[libvirt] [PATCH 9/9] add DHCP snooping support to nwfilter

Daniel P. Berrange berrange at redhat.com
Thu May 12 08:01:05 UTC 2011


On Tue, May 10, 2011 at 08:25:13AM -0700, David Stevens wrote:
> "Daniel P. Berrange" <berrange at redhat.com> wrote on 05/10/2011 02:28:25 AM:
> 
> > On Mon, May 09, 2011 at 01:12:10PM -0700, David L Stevens wrote:
> > > This patch removes remaining pieces of IP address learning.
> > 
> > Do we actually want to do this?  This is effectively causing a
> > regression in functionality for anyone who's relying on the
> > current IP learning support, but who does not use DHCP.
> 
>         I think there is no security at all in believing a guest's notion
> of what its own IP address is. Static addresses can still be used, but
> I don't see the point of allowing a guest to choose which address it
> can use (including a spoof address) and doing any filtering at all.

It provides some limited security, against the scenario where a running
guest gets compromised at some point, i.e. it was honest when it initially
booted and acquired its IP. While this isn't as strong as a DHCP based
check, this may still be enough for some people. I'm just not at all
happy with the idea that we'll delete existing functionality here and
replace it with something that, while better, does not apply in all the
scenarios that the old functionality applied in. We're already shipping
this in RHEL for example, and so removing this will mean we can't update
RHEL to newer nwfilter code, or we'll have to patch it manually to re-add
the code.

>         I didn't include it in this set, but implicit in using DHCP
> snooping is having a list of trusted DHCP servers. As that is just
> an ordinary filter addition in examples with no (non-XML) code
> changes, I thought I'd get this discussion kicked off first.
>         Patches I had in mind but didn't include here:
> 
> p10 - add support for multiple MAC addresses via comma-separated lists
>       (e.g., support '54:0:0:0:0:0:1,54:1:2:3:4:5' as a MAC specification)
> p11 - add support for multiple static IP addresses via comma-separated lists
> p12 - add a filter in examples/xml/nwfilter for dropping DHCP server
>       traffic not in a trusted list.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
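An added illustration, not part of this thread or of libvirt's shipped examples, of what the "trusted DHCP server" filter sketched as p12 could look like in nwfilter XML; the filter name, rule priorities, the DHCPSERVER variable name and the server address 192.168.122.1 are assumptions:

```xml
<!-- Constructed example: accept DHCP server replies only from the server
     named in $DHCPSERVER and drop any other traffic that claims to come
     from a DHCP server port (i.e. a rogue server on the same bridge). -->
<filter name='drop-untrusted-dhcp-server' chain='ipv4' priority='-700'>
  <!-- Guest -> server: DISCOVER/REQUEST from client port 68 to server port 67.
       No srcipaddr constraint, so both initial (0.0.0.0) and renewal traffic pass. -->
  <rule action='accept' direction='out' priority='100'>
    <ip protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <!-- Server -> guest: OFFER/ACK accepted only when sent by the trusted server.
       Lower priority value is evaluated first, so this precedes the drop rule. -->
  <rule action='accept' direction='in' priority='200'>
    <ip srcipaddr='$DHCPSERVER' protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
  <!-- Any other host answering from the DHCP server port is dropped. -->
  <rule action='drop' direction='in' priority='300'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
</filter>

<!-- In the domain's <interface> element, bind the trusted server address
     (assumed value) to the variable the filter references. -->
<interface type='bridge'>
  <source bridge='virbr0'/>
  <filterref filter='drop-untrusted-dhcp-server'>
    <parameter name='DHCPSERVER' value='192.168.122.1'/>
  </filterref>
</interface>
```

The accept rule for outbound client traffic is what keeps the guest able to obtain a lease at all; without it the drop rule alone would not block rogue offers but the guest would also never see legitimate ones in a default-deny setup.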