> Subject: RE: [E1000-devel] [PATCH 1/2] if_link: Add VF multicast promiscuous 
> mode control
> 
> From: Hiroshi Shimamoto
> > My concern is what the real issue is that VF multicast promiscuous mode can 
> > cause.
> > I think there are the 4k entries to filter multicast addresses, and the 
> > current ixgbe/ixgbevf
> > can turn all bits on from a VM. That is almost the same as enabling multicast 
> > promiscuous mode.
> > I mean that we can receive all multicast addresses by an onerous operation 
> > in an untrusted VM.
> > I think we should clarify what the real security issue is in this context.
> 
> If you are worried about passing un-enabled multicasts to users then
> what about doing a software hash of received multicasts and checking
> against an actual list of multicasts enabled for that hash entry.
> Under normal conditions there is likely to be only a single address to check.
> 
> It may (or may not) be best to use the same hash as any hashing hardware
> filter uses.

Thanks for the comment. But I don't think that is the point.

I guess introducing VF multicast promiscuous mode seems to add a new privilege
to peek at every multicast packet in a VM, and that doesn't look good.
On the other hand, I think that the same privilege has already existed in the current
ixgbe/ixgbevf implementation. Or I'm reading the code wrongly.
I'd like to clarify what the issue is with allowing all multicast 
packets to be received.

thanks,
Hiroshi
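A small model of the two filtering stages discussed above, as an added example and not code from this thread or from the ixgbe/ixgbevf driver: a 4096-bit multicast hash table in which a guest may light up every bit, beside the software exact-match check from the quoted reply that turns a hash hit back into "is this address actually enabled". The 12-bit vector computation is this example's own simplification and is not claimed to match the hardware's.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define MTA_BITS 4096               /* the 4k-entry multicast table from the thread */
#define MAX_EXACT 8                 /* small exact-match list; assumption for this model */

struct vf_mc_filter {
    uint32_t mta[MTA_BITS / 32];    /* hardware-style hash bitmap, one bit per vector */
    uint8_t exact[MAX_EXACT][6];    /* addresses the VF explicitly enabled */
    int n_exact;
};

/* 12-bit hash vector taken from the high bits of the destination MAC.
 * Illustrative bit selection only; the real filter type is driver-configured. */
static uint32_t mc_hash(const uint8_t *mac)
{
    return ((mac[4] >> 4) | ((uint32_t)mac[5] << 4)) & (MTA_BITS - 1);
}

/* Enable one address: set its hash bit and remember the exact address. */
static void filter_enable(struct vf_mc_filter *f, const uint8_t *mac)
{
    uint32_t v = mc_hash(mac);
    f->mta[v / 32] |= 1u << (v % 32);
    if (f->n_exact < MAX_EXACT)
        memcpy(f->exact[f->n_exact++], mac, 6);
}

/* Models the thread's point: the existing interface lets a guest set every bit,
 * which is nearly equivalent to multicast promiscuous mode. */
static void filter_set_all(struct vf_mc_filter *f)
{
    memset(f->mta, 0xff, sizeof f->mta);
}

/* Stage 1: what the hash table alone decides. */
static bool hw_hash_accepts(const struct vf_mc_filter *f, const uint8_t *mac)
{
    uint32_t v = mc_hash(mac);
    return (f->mta[v / 32] >> (v % 32)) & 1u;
}

/* Stage 2: the proposed software check. A hash hit only passes if the
 * address is in the list of multicasts actually enabled for that entry. */
static bool sw_exact_accepts(const struct vf_mc_filter *f, const uint8_t *mac)
{
    if (!hw_hash_accepts(f, mac))
        return false;
    for (int i = 0; i < f->n_exact; i++)
        if (memcmp(f->exact[i], mac, 6) == 0)
            return true;
    return false;
}
```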

_______________________________________________
E1000-devel mailing list
E1000-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/e1000-devel