lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Dec 2020 10:00:40 +0100 From: Jesper Dangaard Brouer <brouer@...hat.com> To: John Fastabend <john.fastabend@...il.com> Cc: brouer@...hat.com, Daniel Borkmann <daniel@...earbox.net>, Maciej Fijalkowski <maciej.fijalkowski@...el.com>, Toke Høiland-Jørgensen <toke@...hat.com>, alardam@...il.com, magnus.karlsson@...el.com, bjorn.topel@...el.com, andrii.nakryiko@...il.com, kuba@...nel.org, ast@...nel.org, netdev@...r.kernel.org, davem@...emloft.net, hawk@...nel.org, jonathan.lemon@...il.com, bpf@...r.kernel.org, jeffrey.t.kirsher@...el.com, maciejromanfijalkowski@...il.com, intel-wired-lan@...ts.osuosl.org, Marek Majtyka <marekx.majtyka@...el.com> Subject: Re: [PATCH v2 bpf 1/5] net: ethtool: add xdp properties flag set On Mon, 07 Dec 2020 12:52:22 -0800 John Fastabend <john.fastabend@...il.com> wrote: > > Use-case(1): Cloud-provider want to give customers (running VMs) ability > > to load XDP program for DDoS protection (only), but don't want to allow > > customer to use XDP_TX (that can implement LB or cheat their VM > > isolation policy). > > Not following. What interface do they want to allow loading on? If its > the VM interface then I don't see how it matters. From outside the > VM there should be no way to discover if its done in VM or in tc or > some other stack. > > If its doing some onloading/offloading I would assume they need to > ensure the isolation, etc. is still maintained because you can't > let one VMs program work on other VMs packets safely. > > So what did I miss, above doesn't make sense to me. The Cloud-provider want to load customer provided BPF-code on the physical Host-OS NIC (that support XDP). The customer can get access to a web-interface where they can write or upload their BPF-prog. As multiple customers can upload BPF-progs, the Cloud-provider have to write a BPF-prog dispatcher that runs these multiple program. This could be done via BPF tail-calls, or via Toke's libxdp[1], or via devmap XDP-progs per egress port. The Cloud-provider don't fully trust customers BPF-prog. They already pre-filtered traffic to the given VM, so they can allow customers freedom to see traffic and do XDP_PASS and XDP_DROP. They administratively (via ethtool) want to disable the XDP_REDIRECT and XDP_TX driver feature, as it can be used for violation their VM isolation policy between customers. Is the use-case more clear now? [1] https://github.com/xdp-project/xdp-tools/tree/master/lib/libxdp -- Best regards, Jesper Dangaard Brouer MSc.CS, Principal Kernel Engineer at Red Hat LinkedIn: http://www.linkedin.com/in/brouer
Powered by blists - more mailing lists