Re: [PATCH 9/9] add DHCP snooping support to nwfilter

On Tue, May 10, 2011 at 08:25:13AM -0700, David Stevens wrote:
> "Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote on 05/10/2011 02:28:25 AM:
> 
> > From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
> > To: David Stevens/Beaverton/IBM@IBMUS
> > Cc: libvirt-list@xxxxxxxxxx
> > Date: 05/10/2011 02:32 AM
> > Subject: Re:  [PATCH 9/9] add DHCP snooping support to nwfilter
> > 
> > On Mon, May 09, 2011 at 01:12:10PM -0700, David L Stevens wrote:
> > > This patch removes remaining pieces of IP address learning.
> > 
> > Do we actually want todo this ?  This is effectively causing a
> > regression in functionality for anyone who's relying on the
> > current IP learning support, but who does not use DHCP.
> 
>         I think there is no security at all in believing a guest's notion
> of what its own IP address is. Static addresses can still be used, but
> I don't see the point of allowing a guest to choose which address it
> can use (including a spoof address) and doing any filtering at all.

It provides some limited security, against the scenario where a running
guest gets compromised at some point. ie it was honest when it initially
booted and acquired its IP. While this isn't as strong as a DHCP based
check, this may still be enough for some people. I'm just not at all
happy with the idea that we'll delete existing functionality here and
replace it with something that, while better, does not apply in all the
scenarios that the old functionality applied in. We're already shipping
this in RHEL for example, and so removing this will mean we can't update
RHEL to newer nwfilter code, or we'll have to patch it manually to re-add
the code.

>         I didn't include it in this set, but implicit in using DHCP
> snooping is having a list of trusted DHCP servers. As that is just
> an ordinary filter addition in examples with no (non-XML) code
> changes, I thought I'd get this discussion kicked off first.
>         Patches I had in mind but didn't include here:
> 
> p10 - add support for multiple MAC addresses via comma-separated lists
>         (e.g., support '54:0:0:0:0:0:1,54:1:2:3:4:5' as a MAC specification)
> p11 - add support for multiple static IP addresses via comma-separated
>         lists
> p12 - add a filter in examples/xml/nwfilter for dropping DHCP server
>         traffic not in a trusted list.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
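The "p12" item above (a filter that drops DHCP server traffic not in a trusted list) is only described in the thread, not shown. The following nwfilter definition is an added illustration written for this page; it is not from David's patch series and not one of libvirt's shipped example filters. It assumes the trusted server address is supplied as the filter variable $DHCPSERVER via the domain's <filterref> parameters, and that the filter name 'example-trusted-dhcp-only' is a placeholder chosen here. Within a filter, rules with a lower priority number are evaluated first, so the accept rules for the trusted server must carry a lower number than the catch-all drop rules.

```xml
<!-- Added illustrative example; not part of the patch series or of libvirt's
     shipped filters.  Assumption: the trusted DHCP server's address is passed
     in as $DHCPSERVER through the domain's <filterref> parameters. -->
<filter name='example-trusted-dhcp-only' chain='ipv4' priority='-700'>

  <!-- The guest's own DHCP client traffic.  Initial DISCOVER/REQUEST is
       broadcast from 0.0.0.0 before the guest has any address, so this
       cannot depend on $IP (learned or static). -->
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255'
        protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>

  <!-- Lease renewal is unicast to the server the guest obtained its lease
       from; only allow it toward the trusted server. -->
  <rule action='accept' direction='out' priority='100'>
    <ip dstipaddr='$DHCPSERVER'
        protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>

  <!-- Server replies (OFFER/ACK/NAK) are accepted only from the trusted
       server address. -->
  <rule action='accept' direction='in' priority='200'>
    <ip srcipaddr='$DHCPSERVER'
        protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>

  <!-- Any other host claiming to be a DHCP server toward this guest is
       dropped.  This rule is reached only if the accept above did not match,
       because it carries a higher priority number. -->
  <rule action='drop' direction='in' priority='300'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>

  <!-- And the guest itself may not act as a DHCP server toward the network
       (rogue server protection in the other direction). -->
  <rule action='drop' direction='out' priority='300'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
</filter>
```

To apply it, a domain's interface would reference the filter and bind the variable, for example with a filterref of the form `<filterref filter='example-trusted-dhcp-only'><parameter name='DHCPSERVER' value='192.168.122.1'/></filterref>` (the address here is a made-up placeholder). Note that this filter only constrains which server the guest may talk DHCP with; the DHCP snooping proposed in the patch series is what would then derive the guest's $IP from the accepted lease rather than from the guest's own claim.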