HowTo Configure MAC Anti-Spoofing for VMs over SR-IOV

Version 10

    This post discusses and shows the configuration for MAC anti-spoofing for VMs configured over SR-IOV using ConnectX-4 adapters.

    This feature is supported on MLNX_OFED version 3.3 and later.

    Overview

    Normally a MAC address is unique and fixed; it does not change. MAC address spoofing (MAC spoofing) is the practice of altering a MAC address, for a variety of reasons. In some cases such modifications are legitimate, but in other cases they are attempts to bypass or abuse security mechanisms or to hide an attacker. To protect against MAC address spoofing on VMs, we need a way to check for possible MAC spoofing whenever a VM sends traffic.

    The SR-IOV MAC address anti-spoofing (a.k.a. MAC spoofcheck) feature protects against malicious VM MAC address spoofing.

    When the network administrator assigns a MAC address to a VM from the hypervisor, he or she also configures anti-spoofing for the VF of that VM, which prevents users running the VM from altering the MAC address assigned to that VM.

    Configuration

    As a prerequisite, follow HowTo Configure SR-IOV for ConnectX-4 with KVM (Ethernet). Make sure that you have one VM with a configured MAC address.

    In this example the admin gave the VM located on VF-0 the MAC address 00:22:33:44:55:66.

    Note: By default, spoof checking is disabled (shown as "spoof checking off").

    # ip link show
    ...
    9: ens785f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP mode DEFAULT qlen 1000
        link/ether e4:1d:2d:f2:a4:89 brd ff:ff:ff:ff:ff:ff
        vf 0 MAC 00:22:33:44:55:66, spoof checking off, link-state auto
        vf 1 MAC 00:00:00:00:00:00, spoof checking off, link-state auto
        vf 2 MAC 00:00:00:00:00:00, spoof checking off, link-state auto
        vf 3 MAC 00:00:00:00:00:00, spoof checking off, link-state auto
    ...

    There are two options to enable or disable MAC spoof checking.

    Option 1:

    Use the standard ip link command (supported in kernel version 3.10 and later) to enable MAC anti-spoofing:

    # ip link set ens785f1 vf 0 spoofchk on

    Disable MAC anti-spoofing by turning spoof checking off.

    # ip link set ens785f1 vf 0 spoofchk off

    For other ip link examples, refer to HowTo Set Virtual Network Attributes on a Virtual Function (SR-IOV).

    Option 2:

    Use echo to write ON or OFF to the sysfs file /sys/class/net/<ETH_IF_NAME>/device/sriov/<VF index>/spoofcheck.

    For example, enable spoof checking as follows:

    # echo "ON" > /sys/class/net/ens785f1/device/sriov/0/spoofcheck

    Note: This configuration is not persistent (it does not survive driver restarts).

    Verification

    Once you enable spoof checking, check the configuration on the hypervisor interface using the ip link show command.

    # ip link set ens785f1 vf 0 spoofchk on

    # ip link show
    ...
    9: ens785f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP mode DEFAULT qlen 1000
        link/ether e4:1d:2d:f2:a4:89 brd ff:ff:ff:ff:ff:ff
        vf 0 MAC 00:22:33:44:55:66, spoof checking on, link-state auto
        vf 1 MAC 00:00:00:00:00:00, spoof checking off, link-state auto
        vf 2 MAC 00:00:00:00:00:00, spoof checking off, link-state auto
        vf 3 MAC 00:00:00:00:00:00, spoof checking off, link-state auto
    ...

    To confirm that spoof checking is enforced, change the MAC address inside the VM and make sure that traffic no longer reaches that VM.
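    As an added example (not part of the original post), the following POSIX shell script turns the verification step above into a repeatable audit: it reads the hypervisor's ip link show output, lists every VF that still reports "spoof checking off", warns about the ones that already have a MAC assigned (a VM is bound to them), and prints the matching ip link set ... spoofchk on command from Option 1 for each. The PF name ens785f1 and the embedded sample output are constructed for this example so it runs offline; on a real host, pipe ip link show <PF> into audit_pf.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the VFs of a PF for
# spoof checking that is still off, and emit the ip link commands that
# would enable it. Reads "ip link show <PF>" output on stdin.
# SAMPLE_OUTPUT is constructed (modelled on the post's output) so the
# script runs offline; vf 1 is deliberately assigned a MAC but unprotected.
SAMPLE_OUTPUT='9: ens785f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP mode DEFAULT qlen 1000
    link/ether e4:1d:2d:f2:a4:89 brd ff:ff:ff:ff:ff:ff
    vf 0 MAC 00:22:33:44:55:66, spoof checking on, link-state auto
    vf 1 MAC 00:aa:bb:cc:dd:01, spoof checking off, link-state auto
    vf 2 MAC 00:00:00:00:00:00, spoof checking off, link-state auto'

# Indices of all VFs whose line reports "spoof checking off", one per line.
# Matching on the phrase (not a field position) keeps this robust when
# iproute2 prints extra attributes such as vlan or trust on the same line.
vfs_without_spoofchk() {
    awk '/^[[:space:]]*vf [0-9]+ / && /spoof checking off/ { print $2 }'
}

# Same, restricted to VFs that already carry a non-zero MAC, i.e. VFs a VM
# is likely bound to; an all-zero MAC means no VM MAC was assigned yet.
# Field 4 is the MAC with its trailing comma, e.g. "00:22:33:44:55:66,".
assigned_vfs_without_spoofchk() {
    awk '/^[[:space:]]*vf [0-9]+ / && /spoof checking off/ &&
         $4 != "00:00:00:00:00:00," { print $2 }'
}

# Print one "ip link set <PF> vf <n> spoofchk on" per unprotected VF.
remediation_commands() {
    pf="$1"
    vfs_without_spoofchk | while read -r idx; do
        printf 'ip link set %s vf %s spoofchk on\n' "$pf" "$idx"
    done
}

# Full audit: warnings for assigned-but-unprotected VFs, then the fixes
# for every unprotected VF. Live usage:  ip link show ens785f1 | audit_pf ens785f1
audit_pf() {
    pf="$1"
    out=$(cat)   # capture stdin once so it can be scanned twice
    printf '%s\n' "$out" | assigned_vfs_without_spoofchk \
        | awk -v pf="$pf" '{ print "WARN: " pf " vf " $1 " has a MAC assigned but spoof checking off" }'
    printf '%s\n' "$out" | remediation_commands "$pf"
}

printf '%s\n' "$SAMPLE_OUTPUT" | audit_pf ens785f1
```

    Because the check keys on the literal "spoof checking off" text rather than a column position, it tolerates the additional per-VF attributes newer iproute2 versions print; the remediation lines are printed rather than executed so the operator can review them before applying.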