Proxy arp
the return of proxy_arp

Published in: Engineering
  1. PROXY_ARP
     Marian HackMan Marinov <mm@1h.com>
  2. Normal network
  3. Add a router to the bunch
  4. With Containers/VM
     Host Machine, Host Machine
  5. Why not use OpenVswitch, brctl or even MACVLAN
     ● Linux bridge is limited to around 200Mbit/s
     ● OpenVswitch eats a lot of RAM and CPU. When you receive DDoS your whole system goes down
     ● both OpenVswitch and MACVLAN do not allow you to use iptables/ebtables and leak broadcasts
  6. proxy_arp issues
     ● stealing MACs of neighboring machines
       – arptables helps with that
       – static ARP entries speed up the responses and also help with the security
     ● requires static routing for each container/VM
       – but you can solve that with BIRD
     ● gratuitous and unsolicited ARP requests simply don't work
       – that is why I wrote arpsniff: https://github.com/Kyup-com/arpsniff
  7. # arping -I eth0 -U 192.168.0.10
     does not work :(
     # arping -I eth0 -A 192.168.0.10
     does not work :(
  8. Solution - arp stealing
     # arptables -P OUT DROP
     # arptables -I OUT -j ACCEPT -o eth0 -z XX:XX:XX.. -s 192.168.0.100
     # arptables -I OUT -j ACCEPT -o eth0 -z XX:XX:XX.. -s 192.168.0.10
     # arptables -I OUT -j ACCEPT -o veth0
  9. THANK YOUUUU
     Marian HackMan Marinov <mm@1h.com>
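The per-container static route from slide 6 and the arptables OUT whitelist from slide 8, turned into a generator for a host with several containers. This is an added example, not code from the talk or from arpsniff: the proxy_arp sysctls and /32 routes are the standard setup the slides presuppose, and the interface names, MAC and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the talk: print the host-side proxy_arp setup
# (per-container /32 route plus the arptables OUT whitelist of slide 8).
# Usage: proxy_arp_setup UPLINK HOST_MAC HOST_IP "VETH CONTAINER_IP"...
# Only prints the commands; pipe into sh once reviewed.
proxy_arp_setup() {
    uplink="$1"; host_mac="$2"; host_ip="$3"; shift 3
    echo "sysctl -w net.ipv4.ip_forward=1"
    # proxy_arp on the uplink: the host answers ARP for container IPs on the LAN
    echo "sysctl -w net.ipv4.conf.$uplink.proxy_arp=1"
    # the host must still be allowed to ARP for its own address
    echo "arptables -I OUT -j ACCEPT -o $uplink -z $host_mac -s $host_ip"
    for entry in "$@"; do
        veth="${entry%% *}"; ip="${entry##* }"
        # proxy_arp on the veth: the host answers the container's gateway ARP
        echo "sysctl -w net.ipv4.conf.$veth.proxy_arp=1"
        # static routing per container/VM (slide 6): which veth holds this IP
        echo "ip route add $ip/32 dev $veth"
        # on the uplink only our MAC may claim this container IP;
        # every other ARP the host would emit falls through to the DROP policy
        echo "arptables -I OUT -j ACCEPT -o $uplink -z $host_mac -s $ip"
        # ARP between host and container over the veth is unrestricted
        echo "arptables -I OUT -j ACCEPT -o $veth"
    done
    # set the DROP policy last so the whitelist exists before anything is dropped
    # (the slide sets it first, which briefly blocks all ARP from the host)
    echo "arptables -P OUT DROP"
}

# Constructed sample: host 192.168.0.100 on eth0 with two containers
proxy_arp_setup eth0 aa:bb:cc:dd:ee:ff 192.168.0.100 \
    "veth0 192.168.0.10" "veth1 192.168.0.11"
```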