Introduction
------------

In many virtualized setups today, it is common for the host administrator to grant a guest VM exclusive access to a physical link or a VNIC. This lets guests benefit from traffic isolation and improved performance. The downside is that such guests are free to send any type of packet, including harmful ones, onto the network.

Link protection is a new mechanism for preventing potentially malicious or misbehaving guest VMs from sending harmful packets to the network. It protects against these basic threats: IP, DHCP and MAC spoofing; and L2 frame spoofing.

IP, DHCP and MAC spoofing are commonly used by attackers to hijack or eavesdrop on communications between neighbours on the same LAN. Spoof protection of IP and MAC addresses thwarts many variants of such attacks.

L2 frame spoofing is often used by attackers to disrupt link-layer operation or to bypass security controls. For example, fake bridge PDUs can misconfigure switches, and packets with spoofed nested VLAN tags can be passed erroneously on to other, supposedly isolated, VLANs. One possible defence is to forbid the sending of non-IP packets altogether. This is acceptable for most VMs, since most have no need to generate non-IP traffic.

Unlike a traditional firewall, link protection supports neither inbound filtering nor customizable filtering rules. Users with such requirements should use a firewall instead. Link protection has the advantages of ease of use and performance over a firewall: at most two commands are needed to enable it, one for selecting the protection types and another for customizing them, and performance is better because the feature is built into, and tightly integrated with, the network stack.

Proposed changes
----------------

A new link property 'protection' will be introduced. This property may have no value (the default) or one or more of the following:

mac-nospoof
    MAC address anti-spoof.
    An outbound packet's source MAC address must match the link's configured MAC address. Non-matching packets will be dropped. If the link belongs to a zone, turning 'mac-nospoof' on also prevents the zone's owner from modifying the link's MAC address.

ip-nospoof
    IP address anti-spoof. This protection type works in conjunction with the link property 'allowed-ips', a list of IPv4/IPv6 addresses that is empty by default. Two kinds of address are implicitly in this list: the link-local IPv6 address derived from the link's MAC address per RFC 2464, and any IPv4/IPv6 address learned from DHCP replies.

    An outbound IPv4 packet may pass if its source address is in 'allowed-ips'.

    An outbound ARP packet may pass if its sender protocol address is in 'allowed-ips', or if the sender protocol address is all zeros and the packet is an ARP REQUEST (as in an ARP probe).

    An outbound IPv6 packet may pass if these conditions are satisfied:

    - If the packet is NDP (ICMPv6 type RS, RA, NS, NA or RD, i.e. Redirect):
      If the source link-layer address option is present and the packet type is RS, RA or NS, the source IPv6 address must be in 'allowed-ips'.
      If the source link-layer address option is absent and the packet type is RS or NS, the source IPv6 address must be in 'allowed-ips' or be all zeros (the unspecified address, as used for duplicate address detection).
      If the target link-layer address option is present and the packet type is NA or RD, both the source IPv6 address and the ICMPv6 target address must be in 'allowed-ips'.

    - If the packet is not NDP: its source IPv6 address must be in 'allowed-ips'.

dhcp-nospoof
    DHCP client ID (DUID for DHCPv6) and hardware address anti-spoof. This protection type works in conjunction with the link property 'allowed-dhcp-cids'. Items in the 'allowed-dhcp-cids' list are formatted the same way as the CLIENT_ID field in /etc/default/dhcpagent, except that '.' is used in place of ',' when specifying DUIDs. See dhcpagent(1M) for details.
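The mac-nospoof and ip-nospoof rules above, written out as a reference model so the per-packet-type decisions can be exercised. This is an added example and not Solaris/Crossbow code: packets are given as a small dataclass whose field names are this example's own rather than parsed from raw frames, the only implicit 'allowed-ips' entry modelled is the RFC 2464 link-local address derived from the MAC (addresses learned from DHCP replies are assumed to have been added to 'allowed-ips'), and NDP option/type combinations the text does not list fall back to a plain source-address check (an assumption, marked in the code).

```python
"""Reference model of the mac-nospoof and ip-nospoof rules (added example, not Crossbow code)."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, ip_address
from typing import Optional

ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPV6 = 0x0800, 0x0806, 0x86DD
ARP_REQUEST = 1
RS, RA, NS, NA, RD = 133, 134, 135, 136, 137      # ICMPv6 NDP message types
NDP_TYPES = {RS, RA, NS, NA, RD}


@dataclass
class Packet:                         # field names are this example's own
    src_mac: str                      # Ethernet source, "aa:bb:cc:dd:ee:ff"
    ethertype: int
    src_ip: str = ""                  # IPv4/IPv6 source, or ARP sender protocol address
    arp_op: Optional[int] = None      # ARP opcode (1 = request, 2 = reply)
    icmp6_type: Optional[int] = None  # ICMPv6 type, None for non-ICMPv6 traffic
    icmp6_target: str = ""            # NDP target address (NA/RD)
    has_src_lladdr_opt: bool = False  # NDP source link-layer address option present
    has_tgt_lladdr_opt: bool = False  # NDP target link-layer address option present


@dataclass
class Link:
    mac: str
    allowed_ips: set = field(default_factory=set)   # the 'allowed-ips' property

    def link_local(self) -> IPv6Address:
        """fe80::/64 address formed from the MAC per RFC 2464: flip the U/L bit, insert ff:fe."""
        octets = bytearray(int(x, 16) for x in self.mac.split(":"))
        octets[0] ^= 0x02
        iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
        return IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)

    def allows(self, addr: str) -> bool:
        a = ip_address(addr)
        return a == self.link_local() or any(a == ip_address(x) for x in self.allowed_ips)


def mac_nospoof(link: Link, pkt: Packet) -> bool:
    return pkt.src_mac.lower() == link.mac.lower()


def ip_nospoof(link: Link, pkt: Packet) -> bool:
    if pkt.ethertype == ETHERTYPE_IPV4:
        return link.allows(pkt.src_ip)
    if pkt.ethertype == ETHERTYPE_ARP:
        # an all-zero sender address is only legitimate in a request (ARP probe)
        probe = ip_address(pkt.src_ip) == ip_address("0.0.0.0") and pkt.arp_op == ARP_REQUEST
        return link.allows(pkt.src_ip) or probe
    if pkt.ethertype == ETHERTYPE_IPV6:
        src_ok = link.allows(pkt.src_ip)
        t = pkt.icmp6_type
        if t not in NDP_TYPES:
            return src_ok
        if pkt.has_src_lladdr_opt and t in (RS, RA, NS):
            return src_ok
        if not pkt.has_src_lladdr_opt and t in (RS, NS):
            return src_ok or ip_address(pkt.src_ip) == ip_address("::")   # unspecified source (DAD)
        if pkt.has_tgt_lladdr_opt and t in (NA, RD):
            return src_ok and link.allows(pkt.icmp6_target)
        return src_ok   # assumption: combinations the text does not list get the plain source check
    return True         # not IP-related; that is 'restricted' territory, not ip-nospoof


def check(link: Link, pkt: Packet, protection: set) -> Optional[str]:
    """Return None if the packet may pass, else the kstat that would count the drop."""
    if "mac-nospoof" in protection and not mac_nospoof(link, pkt):
        return "mac_spoofed"
    if "ip-nospoof" in protection and not ip_nospoof(link, pkt):
        return "ip_spoofed"
    return None


if __name__ == "__main__":
    vnic0 = Link("02:08:20:aa:bb:cc", {"10.0.0.1"})
    prot = {"mac-nospoof", "ip-nospoof"}
    ll = str(vnic0.link_local())                     # fe80::8:20ff:feaa:bbcc
    samples = {                                      # constructed packets
        "ipv4 ok":      Packet("02:08:20:aa:bb:cc", ETHERTYPE_IPV4, "10.0.0.1"),
        "ipv4 spoof":   Packet("02:08:20:aa:bb:cc", ETHERTYPE_IPV4, "10.0.0.9"),
        "mac spoof":    Packet("02:08:20:aa:bb:dd", ETHERTYPE_IPV4, "10.0.0.1"),
        "arp probe":    Packet("02:08:20:aa:bb:cc", ETHERTYPE_ARP, "0.0.0.0", arp_op=ARP_REQUEST),
        "dad ns":       Packet("02:08:20:aa:bb:cc", ETHERTYPE_IPV6, "::", icmp6_type=NS),
        "na for other": Packet("02:08:20:aa:bb:cc", ETHERTYPE_IPV6, ll, icmp6_type=NA,
                               icmp6_target="fe80::1", has_tgt_lladdr_opt=True),
    }
    for name, p in samples.items():
        print(f"{name:14s} -> {check(vnic0, p, prot) or 'pass'}")
```

Note what the rules do and do not cover: the NA check verifies that the advertised target is one of the guest's own addresses, which is what stops a guest from answering neighbour solicitations for its neighbours, but an RA that carries the guest's own link-local address as source passes the ip-nospoof check, since the rules verify addresses, not roles. The 'restricted' type does not help there either, as RAs are IPv6.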
    An outbound DHCPv4 or DHCPv6 packet may pass only if these conditions are satisfied:

    - If 'allowed-dhcp-cids' is not configured and the packet is:
      DHCPv4: the client ID field must match the configured MAC address.
      DHCPv6: the DUID must be of type 1 (DUID-LLT) or 3 (DUID-LL), and the link-layer address part of the DUID must match the configured MAC address.

    - If 'allowed-dhcp-cids' is configured and the packet is:
      DHCPv4: the client ID field must match one of the IDs on this list or the configured MAC address.
      DHCPv6: the DUID field must match one of the IDs on this list, or the DUID must be of type 1 or 3 with a link-layer address part that matches the configured MAC address.

    - The client hardware address field (chaddr, DHCPv4 only) must always match the configured MAC address.

restricted
    This protection restricts outgoing packet types to just IPv4, IPv6 and ARP. This is the defence against spoofed L2 frames discussed in the introduction.

If a packet is dropped due to link protection, the drop is counted in one of the following kernel statistics: mac_spoofed, ip_spoofed, dhcp_spoofed, restricted. These statistics are of class 'net' and name 'mac', and are available on each mac instance; the module name and instance number correspond to the mac instance.

The dladm show-linkprop sub-command will be modified to display link properties in a multi-line format. This allows multi-valued properties to be displayed without overrunning the VALUE column. The change affects only regular user output, not parseable output.
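The dhcp-nospoof and restricted rules above as a reference model, including the DUID parsing that the DHCPv6 branch needs. This is an added example, not Solaris/Crossbow code, and it makes assumptions the design text does not state: an 'allowed-dhcp-cids' entry is decoded the way a dhcpagent(1M) CLIENT_ID string is, '0x' followed by hex or otherwise plain ASCII, with the dotted DUID text form not modelled (DUIDs in the list are compared as raw bytes after the hex decoding); a DHCPv4 client ID "matches the configured MAC" if it is the bare MAC or hardware type 1 followed by the MAC, which is how option 61 usually carries it; and a DHCPv4 packet without a client ID option is judged on chaddr alone. The Link and Frame dataclasses and their field names are this example's own.

```python
"""Reference model of the dhcp-nospoof and restricted rules (added example, not Crossbow code)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPV6 = 0x0800, 0x0806, 0x86DD
RESTRICTED_ETHERTYPES = {ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_ARP}
DUID_LLT, DUID_LL = 1, 3            # RFC 3315 DUID types that carry a link-layer address


@dataclass
class Link:
    mac: bytes                      # configured MAC address, 6 raw bytes
    allowed_dhcp_cids: List[str]    # the 'allowed-dhcp-cids' property; [] means not configured


@dataclass
class Frame:                        # field names are this example's own
    ethertype: int                  # 0x0800 for DHCPv4, 0x86DD for DHCPv6, anything for other traffic
    chaddr: Optional[bytes] = None  # DHCPv4 client hardware address field
    client_id: Optional[bytes] = None   # DHCPv4 option 61 value
    duid: Optional[bytes] = None    # DHCPv6 client DUID


def cid_bytes(entry: str) -> bytes:
    """Decode one 'allowed-dhcp-cids' entry (assumed CLIENT_ID syntax: '0x' hex, else ASCII)."""
    if entry.lower().startswith("0x"):
        return bytes.fromhex(entry[2:])
    return entry.encode("ascii")


def duid_lladdr(duid: bytes) -> Optional[bytes]:
    """Link-layer address inside a DUID-LLT (type 1) or DUID-LL (type 3); None for other types."""
    if len(duid) < 2:
        return None
    dtype = struct.unpack("!H", duid[:2])[0]
    if dtype == DUID_LLT and len(duid) > 8:   # type(2) hwtype(2) time(4) lladdr
        return duid[8:]
    if dtype == DUID_LL and len(duid) > 4:    # type(2) hwtype(2) lladdr
        return duid[4:]
    return None


def dhcp_nospoof(link: Link, f: Frame) -> bool:
    allowed = [cid_bytes(e) for e in link.allowed_dhcp_cids]
    if f.ethertype == ETHERTYPE_IPV4:
        if f.chaddr != link.mac:              # chaddr must always match
            return False
        if f.client_id is None:               # assumption: no option 61, nothing more to compare
            return True
        return f.client_id in (link.mac, b"\x01" + link.mac) or f.client_id in allowed
    if f.ethertype == ETHERTYPE_IPV6:
        if f.duid is None:
            return False
        return f.duid in allowed or duid_lladdr(f.duid) == link.mac
    return True                               # not DHCP; dhcp-nospoof has no opinion


def restricted(f: Frame) -> bool:
    return f.ethertype in RESTRICTED_ETHERTYPES


def check(link: Link, f: Frame, protection: set) -> Optional[str]:
    """Return None if the frame may pass, else the kstat that would count the drop."""
    if "restricted" in protection and not restricted(f):
        return "restricted"
    if "dhcp-nospoof" in protection and not dhcp_nospoof(link, f):
        return "dhcp_spoofed"
    return None


if __name__ == "__main__":
    mac = bytes.fromhex("020820aabbcc")
    vnic0 = Link(mac, ["hello", "0x00020000009c0102"])   # second entry: a DUID-EN, as hex
    prot = {"dhcp-nospoof", "restricted"}
    samples = {                                           # constructed frames
        "v4 own mac":    Frame(ETHERTYPE_IPV4, chaddr=mac, client_id=b"\x01" + mac),
        "v4 listed":     Frame(ETHERTYPE_IPV4, chaddr=mac, client_id=b"hello"),
        "v4 bad cid":    Frame(ETHERTYPE_IPV4, chaddr=mac, client_id=b"evil"),
        "v4 bad chaddr": Frame(ETHERTYPE_IPV4, chaddr=bytes.fromhex("020820aabbdd"), client_id=b"hello"),
        "v6 duid-llt":   Frame(ETHERTYPE_IPV6, duid=bytes.fromhex("0001000111223344") + mac),
        "v6 other mac":  Frame(ETHERTYPE_IPV6, duid=bytes.fromhex("00030001020820aabbdd")),
        "v6 listed":     Frame(ETHERTYPE_IPV6, duid=bytes.fromhex("00020000009c0102")),
        "vlan tagged":   Frame(0x8100),
    }
    for name, f in samples.items():
        print(f"{name:14s} -> {check(vnic0, f, prot) or 'pass'}")
```

Two consequences worth noticing when configuring a guest: a DHCPv6 client that uses a DUID-EN (type 2) or DUID-UUID cannot pass unless that exact DUID is placed on 'allowed-dhcp-cids', since only types 1 and 3 are matched against the MAC, and for DHCPv4 a listed client ID never excuses a mismatched chaddr.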
Usage Examples
--------------

To enable link protection:

    dladm set-linkprop \
        -p protection=ip-nospoof,dhcp-nospoof,mac-nospoof,restricted vnic0

To disable link protection:

    dladm reset-linkprop -p protection vnic0

Modifying 'allowed-ips' and 'allowed-dhcp-cids':

    dladm set-linkprop -p allowed-ips=10.0.0.1,10.0.0.2 vnic0
    dladm set-linkprop -p allowed-dhcp-cids=hello,test123 vnic0

Displaying the configuration:

    dladm show-linkprop -p protection,allowed-ips,allowed-dhcp-cids vnic0
    LINK   PROPERTY           PERM  VALUE           DEFAULT  POSSIBLE
    vnic0  protection         rw    ip-nospoof,     --       --
                                    dhcp-nospoof,
                                    mac-nospoof,
                                    restricted
    vnic0  allowed-ips        rw    10.0.0.1,       --       --
                                    10.0.0.2
    vnic0  allowed-dhcp-cids  rw    hello,test123   --       --

Commitment Levels
-----------------

    Interfaces                                        Level
    ----------                                        -----
    Link properties:                                  uncommitted
        protection, allowed-ips, allowed-dhcp-cids
    kstats (::::):                                    volatile
        net:::mac:mac_spoofed, net:::mac:ip_spoofed,
        net:::mac:dhcp_spoofed, net:::mac:restricted

The requested binding is minor.

Phased Delivery
---------------

Due to time and resource constraints, this project will be delivered in two phases:

Phase I:  mac-nospoof, ip-nospoof (IPv4 and static addresses only), restricted
Phase II: ip-nospoof (IPv6 and DHCPv4/DHCPv6-configured addresses), dhcp-nospoof
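Because link protection reports drops only through the mac_spoofed, ip_spoofed, dhcp_spoofed and restricted kstats listed above, a host operator who wants to know which guest is misbehaving has to poll those counters. The following is an added example, not part of the Solaris/Crossbow project: it parses the 'module:instance:name:statistic<TAB>value' lines that kstat -p prints, keeps only the four link-protection statistics of name 'mac', and reports the links whose counters grew between two readings. The sample readings are constructed; the module and instance values in them are an assumption about how a VNIC's mac kstats are named, and the kstat invocation in the comment is the one a reader would likely use, not something the design text prescribes.

```python
"""Delta-check the link-protection drop kstats (added example, not Solaris/Crossbow code)."""
from typing import Dict, Tuple

SPOOF_STATS = ("mac_spoofed", "ip_spoofed", "dhcp_spoofed", "restricted")

# Constructed samples, shaped like the output of: kstat -p -c net -n mac
# (module/instance naming here is assumed, not taken from the design text)
BEFORE = """\
vnic0:0:mac:mac_spoofed\t0
vnic0:0:mac:ip_spoofed\t17
vnic0:0:mac:dhcp_spoofed\t2
vnic0:0:mac:restricted\t0
vnic0:0:mac:ipackets\t99182
vnic1:1:mac:ip_spoofed\t0
"""
AFTER = """\
vnic0:0:mac:mac_spoofed\t0
vnic0:0:mac:ip_spoofed\t17
vnic0:0:mac:dhcp_spoofed\t2
vnic0:0:mac:restricted\t41
vnic0:0:mac:ipackets\t99500
vnic1:1:mac:ip_spoofed\t3
"""

Counters = Dict[Tuple[str, str], Dict[str, int]]   # (module, instance) -> {statistic: value}


def parse_kstat_p(text: str) -> Counters:
    """Keep the link-protection counters from kstat -p output; ignore all other statistics."""
    out: Counters = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, value = line.split("\t", 1)
        module, instance, name, stat = key.split(":", 3)
        if name != "mac" or stat not in SPOOF_STATS:
            continue
        out.setdefault((module, instance), {})[stat] = int(value)
    return out


def drop_deltas(before: Counters, after: Counters) -> Counters:
    """Per link, the counters that increased and by how much; links with no growth are omitted."""
    deltas: Counters = {}
    for link, stats in after.items():
        old = before.get(link, {})
        grown = {s: v - old.get(s, 0) for s, v in stats.items() if v - old.get(s, 0) > 0}
        if grown:
            deltas[link] = grown
    return deltas


if __name__ == "__main__":
    for (module, inst), grown in drop_deltas(parse_kstat_p(BEFORE), parse_kstat_p(AFTER)).items():
        print(f"{module}:{inst} dropped " + ", ".join(f"{v} ({s})" for s, v in grown.items()))
```

Run against two real readings taken a polling interval apart, a non-zero delta on a link is a direct signal that its guest attempted something the policy forbids, which is more actionable than the absolute counter value: a counter that has been at 17 since boot is history, a counter that moved is an event.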