RE: [E1000-devel] [PATCH 1/2] if_link: Add VF multicast promiscuous mode control

From: David Laight
Date: Wed Jan 21 2015 - 06:58:02 EST


From: Hiroshi Shimamoto
> My concern is what the real issue is that VF multicast promiscuous mode can cause.
> I think there are 4k entries to filter multicast addresses, and the current ixgbe/ixgbevf
> can turn all bits on from the VM. That is almost the same as enabling multicast promiscuous mode.
> I mean that we can receive all multicast addresses by an onerous operation in an untrusted VM.
> I think we should clarify what the real security issue is in this context.

If you are worried about passing un-enabled multicasts to users, then
what about doing a software hash of received multicasts and checking
against an actual list of multicasts enabled for that hash entry?
Under normal conditions there is likely to be only a single address to check.

It may (or may not) be best to use the same hash as any hashing hardware
filter uses.

David
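The two-level check David suggests (a hash bit mirroring the hardware filter plus a per-bucket list of the addresses actually enabled), as an added example in C that is not part of this thread or of the ixgbe/ixgbevf driver; the hash function, the list size and the sample addresses are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

#define MC_HASH_BITS 12                  /* 4k-entry hash filter, as mentioned on the thread */
#define MC_HASH_SIZE (1u << MC_HASH_BITS)
#define MC_MAX_EXACT 16                  /* assumed limit for the exact-match list */

/* One entry of the software exact-match list attached to a hash bucket. */
struct mc_exact { uint8_t addr[6]; };

struct mc_filter {
    uint8_t hash_bits[MC_HASH_SIZE / 8]; /* mirrors the hardware hash table bits */
    struct mc_exact exact[MC_MAX_EXACT]; /* multicast addresses actually enabled */
    unsigned n_exact;
};

/* Assumed hash: 12 bits taken from the low two bytes of the address. The real
 * hardware hash is not described on the page; what matters is that several
 * addresses can land in the same bucket. */
static unsigned mc_hash(const uint8_t *addr)
{
    return ((addr[4] << 8) | addr[5]) & (MC_HASH_SIZE - 1);
}

/* Enable one address: record it exactly and set its hash bit. */
static bool mc_filter_add(struct mc_filter *f, const uint8_t *addr)
{
    unsigned h;
    if (f->n_exact >= MC_MAX_EXACT)
        return false;
    memcpy(f->exact[f->n_exact++].addr, addr, 6);
    h = mc_hash(addr);
    f->hash_bits[h / 8] |= 1u << (h % 8);
    return true;
}

/* Receive-side check: the hash bit alone is not enough, the address must
 * also be on the exact list for that bucket. */
static bool mc_filter_accept(const struct mc_filter *f, const uint8_t *addr)
{
    unsigned h = mc_hash(addr), i;
    if (!(f->hash_bits[h / 8] & (1u << (h % 8))))
        return false;            /* hardware would already have dropped it */
    for (i = 0; i < f->n_exact; i++)
        if (mc_hash(f->exact[i].addr) == h &&
            memcmp(f->exact[i].addr, addr, 6) == 0)
            return true;
    return false;                /* hash collision: not actually enabled */
}
```

An address that merely collides with an enabled one in the hash bucket is rejected by the exact list, which is the case the hardware hash filter alone cannot distinguish.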