@Tristan, the antispoofing rules (prior to 299021 which just merged) has permitted a number of types of spoofing attacks:
1. Source MAC spoofing -- this could allow an attacker to cause physical and virtual switches to learn an incorrect destination of MAC addresses allowing an attacker to intercept traffic destine to another instance on the local Neutron network. In the case of a shared multi-tenant network this allowed cross tenant traffic inception.
2. Source IP spoofing in IPv4 DHCP requests -- I'm not aware of an attack which would permit accessing another instances traffic, but could be used to mask the source of a DoS attack.
3. Source IP spoofing of IPv6 DHCP requests -- same as #2.
4. Source IP spoofing of ICMPv6 traffic -- this could allow an attacker to participate in neighbor discovery on the behalf of any other host on the local network, allowing it to receive traffic destine to another instance on the local Neutron network. Same multi tenant concerns as #1.
@Tristan, the antispoofing rules (prior to 299021 which just merged) has permitted a number of types of spoofing attacks:
1. Source MAC spoofing -- this could allow an attacker to cause physical and virtual switches to learn an incorrect destination of MAC addresses allowing an attacker to intercept traffic destine to another instance on the local Neutron network. In the case of a shared multi-tenant network this allowed cross tenant traffic inception.
2. Source IP spoofing in IPv4 DHCP requests -- I'm not aware of an attack which would permit accessing another instances traffic, but could be used to mask the source of a DoS attack.
3. Source IP spoofing of IPv6 DHCP requests -- same as #2.
4. Source IP spoofing of ICMPv6 traffic -- this could allow an attacker to participate in neighbor discovery on the behalf of any other host on the local network, allowing it to receive traffic destine to another instance on the local Neutron network. Same multi tenant concerns as #1.