[libvirt] [PATCH 9/9] add DHCP snooping support to nwfilter

Daniel P. Berrange berrange at redhat.com
Wed May 18 08:46:21 UTC 2011


On Wed, May 18, 2011 at 01:34:33AM -0700, David Stevens wrote:
> Daniel Veillard <veillard at redhat.com> wrote on 05/17/2011 08:47:11 PM:
>  
> >   Like Dan I'm worried by removing this functionality. As far as I
> > know most switches learn IP from their clients using ARP snooping,
> > this is I think more resilient and minimize disruption in case of
> > port switching.
> 
> Daniel,
>         Although I don't agree, I plan to add the option. I was hoping
> to make DHCP snooping the default, at least.

I think making DHCP snooping the default is fine. That way we have a
more secure setup by default, and people are auto-upgraded to the more
secure setup, but are still able to revert to ARP mode if needed.

>         What concerns me is that the existing mechanism can be almost
> trivially subverted, so it may create a false sense of security. It
> really is not spoof protection in general -- but that is the point
> of the filtering. If you believe the VM when it tells you it can
> use an IP address, filtering just means he has to reboot in between
> hijacking multiple addresses he wants to spoof.
>         There should be no reason why DHCP wouldn't work on a migrated
> VM as well (the expectation being that the address, and therefore subnet
> and DHCP server) would continue to work in the new location.

Most migrations are on the same subnet, so the VM's existing acquired
IP address will still be valid & thus DHCP requests won't be made
after migration.

We need to arrange for the auto-detected IP address on the source
to be transferred to the destination during migration, either in
the guest XML, or in the migration cookies we added to the v3
migration protocol.

>         Static addresses (or a set of possible IP addresses, with
> the other patches I plan) can be used if you need to avoid DHCP,
> of course. Then an admin could give a list of allowed addresses
> and the VM could use any (or all) of that set, configured through
> any mechanism.
>         I'm pressed for time at the moment, so it may be a few weeks
> before I have the revisions to resubmit. But my plan is to incorporate
> all of the comments I've seen so far in that revision.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
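The trust-direction point made in this exchange (learn a VM's address only from what the DHCP server hands out, never from what the VM claims via ARP or a packet it injects itself) as an added, self-contained illustration. This is not libvirt's nwfilter code (which is C) and not from either poster; the class and function names, the constructed DHCP/ARP packets and the sample MAC and addresses are this example's own.

```python
"""Minimal DHCP snooping table versus ARP-based address learning.

A binding mac -> ip is accepted only from a DHCPACK that arrives from the
server side (uplink) of the VM's port, and is dropped on DHCPRELEASE or
lease expiry. Anything the VM itself sends claiming an address, including
a forged "ACK" on its own tap, is ignored. The ARP learner at the bottom
shows the contrast: it believes any sender IP the VM puts in an ARP packet.
"""
import struct
import time

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPACK, DHCPNAK, DHCPRELEASE = 5, 6, 7
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_END = 51, 53, 255


def parse_dhcp(payload):
    """Parse the fixed BOOTP header plus the DHCP option TLVs; None if malformed."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    _ciaddr, yiaddr, _siaddr, _giaddr = struct.unpack("!4s4s4s4s", payload[12:28])
    chaddr = payload[28:28 + min(hlen, 16)]
    opts, i = {}, 240
    while i < len(payload):
        tag = payload[i]
        if tag == OPT_END:
            break
        if tag == 0:                      # pad byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None
        ln = payload[i + 1]
        opts[tag] = payload[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "opts": opts}


class DhcpSnooper:
    """mac -> (ip, expiry) bindings learned only from server-originated DHCPACKs."""

    def __init__(self):
        self.bindings = {}

    def observe(self, payload, from_server_side, now=None):
        """Feed one DHCP payload; from_server_side is True for traffic from the uplink."""
        now = time.monotonic() if now is None else now
        msg = parse_dhcp(payload)
        if msg is None:
            return False
        mtype = (msg["opts"].get(OPT_MSG_TYPE) or b"\x00")[0]
        if from_server_side and msg["op"] == BOOTREPLY and mtype == DHCPACK:
            raw = msg["opts"].get(OPT_LEASE_TIME)
            lease = struct.unpack("!I", raw)[0] if raw and len(raw) == 4 else 0xFFFFFFFF
            self.bindings[msg["chaddr"]] = (msg["yiaddr"], now + lease)
            return True
        if not from_server_side and msg["op"] == BOOTREQUEST and mtype == DHCPRELEASE:
            self.bindings.pop(msg["chaddr"], None)
            return True
        return False                      # VM-side claims (or NAKs) change nothing

    def allowed_ip(self, mac, now=None):
        """Currently permitted source IP for mac, or None (expired entries are purged)."""
        now = time.monotonic() if now is None else now
        entry = self.bindings.get(mac)
        if entry is None or entry[1] <= now:
            self.bindings.pop(mac, None)
            return None
        return entry[0]


def arp_learn(arp_payload):
    """ARP-based learning: returns (sender MAC, sender IP) from any ARP packet, unverified."""
    _htype, _ptype, hlen, plen, _oper = struct.unpack("!HHBBH", arp_payload[:8])
    return arp_payload[8:8 + hlen], arp_payload[8 + hlen:8 + hlen + plen]


def build_dhcp(op, mtype, mac, yiaddr=b"\0\0\0\0", lease=None, xid=0x1234):
    """Construct a DHCP payload (constructed test data, not a capture)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    hdr += b"\0" * 4 + yiaddr + b"\0" * 8          # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + b"\0" * 10 + b"\0" * 192          # chaddr(16), sname(64), file(128)
    opts = bytes([OPT_MSG_TYPE, 1, mtype])
    if lease is not None:
        opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])


def demo():
    """Returns (learned ip, ip after a VM-forged ACK, what ARP learning believed, ip after expiry)."""
    mac = bytes.fromhex("525400aabbcc")            # constructed sample VM MAC
    snoop = DhcpSnooper()
    ack = build_dhcp(BOOTREPLY, DHCPACK, mac, yiaddr=bytes([192, 168, 122, 50]), lease=3600)
    snoop.observe(ack, from_server_side=True, now=0)
    learned = snoop.allowed_ip(mac, now=10)
    forged = build_dhcp(BOOTREPLY, DHCPACK, mac, yiaddr=bytes([192, 168, 122, 1]), lease=3600)
    snoop.observe(forged, from_server_side=False, now=20)   # injected by the VM on its own tap
    after_forgery = snoop.allowed_ip(mac, now=30)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + mac + bytes([192, 168, 122, 1]) + b"\0" * 10
    arp_claim = arp_learn(arp)[1]
    expired = snoop.allowed_ip(mac, now=4000)
    return learned, after_forgery, arp_claim, expired
```

The port direction (`from_server_side`) is the whole check: a VM can emit a byte-perfect DHCPACK, but it cannot make it arrive from the uplink, whereas an ARP learner takes the VM's word for its address, which is the "false sense of security" point above.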