lists.openwall.net: Open Source and information security mailing list archives
Date:	Mon, 24 Jun 2013 09:48:04 -0700
From:	Greg Rose <gregory.v.rose@...el.com>
To:	Stephen Hemminger <stephen@...workplumber.org>
CC:	Pawit Pornkitprasan <p.pawit@...il.com>, <netdev@...r.kernel.org>,
	"Ryousei Takano" <takano-ryousei@...t.go.jp>,
	Amir Vadai <amirv@...lanox.com>
Subject: Re: PROBLEM: Bridging does not work with Mellanox ConnectX-2 (mlx4_en) card in SR-IOV mode

On Mon, 24 Jun 2013 08:42:59 -0700
Stephen Hemminger <stephen@...workplumber.org> wrote:

> On Mon, 24 Jun 2013 16:55:00 +0900
> Pawit Pornkitprasan <p.pawit@...il.com> wrote:
> 
> > [1.] One line summary of the problem:
> > Bridging does not work with Mellanox ConnectX-2 (mlx4_en) card in
> > SR-IOV mode
> 
> For security reasons, SR-IOV cards do not support promiscuous mode
> required for bridging. Also the hardware usually can't do fanout to
> multiple VFs for the same unicast packet.

Stephen, technically you're correct but there is a bit of further
clarification required here.  In the case of Intel adapters that
support SR-IOV we do allow MAC promiscuous mode when the physical
function device is bridged.  This, along with the bridge FDB features,
allows VMs using the SW bridge with virtual interfaces to
communicate with VMs using SR-IOV virtual functions.  However, we leave
the VLAN filtering enabled in the device so that VMs can be isolated
from one another.  So it's not actually promiscuous mode since VLAN
filtering remains enabled, but it does enable promiscuous capture of
MAC addresses.

This feature is something just recently added to Intel adapters to get
around the security problem you mention.

- Greg

> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

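The thread above turns on one operational point: once a physical function is put in promiscuous mode and attached to a software bridge, the only thing keeping the SR-IOV guests apart is the VLAN filtering that stays enabled on the virtual functions. The script below is an added example, not code from this thread or from any driver; it is a host-side audit that reads `ip -d link show` output and lists every VF that sits behind a bridged (has a `master`) or promiscuous (`PROMISC`) PF but carries no VLAN. The sample output embedded in the script is constructed for the demonstration; the `vfs_without_vlan` and `check_vf_isolation` function names are mine, and the assumption that `ip` omits the `vlan` field when a VF's VLAN is 0 is what the check relies on.

```shell
#!/bin/sh
# Constructed sample of `ip -d link show` output (not captured from a real host).
# eth0 is a PF in promiscuous mode attached to bridge br0: vf 0 has VLAN 100,
# vf 1 has no VLAN (ip omits the "vlan" field when the VF VLAN is 0).
# eth1 is a PF that is neither bridged nor promiscuous.
SAMPLE_IP_LINK='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    vf 0     link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff, vlan 100, spoof checking on, link-state auto
    vf 1     link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff
    vf 0     link/ether 52:54:00:aa:bb:03 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto'

# vfs_without_vlan: read `ip -d link show` text on stdin and print "<pf> vf <n>"
# for each VF whose PF is exposed (bridged via "master" or flagged PROMISC)
# but which has no VLAN, i.e. no hardware VLAN isolation from its neighbours.
vfs_without_vlan() {
    awk '
        /^[0-9]+: / {
            pf = $2; sub(/:$/, "", pf)
            exposed = ($0 ~ /PROMISC/ || $0 ~ / master /)
            next
        }
        /^[ \t]+vf [0-9]+ / {
            if (exposed && $0 !~ /, vlan [0-9]+/) print pf " vf " $2
        }
    '
}

# check_vf_isolation: return 0 when every VF behind a bridged/promiscuous PF
# has a VLAN, return 1 and list the offenders on stderr otherwise.
# On a live host run:  ip -d link show | check_vf_isolation
check_vf_isolation() {
    offenders=$(vfs_without_vlan)
    if [ -n "$offenders" ]; then
        printf 'VFs behind a bridged/promiscuous PF with no VLAN isolation:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample: eth0 vf 1 is reported; eth1 vf 0 is
# not, because eth1 is neither bridged nor promiscuous.
if printf '%s\n' "$SAMPLE_IP_LINK" | check_vf_isolation; then
    echo "all VFs behind exposed PFs are VLAN-isolated"
else
    echo "isolation gaps found (expected for the constructed sample)"
fi
```

The check deliberately ignores VFs on PFs that are neither bridged nor promiscuous, since the thread's concern is specifically the combination of a promiscuous, bridged PF with guests that rely on VLAN filtering for isolation; treat a non-zero exit as a configuration to review, not as proof of cross-VM traffic.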
