Wednesday, 5 October 2011

vSwitch Networking Security Testing - Part 2 MAC Address Changes

In ESXi 5.0 networking security, each vSwitch (and each port group on it, which can override the vSwitch setting) has the following Security Policy tab:


  • Promiscuous Mode: Accept or Reject
  • MAC Address Changes: Accept or Reject
  • Forged Transmits: Accept or Reject
In part 2 of this test lab, I am exploring the MAC Address Changes setting and the effect of setting it to Accept or Reject.

A Windows 2008 R2 Server VM is installed on the ESXi 5.0 server and a port group is created for this VM.


Under the help menu of "Edit Security Policy for a vSphere Standard Switch", it states the difference between these two settings:
  • MAC Address Changes
    • Reject - If you set the MAC Address Changes to Reject and the guest operating system changes the MAC address of the adapter to anything other than what is in the .vmx configuration file, all inbound frames are dropped.
      If the guest OS changes the MAC address back to match the MAC address in the .vmx configuration file, inbound frames are passed again.
    • Accept - Changing the MAC address from the guest OS has the intended effect: frames to the new MAC address are received.

  • Forged Transmits
    • Reject - Any outbound frame with a source MAC address that is different from the one currently set on the adapter is dropped.
    • Accept - No filtering is performed and all outbound frames are passed.
After reading this, I am totally confused.  My understanding of the statement is that if you change the MAC address of the guest VM's vNIC, "MAC Address Changes: Reject" drops inbound traffic and "Forged Transmits: Reject" drops outbound traffic.

The confusion is: inbound and outbound with reference to where, or from which perspective?  Having done networking for so many years, I came to understand that when we talk about "inbound" and "outbound" traffic, we must think like a router or switch.  If I am a router, any traffic that comes into me is "inbound" traffic, whichever interface it arrives on.  The same goes for any traffic that leaves me, which is "outbound" traffic, whichever interface it leaves on.  The same applies if you are a server.

But in the case of a server, its "inbound" traffic is the physical switch's "outbound" traffic, and the server's "outbound" traffic is the physical switch's "inbound" traffic.  When we read the traffic, we have to know where we stand: inside the server or inside the switch.  That is what I call perspective.

The problem with the above statement is that it does not say from which perspective "inbound" and "outbound" are meant: from the virtual machine or from the virtual switch.
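To pin the perspective question down, here is an added example (Python, not part of the original post) that encodes the two help-text rules above as a small model.  It assumes, as VMware's own description does, that "inbound" means frames delivered from the vSwitch to the vNIC and "outbound" means frames the guest sends through the vNIC towards the vSwitch, and that when MAC Address Changes is Reject the host does not honour the guest's request, so the adapter's effective MAC stays the address from the .vmx.  The class and function names are my own.

```python
from dataclasses import dataclass


def norm(mac: str) -> str:
    """Canonical form so 00-50-56-85-2B-EE and 00:50:56:85:2b:ee compare equal."""
    return mac.strip().replace("-", ":").lower()


@dataclass(frozen=True)
class SecurityPolicy:
    mac_changes: bool       # True = Accept, False = Reject
    forged_transmits: bool  # True = Accept, False = Reject


@dataclass(frozen=True)
class VNic:
    vmx_mac: str    # ethernet0.generatedAddress in the .vmx (the initial MAC)
    guest_mac: str  # the MAC the guest OS has set on the adapter

    def effective_mac(self, policy: SecurityPolicy) -> str:
        # Assumption taken from VMware's description: with MAC Address Changes
        # set to Reject the host does not honour the guest's request, so the
        # effective address stays the initial (.vmx) address.
        return norm(self.guest_mac) if policy.mac_changes else norm(self.vmx_mac)


def inbound_passes(policy: SecurityPolicy, nic: VNic) -> bool:
    """Inbound = vSwitch -> vNIC.  MAC Address Changes: Reject drops every
    inbound frame while the guest MAC differs from the .vmx MAC."""
    if policy.mac_changes:
        return True
    return norm(nic.guest_mac) == norm(nic.vmx_mac)


def outbound_passes(policy: SecurityPolicy, nic: VNic, src_mac: str) -> bool:
    """Outbound = vNIC -> vSwitch.  Forged Transmits: Reject drops any frame
    whose source MAC is not the adapter's effective MAC."""
    if policy.forged_transmits:
        return True
    return norm(src_mac) == nic.effective_mac(policy)


def predict(policy: SecurityPolicy, nic: VNic) -> dict:
    """Outcome for a guest that sends with its own (possibly changed) MAC."""
    return {
        "inbound": inbound_passes(policy, nic),
        "outbound": outbound_passes(policy, nic, nic.guest_mac),
    }


if __name__ == "__main__":
    # Constructed sample: the two addresses used in this post.
    nic = VNic(vmx_mac="00:50:56:85:2b:28", guest_mac="00:50:56:85:2b:EE")
    cases = {
        "both Accept": SecurityPolicy(True, True),
        "MAC Changes Reject, Forged Transmits Accept": SecurityPolicy(False, True),
        "MAC Changes Accept, Forged Transmits Reject": SecurityPolicy(True, False),
        "both Reject": SecurityPolicy(False, False),
    }
    for name, policy in cases.items():
        print(f"{name:45s} {predict(policy, nic)}")
```

Run as-is it prints the verdict for the four policy combinations with the changed address.  Under these rules, MAC Address Changes: Accept with Forged Transmits: Reject still passes frames from the changed address, because the accepted address has become the adapter's effective address, while both Reject blocks both directions.  The test results further down can be compared against this reading of the help text.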

In any case, I am doing some tests to find out.




Test Environment and Verification

In the network settings of the VM, it states that my current MAC address is 00:50:56:85:2b:28.



By downloading the .vmx of the virtual machine, it states that ethernet0.generatedAddress is 00:50:56:85:2b:28.

By running ipconfig /all in my virtual machine, it states that the physical address of the adapter is 00:50:56:85:2b:28.




Changing the Virtual Machine MAC Address

Changing the virtual machine MAC address to 00:50:56:85:2b:EE.


Verify that the MAC Address has changed.
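The verification above (MAC in the VM settings, ethernet0.generatedAddress in the .vmx, Physical Address in ipconfig /all) can be scripted.  The following is an added example, not code from the original post: it parses the .vmx and the ipconfig /all output and reports every guest adapter whose MAC no longer matches what the .vmx holds, which are exactly the adapters the MAC Address Changes policy acts on.  The sample .vmx and ipconfig text are constructed here (they reuse the two addresses from this post); a static-address vNIC (ethernetN.addressType = "static" with ethernetN.address) and an 8-byte ISATAP tunnel address are included to show that both are handled.

```python
import re

# Constructed samples (not captured from the post's lab): the .vmx lines and
# the `ipconfig /all` lines a reader would see after the MAC change above.
SAMPLE_VMX = '''\
ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000"
ethernet0.networkName = "VM Network"
ethernet0.addressType = "vpx"
ethernet0.generatedAddress = "00:50:56:85:2b:28"
ethernet1.present = "TRUE"
ethernet1.addressType = "static"
ethernet1.address = "00:50:56:00:00:01"
'''

SAMPLE_IPCONFIG = '''\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN2008R2

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-85-2B-EE
   DHCP Enabled. . . . . . . . . . . : No

Ethernet adapter Local Area Connection 2:

   Physical Address. . . . . . . . . : 00-50-56-00-00-01

Tunnel adapter isatap.example:

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
'''

VMX_RE = re.compile(r'^(ethernet\d+)\.(address|generatedAddress|addressType)\s*=\s*"([^"]*)"', re.M)
# Exactly six octets; the negative lookahead rejects 8-byte tunnel addresses.
MAC_RE = re.compile(r"Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})(?!-)")


def norm(mac: str) -> str:
    """Canonical form so 00-50-56-85-2B-EE and 00:50:56:85:2b:ee compare equal."""
    return mac.strip().replace("-", ":").lower()


def parse_vmx_macs(vmx_text: str) -> dict:
    """Return {'ethernet0': mac, ...}: the MAC ESXi considers the initial one."""
    entries = {}
    for nic, key, value in VMX_RE.findall(vmx_text):
        entries.setdefault(nic, {})[key] = value
    macs = {}
    for nic, cfg in entries.items():
        # A static address lives in ethernetN.address; otherwise ESXi records
        # the generated/assigned one in ethernetN.generatedAddress.
        key = "address" if cfg.get("addressType", "").lower() == "static" else "generatedAddress"
        if key in cfg:
            macs[nic] = norm(cfg[key])
    return macs


def parse_ipconfig_macs(text: str) -> dict:
    """Return {adapter heading: mac} from `ipconfig /all` output."""
    macs = {}
    adapter = None
    for line in text.splitlines():
        # Adapter headings are unindented and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter = line.strip().rstrip(":")
            continue
        m = MAC_RE.search(line)
        if m and adapter:
            macs[adapter] = norm(m.group(1))
    return macs


def find_changed_macs(vmx_macs: dict, guest_macs: dict) -> dict:
    """Guest adapters whose MAC matches none of the .vmx addresses: these are
    the ones MAC Address Changes: Reject will cut off."""
    configured = set(vmx_macs.values())
    return {name: mac for name, mac in guest_macs.items() if mac not in configured}


if __name__ == "__main__":
    changed = find_changed_macs(parse_vmx_macs(SAMPLE_VMX), parse_ipconfig_macs(SAMPLE_IPCONFIG))
    for name, mac in changed.items():
        print(f"{name}: guest MAC {mac} is not in the .vmx")
```

Run against a real .vmx (downloaded from the datastore) and the pasted ipconfig /all output, the script lists the adapters that will lose inbound frames under MAC Address Changes: Reject.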




Test Result
After changing the MAC address of the virtual machine, the virtual machine's network stops responding.


Rebooted the virtual machine and the network is still not responding.  Noted the following behaviour:
  • The network media state is Enabled
  • Network packets are still being sent by the virtual machine
  • No network packets are received by the virtual machine.



Conclusion on MAC Address Changes

Using Wireshark, nothing is captured.  But when I ping from the VM to its default gateway, the following is captured.


Yes, to the operating system the packet is sent, but it did not get out of the vNIC.  When I sniff on the vSwitch, the ping packet is not captured.  Hence, we can conclude that the packet did not get out of the vNIC.

To test further, I changed Promiscuous Mode to Accept while MAC Address Changes is set to Reject and Forged Transmits is set to Accept.  No packet is captured.  Hence, we can conclude that no external traffic is entering the vNIC either.


To recap the statement on MAC Address Changes

  • Reject - If you set the MAC Address Changes to Reject and the guest operating system changes the MAC address of the adapter to anything other than what is in the .vmx configuration file, all inbound frames (from external towards the vNIC) are dropped.

    All outbound frames from the guest operating system will be transmitted (from the guest operating system's perspective) but will be dropped by the vNIC/vSwitch!
The second paragraph is my additional remark (shown in red in the original) to correct the statement.

My conclusion is: "if you set the MAC Address Changes to Reject and the guest operating system changes the MAC address of the adapter to anything other than what is in the .vmx configuration file, all traffic originating from the guest operating system and all external traffic towards the guest operating system's vNIC will be dropped by the vNIC/vSwitch that the virtual machine is connected to".


Changing the Forged Transmit to Reject

By changing Forged Transmits to Reject and changing the virtual machine MAC address, the following is observed.
  • The network media state is Enabled.
  • No network packets can be sent from the virtual machine.
  • No network packets are received by the virtual machine.




Conclusion on Forged Transmit to Reject


Using Wireshark, some network broadcast packets are captured.  Yes, this means that external traffic from the vSwitch to the vNIC is not blocked.  And the reason the Received counter still points at 120 is that these broadcast packets are not addressed to the guest operating system, hence they are not counted in the guest operating system's Received counter (in bytes).



Did a ping test and managed to capture the ping in the guest vNIC.


Did a sniff at the vSwitch level.  Did not observe the ping packet.  Therefore, the packet never reached the vSwitch.


To recap the statement on Forged Transmits
  • Reject - Any outbound frame with a source MAC address that is different from the one currently set on the adapter is dropped at the vNIC.

    Outbound frame refers to a frame sent out from the guest operating system to the vSwitch.

Test Summary

I don't understand why VMware implemented "MAC Address Changes" and "Forged Transmits" as two separate settings, which creates some confusion.  I think if both were combined into a single "MAC Address Changes" setting, the picture would be clearer.  But too bad, for now we will have to live with both.

What most people will do if they change the MAC address of the guest operating system from the default (auto-generated) one is set both settings to Accept.  It is a fact that both must be set to Accept for any MAC address change to work.  So if that is the case, why split the traffic into inbound and outbound?  Maybe there are some other applications of this implementation that require one setting to be Accept and the other Reject.  But I just can't think of any.

I can't tell in this case which component drops the traffic.  It could be the vNIC and it could be the vSwitch.  I can only figure out that it happens somewhere between the vNIC and the vSwitch.
      guest OS <a----b>  vNIC <c-----d>  vSwitch <e----f> pNIC

The traffic is dropped either at point "c" or at point "d".  If it is dropped at point "c", that means the vNIC drops the packet.  If it is dropped at point "d", it means the vSwitch drops the packet.  I can't prove this further as there is no way I could sniff the traffic between points c and d.

Nevertheless, be it point c or point d, based on my test we are able to draw some conclusions from the behaviour.

When MAC Address Changes is set to Reject, and the MAC address is different from the one set on the adapter by the .vmx file:
  • all outgoing traffic from the guest operating system is dropped.
  • all incoming traffic to the guest operating system is dropped.
  • the guest vNIC is still enabled and connected.
When Forged Transmits is set to Reject, and the MAC address is different from the one set on the adapter by the .vmx file:
  • all outgoing traffic from the guest operating system is dropped.
  • all incoming traffic to the guest operating system is accepted.
  • the guest vNIC is still enabled and connected.

In short,

MAC Address Changes set to Reject - vNIC drops all traffic.
Forged Transmits set to Reject    - vNIC drops outgoing traffic only.

1 comment:

  1. Hi

    I did the same thing you did here.

    In my case, Forged Transmit set to Reject = vNIC drops all traffic
