lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1402488782.2306.18.camel@jtkirshe-mobl>
Date:	Wed, 11 Jun 2014 05:13:02 -0700
From:	Jeff Kirsher <jeffrey.t.kirsher@...el.com>
To:	Or Gerlitz <or.gerlitz@...il.com>
Cc:	David Miller <davem@...emloft.net>,
	Mitch Williams <mitch.a.williams@...el.com>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"gospo@...hat.com" <gospo@...hat.com>,
	"sassmann@...hat.com" <sassmann@...hat.com>,
	Jesse Brandeburg <jesse.brandeburg@...el.com>
Subject: Re: [net-next 06/13] i40e: implement anti-spoofing for VFs

On Mon, 2014-06-09 at 22:49 +0300, Or Gerlitz wrote:
> On Mon, Jun 9, 2014 at 11:49 AM, Jeff Kirsher
> <jeffrey.t.kirsher@...el.com> wrote:
> > From: Mitch Williams <mitch.a.williams@...el.com>
> >
> > Our hardware supports VF antispoofing for both MAC addresses and VLANs.
> > Enable this feature by default for all VFs
> 
> What do you expect the HW to do when spoof check is enabled (by
> default) but the admin didn't configure a MAC address for the VF
> through the PF? that is the VF is allowed to use what ever MAC they
> want to?
> 
> > and implement the netdev op to control it from the command line.

Here is the answer I got:
If the VF mac address is set within the VM and it is accepted by the PF,
than any packets with that mac address would be allowed out of the
interface.

If the VF attempts to send a packet with a mac address that has not been
sent to and accepted/configured by the PF than this would get blocked by
the anti-spoof detection.

The VF mac address must be configured by the PF in either case (set in
the host or set in the VM).

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ