate someone else. Specifically, a device can claim ownership of an IP address, which it does not actually have.
The attacker sends out a gratuituous ARP response, in which their network interface (identified by MAC address) claims to be configured with a certain IP address. However, this might be someone else’s IP address. Other devices in the network update their ARP cache with the spoofed entry and will put the attacking device’s MAC address as the destination address of frames that are to be sent to the attacked IP address.
We propose to add an ‘ebtables manager’, which knows how to utilize the ebtables utility. This utility can be used to create Ethernet frame level filtering rules.
Whenever a port for a VM is created or deleted, we use the ebtables manager to update ebtables rules, which prevent the sending of spoofed ARP packets through this port.
Please note that the ebtables manager code is largely based on the work of Édouard Thuleau, who had submitted a patch (see ‘references’ section below).
This patch, however, did not make it into the release and was abandoned. We are now resurrecting much of this patch.
An updated version of this patch was submitted for Juno, but was rejected for various reasons.
The existing patch replaced some of the iptables-based filtering with new ebtables filters. Therefore, it changed quite a bit of the existing code in iptables_firewall.py. This was not appreciated, since this code was seen as brittle and in need of a re-write.
Therefore, we are now proposing that the changes to iptables code are kept to a minimum. We merely need to add a few small hooks in the iptables code, so that the ebtables manager code is invoked when a port is created or deleted. The ARP spoofing related rules are the same as in the previous patch, however none of the unrelated rules introduced by the previous patch are contained in this patch.
If at some later time the iptables code is going to be re-written, any hooks to the ebtables code can easily be ported over.
The ebtables manager code is run with the same privileges as the iptables code (root-wrap).
It improves security of VMs on shared networks.
The new code will be called whenever a VM port is created or deleted. The impact of calling the ebtables code is similar to the impact of the iptables code. It will be called in addition to the iptables code and does not replace it. The ebtables code is only touched when a port is created or deleted, no other time.
The ‘ebtables’ utility needs to be installed. This is normally available in various standard packages. On Debian, for example, it’s installed like this:
# apt-get install ebtables
In fact, the proposed patch is designed to have as little impact as possible. The existing code isn’t changed and both the iptables and ebtables code can be independently refactored without impacting each other.
It seems that iptables isn’t capable of performing such filtering and therefore can’t be used for this.
Another alternative is to do nothing: This is only an issue on shared networks. That’s a business decision, though, and it seems some people are quite eager to have this patch.
Not sure yet.
Funtional tests to show that the iptables and ebtables code work together properly.
The need for ebtables may be listed somewhere as a requirement.