David Stevens/Beaverton/IBM@IBMUS wrote on 05/09/2011 04:00:05 PM:
>
> The following series of patches replaces IP address learning in
> network filtering with DHCP snooping. The existing address learning capability
> does not provide security since it relies on addresses used in initial packets
> sent by the guest to determine an IP address. A spoofing guest can simply
> arrange to send packets using the target address early on.
The current IP address learning algorithm takes either the address given by the DHCP
server or the address a VM seems to be using, which can either be from an ARP reply
or the first packet a VM is sending out. It then locks the VM's interface into
that address. This works for static configuration or DHCP, and if DHCP is used it
also works when libvirt is restarted while a VM is running -- then it will simply
pick the address from the ARP reply or first packet, treating the VM as if it was
using static configuration.

Looking at patch 8 I would assume you need to store the IP leases you track into
a file so you can handle the cases of libvirt restart while a VM is running. How
does the DHCP snooping currently deal with libvirt restarts or a SIGHUP to libvirt?
Both I believe are currently rebuilding all filters when libvirt restarts, and on
those interfaces where it is necessary the learning will again start up.
> With DHCP snooping, only addresses acknowledged by a DHCP server can
> be used by the guest, and only for the given lease time if the address lease
> is not renewed.
How do you treat VMs with statically configured interfaces? Are they permanently blocked
from sending?
> The patches also add support for multiple IP addresses per interface.

This would be great!
Stefan
>
> The split:
>
> p1 -add return & continue support
>      Add support for "return" and "continue" in filters.
> p2 -fix ARP input checks
>      Fix a bug that breaks correct use of ARP by overfiltering.
> p3 -add MAC check; split ARP into ARPMAC and ARPIP
>      Support for multiple IP addresses in ARP checks, and allow for
>      multiple MAC addresses in the future.
> p4 -set default protocol policy to "DROP"; edit filters
>      Change default protocol policy to "DROP", rather than adding explicit
>      "DROP" rules at the end of all of them. This is for multiple address
>      support.
> p5 -optional "modify" (don't use temp, generate placeholder rules)
>      Add support to dynamically add and remove filters without re-installing
>      an entire chain.
> p6 -addRules
>      Add support for adding new rules to a chain incrementally. Remove
>      support was already there.
> p7 -ChangeVar support
>      Add support to change chains that have a matching variable substitution
>      to either add or delete rules with the given variable value (e.g., "IP")
> p8 -add DHCP snooping
>      The DHCP snooping code itself.
> p9 -delete learnipaddr
>      Clean up remaining learnipaddr infrastructure.
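The lease-based rule the cover letter describes (an address becomes usable only after a DHCPACK, stays usable only until its lease expires unless renewed, and several addresses per interface are allowed), as an added Python illustration that is not part of the patch series or of libvirt: it parses a DHCPACK from the UDP payload, records (MAC, IP) -> expiry, and answers whether a packet from that pair would be permitted at a given time. The packet builder, MAC and IP values are constructed sample data, and the table is a plain dict rather than anything libvirt's nwfilter uses.

```python
import struct

DHCP_ACK, OPT_MSG_TYPE, OPT_LEASE_TIME, OPT_END = 5, 53, 51, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 options magic cookie

def parse_dhcp_ack(payload):
    """Return (client_mac, offered_ip, lease_seconds) for a DHCPACK, else None.
    payload is the UDP payload of a BOOTP/DHCP message (RFC 2131 layout)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    yiaddr = ".".join(str(b) for b in payload[16:20])                # "your" IP
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + payload[2]])  # client MAC
    msg_type = lease = None
    i = 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:                                  # pad option, no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE:
            msg_type = value[0]
        elif code == OPT_LEASE_TIME:
            lease = struct.unpack("!I", value)[0]
        i += 2 + length
    if msg_type != DHCP_ACK or lease is None:                # OFFER/NAK etc. ignored
        return None
    return chaddr, yiaddr, lease

def snoop(table, payload, now):
    """Record a server-acknowledged lease; a renewal simply moves the expiry."""
    parsed = parse_dhcp_ack(payload)
    if parsed:
        mac, ip, lease = parsed
        table[(mac, ip)] = now + lease                       # several IPs per MAC allowed
    return parsed

def allowed(table, mac, ip, now):
    """Would a packet from (mac, ip) sent at time 'now' pass the filter?"""
    expiry = table.get((mac, ip))
    return expiry is not None and now < expiry

def build_ack(mac, ip, lease):
    """Constructed sample DHCPACK; only the fields the snooper reads are filled."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6                         # BOOTREPLY, Ethernet, hlen
    hdr[16:20], hdr[28:34] = ip, mac
    opts = bytes([OPT_MSG_TYPE, 1, DHCP_ACK, OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
    return bytes(hdr) + MAGIC_COOKIE + opts + bytes([OPT_END])
```

A guest address that was never acknowledged, or whose lease has lapsed, fails `allowed`, which is exactly the gap the first-packet learning left open.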