Since nobody has disputed Sean's assertions in the nearly half a year since his comment #8 above, I'm going to assume the VMT no longer needs to track this and is unlikely to issue any security advisory about it, so am marking our advisory task Won't Fix.
** Changed in: ossa
   Status: Incomplete => Won't Fix

https://bugs.launchpad.net/bugs/1797575

Title:
  Security vulnerability with SR-IOV ports

Status in neutron:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  As explained in http://www.mulix.org/pubs/misc/sriovsec-tr.pdf, an attacker that has been assigned a VF of a NIC for its VM can block the network access for all the VMs using a VF of the same card by sending control flow PAUSE commands at the right interval. The attack is described as hard to detect, easy to implement and absolutely efficient (throughput drops to 0).

  A VF of a SR-IOV virtualized NIC can be assigned via pci aliases or with neutron ports. I suppose with a VF assigned via a nova pci-passthrough these PAUSE commands would block the network. Would it be the case as well using the neutron port method? I don't have enough knowledge on neutron's functioning to see if these threats are serious or not, and I do not have the setup to test this myself.
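The bug report above describes the PAUSE-frame attack but gives an operator nothing to check on a compute node. The script below is an added example, not code from the bug reporter, from the paper, or from neutron or nova. It parses the text that `ethtool -a` (pause parameters) and `ethtool -S` (NIC statistics) print for a physical function, reports whether 802.3x flow control is currently negotiated or honoured on that PF, and applies a simple heuristic over two counter snapshots: XOFF counters rising while the PF receive rate has collapsed. Everything it runs on here is a constructed sample, not a real capture. The counter names are the ones the ixgbe driver exposes and are an assumption; other drivers (i40e, mlx5 and so on) use different names, and whether VF-originated PAUSE frames are counted on the host at all depends on the NIC. The frames are honoured by the switch port, so the switch's own pause counters are the more reliable place to look; the interface names, thresholds and snapshot interval are also assumptions.

```python
"""Host-side checks for the SR-IOV PAUSE-frame DoS described in the bug report.

Parses ethtool text rather than calling ethtool, so it runs offline; feed it
the real output of `ethtool -a <pf>` and `ethtool -S <pf>` on a compute node.
"""
import re

# Assumption: ixgbe counter names. Other drivers expose different pause counters.
PAUSE_COUNTERS = ("rx_flow_control_xoff", "tx_flow_control_xoff")


def parse_pause_settings(text):
    """Parse `ethtool -a <iface>` output into {"autonegotiate": bool, "rx": bool, "tx": bool}."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Autonegotiate|RX|TX):\s*(on|off)\s*$", line)
        if m:
            settings[m.group(1).lower()] = (m.group(2) == "on")
    return settings


def pause_enabled(settings):
    """True if the PF honours or sends 802.3x PAUSE, or can still negotiate it on."""
    return any(settings.get(k, False) for k in ("autonegotiate", "rx", "tx"))


def parse_stats(text):
    """Parse `ethtool -S <iface>` output into {counter_name: int}."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.\[\]]+):\s*(\d+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def counter_deltas(before, after, names):
    """Per-counter increase between two snapshots (missing counters count as 0)."""
    return {n: after.get(n, 0) - before.get(n, 0) for n in names}


def pause_storm_suspected(before, after, interval_s, min_xoff_per_s=1.0, min_rx_pps=10.0):
    """Heuristic: XOFF counters climbing while the PF barely receives any packets.

    Thresholds are assumptions; tune them against the normal traffic of the host.
    """
    xoff = sum(counter_deltas(before, after, PAUSE_COUNTERS).values())
    rx_pkts = after.get("rx_packets", 0) - before.get("rx_packets", 0)
    return (xoff / interval_s) >= min_xoff_per_s and (rx_pkts / interval_s) < min_rx_pps


# Constructed samples (not real captures): a PF with pause negotiated on, and two
# counter snapshots taken 10 s apart while the link is being paused.
SAMPLE_PAUSE_PARAMS = """Pause parameters for enp3s0f0:
Autonegotiate:\ton
RX:\t\ton
TX:\t\ton
"""

SAMPLE_STATS_BEFORE = """NIC statistics:
     rx_packets: 1000000
     tx_packets: 900000
     rx_flow_control_xoff: 0
     tx_flow_control_xoff: 0
"""

SAMPLE_STATS_AFTER = """NIC statistics:
     rx_packets: 1000020
     tx_packets: 900005
     rx_flow_control_xoff: 4800
     tx_flow_control_xoff: 0
"""


def check_sample():
    """Run both checks over the constructed samples and return the verdicts."""
    settings = parse_pause_settings(SAMPLE_PAUSE_PARAMS)
    before = parse_stats(SAMPLE_STATS_BEFORE)
    after = parse_stats(SAMPLE_STATS_AFTER)
    return {
        "pause_enabled": pause_enabled(settings),
        "storm_suspected": pause_storm_suspected(before, after, interval_s=10),
    }


if __name__ == "__main__":
    print(check_sample())
```

In production the two snapshots come from `ethtool -S` taken a fixed interval apart (the interval passed to `pause_storm_suspected`), and `pause_enabled` flags PFs whose pause parameters should be reviewed together with the flow-control setting on the facing switch port; the host-side counters alone cannot prove that a particular VF sent the frames.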