Subject: Re: [libvirt] [PATCH 9/9] add DHCP snooping support to nwfilter
From: David Stevens/Beaverton/IBM@IBMUS
To: "Daniel P. Berrange" <berrange(a)redhat.com>
Cc: libvirt-list(a)redhat.com

"Daniel P. Berrange" <berrange(a)redhat.com> wrote on 05/10/2011 02:28:25 AM:
> On Mon, May 09, 2011 at 01:12:10PM -0700, David L Stevens wrote:
> > This patch removes remaining pieces of IP address learning.
>
> Do we actually want to do this? This is effectively causing a
> regression in functionality for anyone who's relying on the
> current IP learning support, but who does not use DHCP.

I think there is no security at all in believing a guest's notion
of what its own IP address is. Static addresses can still be used, but
I don't see the point of allowing a guest to choose which address it
can use (including a spoof address) and doing any filtering at all.
I didn't include it in this set, but implicit in using DHCP
snooping is having a list of trusted DHCP servers. As that is just
an ordinary filter addition in examples with no (non-XML) code
changes, I thought I'd get this discussion kicked off first.
Patches I had in mind but didn't include here:

p10 - add support for multiple MAC addresses via comma-separated lists
      (e.g., support '54:0:0:0:0:0:1,54:1:2:3:4:5' as a MAC specification)
p11 - add support for multiple static IP addresses via comma-separated lists
p12 - add a filter in examples/xml/nwfilter for dropping DHCP server
      traffic not in a trusted list.

+-DLS
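The trusted-DHCP-server filter sketched as p12 above, written out as an added example. This is not code from the patch series or from libvirt's examples/xml/nwfilter; the filter name `drop-untrusted-dhcp-server`, the variable name `DHCPSERVER` and the address 192.0.2.1 are all assumptions chosen for illustration. It uses only nwfilter features that already exist in the XML format discussed here: `chain`, `priority` (lower values are evaluated first), `$VARIABLE` references, and `<parameter>` inside `<filterref>`.

```xml
<!-- Added example, not from the patch series. Filter definition: accept DHCP
     client requests out, accept server replies only from the trusted address
     in $DHCPSERVER, and drop anything else that arrives from UDP port 67. -->
<filter name='drop-untrusted-dhcp-server' chain='ipv4'>

  <!-- Guest DHCP request: source 0.0.0.0 to broadcast, client port 68 -> server port 67 -->
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255'
        protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>

  <!-- Replies from the trusted server. Priority 100 is evaluated before the
       drop rule at 110, so only this server's offers reach the guest. -->
  <rule action='accept' direction='in' priority='100'>
    <ip srcipaddr='$DHCPSERVER' protocol='udp'
        srcportstart='67' dstportstart='68'/>
  </rule>

  <!-- Any other host posing as a DHCP server is dropped. -->
  <rule action='drop' direction='in' priority='110'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
</filter>

<!-- Domain interface fragment (assumed): the trusted server address is
     supplied per interface through a filter parameter, 192.0.2.1 is a
     constructed documentation address. -->
<interface type='bridge'>
  <source bridge='br0'/>
  <filterref filter='drop-untrusted-dhcp-server'>
    <parameter name='DHCPSERVER' value='192.0.2.1'/>
  </filterref>
</interface>
```

This filter only controls whose DHCP offers the guest is allowed to see; it does not itself constrain the address the guest ends up using. That second half, binding the guest's traffic to the address a trusted server actually handed out rather than to whatever the guest claims, is what the snooping patch in this series provides, which is why the two belong together.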