About IP spoofing checks

IBM Cloud® Virtual Private Cloud includes an IP spoofing check on each network interface of a virtual service instance to ensure that traffic that's coming from that network interface includes appropriate addressing.

Disabling IP spoofing checks allows traffic to pass through the network interface, instead of terminating at the network interface. If you are using the instance as a "next hop", the instance's network interfaces must allow IP spoofing. For example, if you are using a custom load balancer instance, you must set allow_ip_spoofing for traffic to reach the instance.

Traffic can be dropped at two points in the check:

Incoming traffic is checked to make sure it is addressed to the selected network interface. Traffic is dropped if its destination address does not match the selected network interface address.
Outgoing traffic is checked to verify that the content comes from the selected network interface address. Traffic from the selected network interface is dropped if its source address does not match the selected network interface address.

Figure showing unsuccessful traffic flow to and from a virtual server instance — Unsuccessful IP spoofing check

Figure showing successful traffic flow to and from a virtual server instance — Successful IP spoofing check

Only operators with IP Spoofing Operator Identity and Access Management (IAM) privileges can enable or disable the IP spoofing check on the interfaces within a VPC. Ingress and egress IP Spoofing checks are enabled by default.

Enabling IP spoofing checks

After a virtual server instance is created, a network administrator with the IP Spoofing Operator role in IAM can update the network interface to enable or disable the IP spoofing check.

The IAM IP Spoofing Operator is disabled by default for all users.

For more information about IAM permissions, see Managing IAM access for VPC Infrastructure Services.

To enable IP spoofing in the console, take the following steps:

Go to Manage > Access (IAM) in the horizontal navigation bar of your instance.
Select Users in the Manage identities section and choose the user that you want to grant the IP spoofing role.
In the Access policies tab, click Assign access.
Select the Access policy tile.
Select "VPC Infrastructure Services" in the Service section.
Select "All" in the Resources section.
Check "IP Spoofing Operator" in the Roles and actions section.
Click Add.

To enable IP spoofing from the CLI, run the following command:

ibmcloud iam user-policy-create YOUR_USER_EMAIL_ADDRESS --roles "IP Spoofing Operator" --service-name is

Understanding the risks

When you allow IP spoofing on your network interface, consider the potential security risks that are involved. Anyone with the IP Spoofing Operator role not only has permission to enable virtual network appliances, but they can configure an instance to send traffic on behalf of another instance, too. This configuration increases the chance of situations where the platform might be attacked due to the action of an uneducated or malicious user.

Be cautious when you assign the IP Spoofing Operator role to users.

Alerting for IP spoofing events

When IP spoofing is modified on a network interface, an activity tracking log is generated.

Auditing events that are generated by VPC resources are automatically forwarded to the IBM Cloud Activity Tracker service instance that is available in the same location. The service can route the events to a target storage location that you define. The target can be an IBM Cloud Object Storage (COS) target, an IBM Cloud Logs target, or an IBM® Event Streams for IBM Cloud® target. For more information, see Getting started with IBM Cloud Activity Tracker Event Routing.

You can use IBM Cloud Logs to [visualize] and [alert] on events that are generated in your account and routed by IBM Cloud Activity Tracker Event Routing to an IBM Cloud Logs instance. For information on accessing the IBM Cloud Logs UI, see Navigating to the UI in the IBM Cloud Logs documentation.