lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 11 Nov 2014 18:46:20 -0800
From:	Mahesh Bandewar <maheshb@...gle.com>
To:	Cong Wang <cwang@...pensource.com>
Cc:	Hannes Frederic Sowa <hannes@...hat.com>,
	netdev <netdev@...r.kernel.org>,
	Eric Dumazet <edumazet@...gle.com>,
	Maciej Zenczykowski <maze@...gle.com>,
	Laurent Chavey <chavey@...gle.com>,
	Tim Hockin <thockin@...gle.com>,
	David Miller <davem@...emloft.net>,
	Brandon Philips <brandon.philips@...eos.com>,
	Pavel Emelianov <xemul@...allels.com>
Subject: Re: [PATCH net-next 1/1] ipvlan: Initial check-in of the IPVLAN driver.

On Tue, Nov 11, 2014 at 4:39 PM, Cong Wang <cwang@...pensource.com> wrote:
> On Tue, Nov 11, 2014 at 3:22 PM, Hannes Frederic Sowa <hannes@...hat.com> wrote:
>> On Di, 2014-11-11 at 15:12 -0800, Cong Wang wrote:
>>> On Tue, Nov 11, 2014 at 2:29 PM, Mahesh Bandewar <maheshb@...gle.com> wrote:
>>> > This driver is very similar to the macvlan driver except that it
>>> > uses L3 on the frame to determine the logical interface while
>>> > functioning as packet dispatcher. It inherits L2 of the master
>>> > device hence the packets on wire will have the same L2 for all
>>> > the packets originating from all virtual devices off of the same
>>> > master device.
>>>
>>> Why do we need this from the beginning?
>>> IOW, what problem does this solve while macvlan doesn't?
>>
>> I think it is good to reduce the number of mac addresses before a NIC
>> switches into promisc mode.
>>
>
> Sounds like over-kill to have a new device just for not worrying about mac.
> Or you mean our neigh table doesn't scale?

I do not think this is a neigh-table scaling issue and certainly wont
feel it's a over kill. It's addressing the need that macvlan does not
address. Having said that, this certainly does not mean that this is
the replacement of macvlan driver.

(Linux) Hosts could be connected to devices with stricter security
policies allowing only a mac per port it's connected to barring the
use of devices like macvlan. This would mean that you need something
like ipvlan type of device to address that need. Also as Hannes has
mentioned, burning more macs per port and putting the NIC in promisc
mode is taxing for performance. That could be avoided by using ipvlan.

At LPC there was another talk / discussion about using pure L2 device
in docker container was a security concern
(http://www.linuxplumbersconf.net/2014/ocw//system/presentations/1959/original/lxc-security-issues.pdf)

However, point taken, I will summarize all this macvlan to ipvlan
comparison and add into the document that is part of this patch.

Thanks,
--mahesh..
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ