Is private networking secure against ARP/IP spoof attacks?

October 26, 2017
Networking Security

I'm wondering whether I can expect private networking to protect against ARP spoofing attacks (whether it's validating that no one is claiming an IP that isn't theirs on the eth1 network).

On the plus side, on AMS3 I don't see any ARP requests for other hosts being broadcast when I'm listening to the private network - I only see direct requests. This tells me that there's at least some sort of filtering in place.

On the minus side, there are posts like https://www.peerlyst.com/posts/arp-spoofing-docker-containers-philippe-bogaerts - I'm not about to replicate that without requesting permission first, but it looks like the filtering isn't perfect.

There are a lot of posts out there recommending setting up iptables for the DO private network, which is sound advice in itself, but will not suffice if ARP spoofing is possible, as you can't trust an IP address on the local subnet if people can mess with ARP. DO itself seems to recommend iptables, so you would think they assume ARP to be secure, but then there's the peerlyst.com guy's article.

So my question is:

  • Does DO actively try to prevent ARP spoofing on the private network? (Can I trust IP/ARP mapping)
  • Does DO promise to prevent ARP spoofing where possible, or is it more a 'reasonable effort' thing?

I think the bottom line is: either we can trust the ARP filtering, and then iptables are good enough. Or we can't, and the Internet should just delete all articles about private networking & firewalls, and just tell us to move completely to VPNs or other forms of encrypted + authenticated traffic, even on the private networks.

PS: I've read https://www.digitalocean.com/community/questions/how-secure-is-private-networking but that question appears to be about whether the private network is like a VPC/private VPN - but that's not my concern, I'm okay with the private network being shared and unfiltered at the IP level.

1 Answer
unilynx December 12, 2017
Accepted Answer

Well, just got http://pages.news.digitalocean.com/n/NI000ELV0016F2D0zXN0d36 in my mail. Guess this should resolve my concerns next February.
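
The question turns on whether an IP-to-MAC mapping on eth1 can be trusted when firewall rules are keyed on a neighbour's private IP. As an added example (not part of the original thread), the following checks a neighbour-table snapshot in `ip neigh show` format against pinned bindings; the addresses, MACs and function names are constructed for illustration.

```python
"""Audit an `ip neigh show` snapshot against pinned IP->MAC bindings."""

# Constructed sample data: every address and MAC below is made up.
PINNED = {
    "10.133.0.5": "04:01:aa:bb:cc:01",
    "10.133.0.6": "04:01:aa:bb:cc:02",
}
SAMPLE_NEIGH = """\
10.133.0.5 dev eth1 lladdr 04:01:aa:bb:cc:01 REACHABLE
10.133.0.6 dev eth1 lladdr 04:01:de:ad:be:ef STALE
10.133.0.7 dev eth1 lladdr 04:01:de:ad:be:ef REACHABLE
10.133.0.9 dev eth1  FAILED
10.133.0.5 dev eth0 lladdr 00:00:00:00:00:01 REACHABLE
"""


def parse_neigh(text, dev="eth1"):
    """Return {ip: mac} for resolved entries on `dev`."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1] != "dev" or fields[2] != dev:
            continue  # other interface or malformed line
        if "lladdr" not in fields:
            continue  # FAILED/INCOMPLETE entry: no MAC to compare
        idx = fields.index("lladdr")
        if idx + 1 < len(fields):
            table[fields[0]] = fields[idx + 1].lower()
    return table


def audit(table, pinned):
    """Return sorted (kind, ip(s), mac) findings.

    "mismatch": a pinned IP currently resolves to a different MAC.
    "shared-mac": one MAC answers for several IPs. This can be legitimate
    (a gateway, a multi-homed host), so treat it as a lead to review.
    """
    findings = []
    by_mac = {}
    for ip, mac in table.items():
        want = pinned.get(ip)
        if want is not None and mac != want.lower():
            findings.append(("mismatch", ip, mac))
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("shared-mac", ",".join(sorted(ips)), mac))
    return sorted(findings)


if __name__ == "__main__":
    for kind, ip, mac in audit(parse_neigh(SAMPLE_NEIGH), PINNED):
        print(f"{kind}: {ip} -> {mac}")
```

A check like this only observes the local neighbour cache; it does not replace encrypted and authenticated transport between hosts.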
