Prevent IP Address Stealing

[justinestruch]

Hello I am wondering if there is a way to prevent instances from stealing or using IP addresses that are not assigned to the instance by cloudstack? For example, I tested by creating a new shared network with Public ips in the 1.1.1.x/24 range. I then created an instance and assigned it to this network. The instance was assigned 1.1.1.5. Then on the instance I manually assigned 1.1.1.6 and this worked fine.

I'm looking for a way to stop this with some sort of arp watch or ip source guard. This is a major concern as customers could steal each other's public IPs which is not good. I'm using Cloudstack 4.20.1 with Vmware Vcenter and esxi 8.0U3. Thanks.

[kiranchavala]

@justinestruch i think this is beyond cloudstack control as it user driven operation

There is a quarantine feature in Cloudstack, if you are interested to block certain public ip address

#7369
#7378

[justinestruch]

Hi @kiranchavala thanks for this but I'm looking more for a feature that @rajujith mentioned.

[rajujith]

@justinestruch If you use a shared network & security group, anti-IP spoofing is a standard feature, but you need to use KVM.

https://docs.cloudstack.apache.org/en/4.20.1.0/adminguide/networking/security_groups.html , https://www.youtube.com/watch?v=NU1b7x2HO_E

[justinestruch]

Hi @rajujith thank you the anti Ip spoofing with security groups looks to be exactly what I was looking for. Too bad it doesn't work with VMware. I'll keep researching but I don't think ESXI has this feature natively unless you use NSX which we are not.