lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <C5551D9AAB213A418B7FD5E4A6F30A078926426F@ORSMSX108.amr.corp.intel.com>
Date:	Mon, 23 Feb 2015 17:31:25 +0000
From:	"Rose, Gregory V" <gregory.v.rose@...el.com>
To:	Or Gerlitz <gerlitz.or@...il.com>,
	"Kirsher, Jeffrey T" <jeffrey.t.kirsher@...el.com>
CC:	David Miller <davem@...emloft.net>,
	Linux Netdev List <netdev@...r.kernel.org>,
	"nhorman@...hat.com" <nhorman@...hat.com>,
	"sassmann@...hat.com" <sassmann@...hat.com>,
	"jogreene@...hat.com" <jogreene@...hat.com>
Subject: RE: [net-next 13/16] i40e: Fix i40e_ndo_set_vf_spoofchk



> -----Original Message-----
> From: Or Gerlitz [mailto:gerlitz.or@...il.com]
> Sent: Monday, February 23, 2015 9:18 AM
> To: Kirsher, Jeffrey T
> Cc: David Miller; Rose, Gregory V; Linux Netdev List; nhorman@...hat.com;
> sassmann@...hat.com; jogreene@...hat.com
> Subject: Re: [net-next 13/16] i40e: Fix i40e_ndo_set_vf_spoofchk
> 
> On Mon, Feb 23, 2015 at 5:25 AM, Jeff Kirsher
> <jeffrey.t.kirsher@...el.com> wrote:
> > From: Greg Rose <gregory.v.rose@...el.com>
> >
> > The netdev op that allows the operator to turn MAC/VLAN spoof checking
> > on and off did not include the flag for VLAN spoof checking.  This
> > patch fixes that problem.
> 
> If we're on VST mode, the VF isn't aware their traffic is tagged with
> vlan-id Y and if they try to send with vlan-id X I assume you are forcing
> it to be Y, right?

No, it is dropped and a malicious driver event is registered to the PF driver.

> 
> If we're on VGT mode, what spoof check you can do? we don't have a model
> for allowed vlans, did I miss something?

This only applies in instances where the administrator has not set a VLAN id for the VF via the 'ip' utility.  In that case, our rule is to allow the VF driver to set its own VLAN filters if it so wishes.  This is a long standing rule for Intel VF drivers.

So, with VLAN spoof checking turned on the VF will only be able to send VLAN tagged traffic where the VLAN filter is set in the HW.  This allows the PF driver to continue to monitor and restrict what VLAN tagged traffic is allowed by the VF if it so desires.  The Linux driver does not actually do this but it would be easy to use some common reporting tools to see what VLAN filters are in use by the VF and then take actions desired by the system administrator.  Keeping a rule in place that the VF can only send on VLANs that are registered in the HW filters controlled by the PF increase security.

Thanks,

- Greg

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ