8

This question is inspired by the VPS that I rent from OVH. The OS installation was automatic, and the IP already configured. However, as I have root access, I could change the IP to another, possibly conflicting with another host on the local network, which would cause them packet loss. I imagine that OVH has some form of protection against this, both to protect other VPS and to be able to sell extra IP addresses. The same question could be asked about physically hosted servers; it's not specifically about VPS.

How do the datacenter administrators ensure that each hosted server can't use an IP address other than the one allocated?

user153991
  • 2
    `I could change the IP to another, possibly conflicting with another host on the local network` - Surely they use VLANs and other mechanisms to isolate one customer from another. So changing the IP address would only impact your services and not the services of another customer. – joeqwerty Jun 15 '20 at 13:25

1 Answer

11

Public cloud providers usually use some form of Port Security to protect against this.

This means that only traffic with the allocated IP + MAC address pair(s) will be allowed onto the network.

For virtualized servers, this security is usually applied on the physical host (i.e. the one hosting the virtualized server).

For bare-metal hosting, this security may be applied to the physical switch(es).

For reference, consider OpenStack's anti-spoofing implementation: https://www.packetflow.co.uk/openstack-neutron-port-security-explained/

Joshua Griffiths
  • `only traffic with the allocated IP + MAC address pair(s)` plus the physical port on the switch, I guess? Otherwise I could spoof with the IP and the MAC, but you can't pretend to be connected to another port on the switch. – user153991 Jun 15 '20 at 14:11
  • That's right; 'Port Security' is applied to the physical or virtual port in question, so, for a hardware switch, this security mechanism would be applied to the physical port. – Joshua Griffiths Jun 15 '20 at 15:25
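
The per-port IP + MAC check described in the answer and comments above, sketched as an added example (not part of the original posts and not OpenStack's code). The port names, addresses, the `permit` function and the frame builders are constructed for illustration; untagged IPv4 and ARP only, everything else is dropped.

```python
import socket
import struct

# Constructed allow-list: ingress port -> (MAC, IPv4) pairs allocated to that port.
ALLOWED = {
    "tap-vm1": {("fa:16:3e:00:00:01", "203.0.113.10")},
    "tap-vm2": {("fa:16:3e:00:00:02", "203.0.113.20")},
}
ETH_IPV4, ETH_ARP = 0x0800, 0x0806


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def permit(port: str, frame: bytes) -> bool:
    """True only if a frame entering on `port` carries a pair allocated to it."""
    if len(frame) < 14:
        return False
    src_mac = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if ethertype == ETH_IPV4 and len(payload) >= 20:
        src_ip = payload[12:16]            # IPv4 source address field
    elif ethertype == ETH_ARP and len(payload) >= 28:
        # The ARP sender hardware address must agree with the Ethernet source,
        # otherwise a host could advertise someone else's MAC/IP binding.
        if payload[8:14] != src_mac:
            return False
        src_ip = payload[14:18]            # ARP sender protocol address
    else:
        return False                       # default deny (simplification)
    pair = (src_mac.hex(":"), socket.inet_ntoa(src_ip))
    return pair in ALLOWED.get(port, set())


def ipv4_frame(src_mac: str, src_ip: str, dst_ip: str = "198.51.100.1") -> bytes:
    """Build a constructed Ethernet + bare IPv4 header for testing the filter."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\xff" * 6 + mac_bytes(src_mac) + struct.pack("!H", ETH_IPV4) + ip


def arp_frame(eth_mac: str, sender_mac: str, sender_ip: str) -> bytes:
    """Build a constructed ARP reply; Ethernet source and ARP sender may differ."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2, mac_bytes(sender_mac),
                      socket.inet_aton(sender_ip), b"\0" * 6,
                      socket.inet_aton("203.0.113.1"))
    return b"\xff" * 6 + mac_bytes(eth_mac) + struct.pack("!H", ETH_ARP) + arp
```

Because the allow-list is keyed by ingress port, a frame that copies another tenant's MAC and IP is still dropped when it arrives on the wrong port, which is the point raised in the comments.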