Re: [libvirt] [PATCH 9/9] add DHCP snooping support to nwfilter

"Daniel P. Berrange" <berrange(a)redhat.com&gt; wrote on 05/10/2011 02:28:25 AM: > From: "Daniel P. Berrange" <berrange(a)redhat.com&gt; > To: David Stevens/Beaverton/IBM@IBMUS > Cc: libvirt-list(a)redhat.com > Date: 05/10/2011 02:32 AM > Subject: Re: [libvirt] [PATCH 9/9] add DHCP snooping support to nwfilter > > On Mon, May 09, 2011 at 01:12:10PM -0700, David L Stevens wrote: > > This patch removes remaining pieces of IP address learning. > > Do we actually want todo this ? This is effectively causing a > regression in functionality for anyone who's relying on the > current IP learning support, but who does not use DHCP. I think there is no security at all in believing a guest's notion of what its own IP address is. Static addresses can still be used, but I don't see the point of allowing a guest to choose which address it can use (including a spoof address) and doing any filtering at all.

I didn't include it in this set, but implicit in using DHCP snooping is having a list of trusted DHCP servers. As that is just an ordinary filter addition in examples with no (non-XML) code changes, I thought I'd get this discussion kicked off first. Patches I had in mind but didn't include here: p10 - add support for multiple MAC addresses via comma-separated lists (e.g., support '54:0:0:0:0:0:1,54:1:2:3:4:5' as a MAC specification) p11 - add support for multiple static IP addresses via comma-separated lists p12 - add a filter in examples/xml/nwfilter for dropping DHCP server traffic not in a trusted list.