On Tue, 2010-09-28 at 15:23 -0700, Bhanu Gollapudi wrote:
> On Wed, 2010-09-22 at 15:58 -0700, Robert Love wrote:
> >
> > This means that we need to compare the FC Frame's
> > destination FCID against the embedded FCID in the
> > destination MAC address. This patch checks the lower
> > 24 bits of the destination MAC address against
> > destination FCID in the Fibre Channel frame.
> >
> > For MAC validation the first line of defense is the
> > hardware MAC filtering. Each VN_Port will have a
> > unicast MAC address added to the hardware's
> > filtering table. The Ethernet driver should drop any
> > MACs not destined for a programmed MAC.
>
> If the NIC is in promiscuous mode for some reason, the driver may not
> drop these packets, right?
>

Yes, that is true. I would argue that if the NIC is in promiscuous mode
then your system is compromised and checking the MAC is the least of
your problems.

> > This patch
> > adds a second line of defense that very specifically
> > compares an element in the FC frame against an element
> > in the Ethernet header, which is appropriate for the
> > FCoE layer.
>
> In which case, this check may not be sufficient. Am I missing something?
>

I don't think you're missing anything. ;) I think our options are either
to do this check, do nothing or walk the NPIV list. Walking the NPIV
list is going to hurt performance with NPIV on and I'm not sure this
second level of validation is worth it. Doing nothing doesn't make us
spec compliant. This check at least makes us spec compliant, doesn't
hurt performance and does add some value.

//Rob
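
The comparison discussed in this thread, as a stand-alone C example added here; it is not the code from the patch under discussion. It assumes an untagged Ethernet frame and a 14-byte FCoE encapsulation header ahead of the 24-byte FC header; `fcoe_check_dest` and `build_sample` are hypothetical names and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN        14      /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define FCOE_HLEN       14      /* version + reserved (13) + SOF (1) */
#define FC_HLEN         24      /* fixed Fibre Channel frame header */
#define ETHERTYPE_FCOE  0x8906
#define FCOE_MIN_LEN    (ETH_HLEN + FCOE_HLEN + FC_HLEN)

enum fcoe_verdict { FCOE_OK, FCOE_TOO_SHORT, FCOE_NOT_FCOE, FCOE_DID_MISMATCH };

/* Read three big-endian bytes as a 24-bit value. */
static uint32_t be24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* Compare the low 24 bits of the destination MAC with the FC header's D_ID.
 * Assumption: the frame carries no 802.1Q tag. */
enum fcoe_verdict fcoe_check_dest(const uint8_t *frame, size_t len)
{
    if (len < FCOE_MIN_LEN)             /* never read past a runt frame */
        return FCOE_TOO_SHORT;
    if (((frame[12] << 8) | frame[13]) != ETHERTYPE_FCOE)
        return FCOE_NOT_FCOE;
    const uint8_t *fc = frame + ETH_HLEN + FCOE_HLEN;
    /* dst MAC bytes 3..5 against FC header bytes 1..3 (byte 0 is R_CTL) */
    return be24(frame + 3) == be24(fc + 1) ? FCOE_OK : FCOE_DID_MISMATCH;
}

/* Build a constructed, header-only sample frame for the demonstration. */
void build_sample(uint8_t *buf, uint32_t mac_low24, uint32_t d_id)
{
    memset(buf, 0, FCOE_MIN_LEN);
    buf[0] = 0x0e; buf[1] = 0xfc; buf[2] = 0x00;   /* constructed upper half */
    buf[3] = (uint8_t)(mac_low24 >> 16);
    buf[4] = (uint8_t)(mac_low24 >> 8);
    buf[5] = (uint8_t)mac_low24;
    buf[12] = ETHERTYPE_FCOE >> 8; buf[13] = ETHERTYPE_FCOE & 0xff;
    uint8_t *fc = buf + ETH_HLEN + FCOE_HLEN;
    fc[1] = (uint8_t)(d_id >> 16); fc[2] = (uint8_t)(d_id >> 8); fc[3] = (uint8_t)d_id;
}

int main(void)
{
    uint8_t f[FCOE_MIN_LEN];
    build_sample(f, 0x010203, 0x010203);
    return fcoe_check_dest(f, sizeof f) == FCOE_OK ? 0 : 1;
}
```

The comparison is constant-time per frame and needs no lookup, which is why it avoids the cost of walking the NPIV list mentioned above.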
