
Re: [libvirt] [PATCH 9/9] add DHCP snooping support to nwfilter



On Tue, May 10, 2011 at 08:25:13AM -0700, David Stevens wrote:
> "Daniel P. Berrange" <berrange redhat com> wrote on 05/10/2011 02:28:25 AM:
> 
> > On Mon, May 09, 2011 at 01:12:10PM -0700, David L Stevens wrote:
> > > This patch removes remaining pieces of IP address learning.
> > 
> > Do we actually want to do this?  This is effectively causing a
> > regression in functionality for anyone who's relying on the
> > current IP learning support, but who does not use DHCP.
> 
>         I think there is no security at all in believing a guest's notion
> of what its own IP address is. Static addresses can still be used, but
> I don't see the point of allowing a guest to choose which address it
> can use (including a spoof address) and doing any filtering at all.

It provides some limited security, against the scenario where a running
guest gets compromised at some point, i.e. it was honest when it initially
booted and acquired its IP. While this isn't as strong as a DHCP based
check, this may still be enough for some people. I'm just not at all
happy with the idea that we'll delete existing functionality here and
replace it with something that, while better, does not apply in all the
scenarios that the old functionality applied in. We're already shipping
this in RHEL for example, and so removing this will mean we can't update
RHEL to newer nwfilter code, or we'll have to patch it manually to re-add
the code.

>         I didn't include it in this set, but implicit in using DHCP
> snooping is having a list of trusted DHCP servers. As that is just
> an ordinary filter addition in examples with no (non-XML) code
> changes, I thought I'd get this discussion kicked off first.
>         Patches I had in mind but didn't include here:
> 
> p10 - add support for multiple MAC addresses via comma-separated lists
>         (e.g., support '54:0:0:0:0:0:1,54:1:2:3:4:5' as a MAC specification)
> p11 - add support for multiple static IP addresses via comma-separated
>         lists
> p12 - add a filter in examples/xml/nwfilter for dropping DHCP server
>         traffic not in a trusted list.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
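For the trusted-DHCP-server filter David sketches as p12 above, here is an added example of what such an nwfilter rule set could look like; it is written for this page and is not code from libvirt or from either author. The filter name, the DHCPSERVER variable name and the server address 192.168.122.1 are assumptions. The filter accepts the guest's own outbound DHCP client request, accepts DHCP server replies only from the address bound to $DHCPSERVER, and drops any other inbound traffic that looks like a DHCP server (UDP source port 67 to destination port 68), so a rogue server on the same bridge cannot hand the guest an address that later passes the snooped-IP check:

```xml
<!-- Added example (not libvirt's own filter). Lower priority values are
     evaluated first, so the two accept rules win over the final drop. -->
<filter name='drop-untrusted-dhcp-server' chain='ipv4'>
  <!-- the guest's DHCP client request: 0.0.0.0:68 -> 255.255.255.255:67 -->
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255'
        protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <!-- replies from the trusted server bound to $DHCPSERVER (assumed name) -->
  <rule action='accept' direction='in' priority='100'>
    <ip srcipaddr='$DHCPSERVER' protocol='udp'
        srcportstart='67' dstportstart='68'/>
  </rule>
  <!-- every other DHCP server reply is dropped -->
  <rule action='drop' direction='in' priority='200'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
</filter>

<!-- Referencing the filter from a domain's interface and binding the
     trusted server address (192.168.122.1 is a constructed value): -->
<interface type='bridge'>
  <source bridge='virbr0'/>
  <filterref filter='drop-untrusted-dhcp-server'>
    <parameter name='DHCPSERVER' value='192.168.122.1'/>
  </filterref>
</interface>
```

For more than one trusted server, repeat the inbound accept rule with a distinct variable for each server and bind all of them in the filterref.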
