Solaris Antispoof / Link Protection

July 18th, 2012 | Categories: Solaris, Technology

I’ve seen anti-spoofing mentioned on #illumos and #openindiana a few times, but googling it turns up little information. I didn’t check it out until rmustacc advised me to do so regarding a KVM IPv6 issue I’m facing.

After asking around about it and some further research, it also seems to go by the name of Link Protection in the Oracle Solaris documentation.

I only found this out by actually figuring out what I had to set using dladm and then googling the parameter.

So what is it and do I need it?
Link protection protects you from zones or (K)VMs that try to behave badly. For example, a VM could set a different IP or try to change its MAC address. In most cases you do not want this to happen.

I’m sold! How do I use it?
Well, you can set four different modes: ip-nospoof, dhcp-nospoof, mac-nospoof and restricted.
They can be used in any combination you want.

  1. ip-nospoof: limits outgoing traffic to source IPs learned through DHCP or set in the allowed-ips property.
  2. mac-nospoof: prevents the zone admin from changing the MAC address.
  3. dhcp-nospoof: prevents Client ID/DUID spoofing for DHCP.
  4. restricted: only allows the IPv4, IPv6 and ARP protocols.

You can configure this using the dladm set-linkprop command. You can find some practical examples in the quick reference section below.

For some reason this is disabled by default in most distributions with the exception of SmartOS.

Quick Reference

Check the current configuration:

dladm show-linkprop -p protection,allowed-ips vnic0

Disable link protection:

dladm reset-linkprop -p protection vnic0

Enable anti MAC-spoofing:

dladm set-linkprop -p protection=mac-nospoof vnic0

Enable anti IP-spoofing:

dladm set-linkprop -p protection=ip-nospoof vnic0
dladm set-linkprop -p allowed-ips=172.16.30.75,172.16.20.75 vnic0

Enable anti Client ID/DUID-spoofing:

dladm set-linkprop -p protection=dhcp-nospoof vnic0

This can be further restricted using allowed-dhcp-cids in similar fashion as allowed-ips. If allowed-dhcp-cids is not set, the interface’s MAC will be used.

I haven’t tested this one. From what I’ve understood it is useless if you also have mac-nospoof set, since you can’t use an incorrect MAC to spoof your Client ID with. (comments welcome)

Restrict traffic to IPv4, IPv6 and ARP:

dladm set-linkprop -p protection=restricted vnic0

Combining them:[1]

dladm set-linkprop -p protection=mac-nospoof,restricted vnic0
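Since link protection is off by default on most distributions, an audit that flags every VNIC still running without it is handy. The script below is an added example (not from the original post) that parses the parseable form of dladm show-linkprop; it assumes the "link:property:value" output of "dladm show-linkprop -c -o link,property,value" with "--" meaning unset, and uses a constructed sample in place of live output.

```shell
#!/bin/sh
# Audit VNIC link protection from parseable dladm output.
# Assumed input format: one "link:property:value" line per property, as
# produced by
#   dladm show-linkprop -c -o link,property,value -p protection,allowed-ips
# The value "--" means the property is unset.

# Constructed sample standing in for live dladm output on a few VNICs.
SAMPLE='vnic0:protection:--
vnic0:allowed-ips:--
vnic1:protection:mac-nospoof,restricted
vnic1:allowed-ips:--
vnic2:protection:ip-nospoof
vnic2:allowed-ips:--
vnic3:protection:mac-nospoof,ip-nospoof,restricted
vnic3:allowed-ips:172.16.30.75'

# audit_linkprot reads "link:property:value" lines on stdin and prints one
# finding per line as LINK<TAB>FINDING, sorted. Findings:
#   unprotected                     protection is unset ("--")
#   no-mac-nospoof                  protection set, but mac-nospoof missing
#   ip-nospoof-without-allowed-ips  ip-nospoof set but allowed-ips unset, so
#                                   only DHCP-learned source IPs will pass
audit_linkprot() {
    awk -F: '
        $2 == "protection"  { prot[$1] = $3 }
        $2 == "allowed-ips" { ips[$1]  = $3 }
        END {
            for (l in prot) {
                p = prot[l]
                if (p == "--") { print l "\tunprotected"; continue }
                if (p !~ /(^|,)mac-nospoof(,|$)/) print l "\tno-mac-nospoof"
                if (p ~ /(^|,)ip-nospoof(,|$)/ && (!(l in ips) || ips[l] == "--"))
                    print l "\tip-nospoof-without-allowed-ips"
            }
        }' | sort
}

# Runs the audit over the constructed sample above.
audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_linkprot
}

# On a live Solaris/illumos host you would pipe real output instead:
#   dladm show-linkprop -c -o link,property,value -p protection,allowed-ips | audit_linkprot
```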

Hopefully this has been useful for you all!
