Since nobody has disputed Sean's assertions in the nearly half a year
since his comment #8 above, I'm going to assume the VMT no longer needs
to track this and is unlikely to issue any security advisory about it,
so am marking our advisory task Won't Fix.
** Changed in: ossa
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1797575
Title:
Security vulnerability with SR-IOV ports
Status in neutron:
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
As explain in http://www.mulix.org/pubs/misc/sriovsec-tr.pdf an
attacker that has been assigned a VF of a NIC for its VM can block the
network access for all the VMs using a VF of the same card by sending
control flow PAUSE commands at the right interval.
The attack is described as hard to detect, easy to implement and
absolutely efficient (throughput drops to 0).
A VF of a SR-IOV virtualized NIC can be assigned via pci aliases or
with neutron ports.
I suppose with a VF assigned via a nova pci-passthrough these PAUSE
commands would block the network. Would it be the case as well using
the neutron port method ?
I don't have enough knowledge on neutron's functioning to see if these
threats are serious or not, and I do not have the set up to test this
myself.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1797575/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
