"Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote on 05/10/2011 02:28:25 AM:

> From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
> To: David Stevens/Beaverton/IBM@IBMUS
> Cc: libvirt-list@xxxxxxxxxx
> Date: 05/10/2011 02:32 AM
> Subject: Re: [PATCH 9/9] add DHCP snooping support to nwfilter
>
> On Mon, May 09, 2011 at 01:12:10PM -0700, David L Stevens wrote:
> > This patch removes remaining pieces of IP address learning.
>
> Do we actually want to do this? This is effectively causing a
> regression in functionality for anyone who's relying on the
> current IP learning support, but who does not use DHCP.

I think there is no security at all in believing a guest's notion of what its own IP address is. Static addresses can still be used, but I don't see the point of allowing a guest to choose which address it can use (including a spoof address) and doing any filtering at all.

I didn't include it in this set, but implicit in using DHCP snooping is having a list of trusted DHCP servers. As that is just an ordinary filter addition in examples with no (non-XML) code changes, I thought I'd get this discussion kicked off first.

Patches I had in mind but didn't include here:

p10 - add support for multiple MAC addresses via comma-separated lists (e.g., support '54:0:0:0:0:0:1,54:1:2:3:4:5' as a MAC specification)
p11 - add support for multiple static IP addresses via comma-separated lists
p12 - add a filter in examples/xml/nwfilter for dropping DHCP server traffic not in a trusted list.

+-DLS
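To make the "trusted DHCP server list" idea from the message above concrete, here is an added nwfilter definition in the style of libvirt's examples/xml/nwfilter. It is an illustration written for this page, not the p12 patch David Stevens mentions and not one of libvirt's shipped filters. It assumes the nwfilter rule syntax of the time (`<filter>`, `<rule action= direction= priority=>`, `<ip .../>` with UDP port matching, lower priority numbers evaluated first) and uses 192.168.122.1 as a constructed placeholder for the single trusted server; a second trusted server would get its own accept rule.

```xml
<!-- Added example, not from the thread or from libvirt's own examples.
     Accepts DHCP server replies only from one trusted server and drops
     DHCP server traffic from anyone else before it reaches the guest.
     192.168.122.1 is a constructed placeholder for the trusted server. -->
<filter name='allow-dhcp-server-trusted' chain='ipv4'>

  <!-- Let the guest send DHCP client requests (DISCOVER/REQUEST are
       broadcast from 0.0.0.0 to 255.255.255.255, UDP 68 -> 67). -->
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255'
        protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>

  <!-- Accept server replies (UDP 67 -> 68) only from the trusted server.
       Add one such rule per trusted server address. -->
  <rule action='accept' direction='in' priority='100'>
    <ip srcipaddr='192.168.122.1'
        protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>

  <!-- Catch-all evaluated after the accept above (higher priority number):
       any other host posing as a DHCP server is dropped, so the snooped
       lease can only have come from a server on the trusted list. -->
  <rule action='drop' direction='in' priority='500'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>

</filter>
```

Load it with `virsh nwfilter-define` and reference it from the guest's interface with `<filterref filter='allow-dhcp-server-trusted'/>`. The ordering matters: the accept rule for the trusted server must carry a lower priority number than the drop rule, otherwise the catch-all discards the legitimate replies as well.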