Re: [libvirt] [PATCH 9/9] add DHCP snooping support to nwfilter
On Wed, May 18, 2011 at 01:34:33AM -0700, David Stevens wrote:
Daniel Veillard <veillard(a)redhat.com> wrote on 05/17/2011
08:47:11 PM:
> Like Dan I'm worried by removing this functionality. As far as I
> know most switches learn IP from their clients using ARP snooping,
> this is I think more resilient and minimize disruption in case of
> port switching.
Daniel,
Although I don't agree, I plan to add the option. I was hoping
to make DHCP snooping the default, at least.
I think making DHCP snooping the default is fine. That way we have a
more secure setup by default, and people are auto-upgraded to the more
secure setup, but are still able to revert to ARP mode if needed.
What concerns me is that the existing mechanism can be
almost
trivially subverted, so it may create a false sense of security. It
really is not spoof protection in general -- but that is the point
of the filtering. If you believe the VM when it tells you it can
use an IP address, filtering just means he has to reboot in between
hijacking multiple addresses he wants to spoof.
There should be no reason why DHCP wouldn't work on a migrated
VM as well (the expectation being that the address, and therefore subnet
and DHCP server) would continue to work in the new location.
Most migrations are on the same subnet, so the VMs existing acquired
IP address will still be valid & thus DHCP requests won't be made
after migration.
We need to arrange for the auto-detected IP address on the source
to be transfered to the destination during migration, either in
the guest XML, or in the migration cookies we added to the v3
migration protocol
Static addresses (or a set of possible IP addresses, with
the other patches I plan) can be used if you need to avoid DHCP,
of course. Then an admin could give a list of allowed addresses
and the VM could use any (or all) of that set, configured through
any mechanism.
I'm pressed for time at the moment, so it may be a few weeks
before I have the revisions to resubmit. But my plan is to incorporate
all of the comments I've seen so far in that revision.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|