On Tue, May 10, 2011 at 08:25:13AM -0700, David Stevens wrote:
> "Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote on 05/10/2011 02:28:25
> AM:
>
> > From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
> > To: David Stevens/Beaverton/IBM@IBMUS
> > Cc: libvirt-list@xxxxxxxxxx
> > Date: 05/10/2011 02:32 AM
> > Subject: Re: [PATCH 9/9] add DHCP snooping support to nwfilter
> >
> > On Mon, May 09, 2011 at 01:12:10PM -0700, David L Stevens wrote:
> > > This patch removes remaining pieces of IP address learning.
> >
> > Do we actually want to do this? This is effectively causing a
> > regression in functionality for anyone who's relying on the
> > current IP learning support, but who does not use DHCP.
>
> I think there is no security at all in believing a guest's notion
> of what its own IP address is. Static addresses can still be used, but
> I don't see the point of allowing a guest to choose which address it
> can use (including a spoof address) and doing any filtering at all.

It provides some limited security, against the scenario where a
running guest gets compromised at some point, i.e. it was honest when
it initially booted and acquired its IP. While this isn't as strong
as a DHCP-based check, this may still be enough for some people.

I'm just not at all happy with the idea that we'll delete existing
functionality here and replace it with something that, while better,
does not apply in all the scenarios that the old functionality
applied in. We're already shipping this in RHEL for example, and so
removing this will mean we can't update RHEL to newer nwfilter code,
or we'll have to patch it manually to re-add the code.

> I didn't include it in this set, but implicit in using DHCP
> snooping is having a list of trusted DHCP servers. As that is just
> an ordinary filter addition in examples with no (non-XML) code
> changes, I thought I'd get this discussion kicked off first.
>
> Patches I had in mind but didn't include here:
>
> p10 - add support for multiple MAC addresses via comma-separated lists
>       (e.g., support '54:0:0:0:0:0:1,54:1:2:3:4:5' as a MAC
>       specification)
> p11 - add support for multiple static IP addresses via comma-separated
>       lists
> p12 - add a filter in examples/xml/nwfilter for dropping DHCP server
>       traffic not in a trusted list.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
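The "p12" item above, a filter that drops DHCP server traffic not coming from a trusted server, can be expressed entirely in nwfilter XML, which is why David describes it as an addition with no non-XML code changes. The following is an added illustration written for this thread, not the examples/xml/nwfilter file from the patch series and not libvirt's shipped allow-dhcp-server filter. The filter name 'trusted-dhcp-server-only' is assumed, and the trusted server address is assumed to arrive as the nwfilter variable $DHCPSERVER, bound per interface through a <parameter> child of the interface's <filterref>. Rules are applied in ascending priority order, so the accept for the trusted server is evaluated before the catch-all drop on the DHCP server port.

```xml
<!-- Added example for this thread; not the patch series' own file.
     Filter name and the DHCPSERVER variable binding are assumptions. -->
<filter name='trusted-dhcp-server-only' chain='ipv4'>

  <!-- DHCP OFFER/ACK (server port 67 -> client port 68) is accepted
       only when it originates from the trusted server address. -->
  <rule action='accept' direction='in' priority='100'>
    <ip srcipaddr='$DHCPSERVER' protocol='udp'
        srcportstart='67' dstportstart='68'/>
  </rule>

  <!-- Anything else answering on the DHCP server port toward the guest
       is an untrusted (rogue) server: drop it before it reaches the VM.
       Higher priority value, so this runs after the accept above. -->
  <rule action='drop' direction='in' priority='200'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>

</filter>
```

Attach it from the domain's interface definition with `<filterref filter='trusted-dhcp-server-only'>` containing `<parameter name='DHCPSERVER' value='192.0.2.1'/>` (a constructed documentation address). Note what this filter does and does not do: it keeps an untrusted server's lease from ever reaching the guest, which is the precondition for trusting what a DHCP snooper records, but it does not by itself pin the guest to the leased address; that is the job of the snooping code under discussion, or of the static IP filters David mentions for guests that do not use DHCP.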