On Wed, 2015-01-28 at 11:46 +0200, Michael S. Tsirkin wrote:
> On Wed, Jan 28, 2015 at 09:25:08AM +0100, Hannes Frederic Sowa wrote:
[...]
> > I see fragmentation id generation still as security critical:
> > When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
> > identifiers less predictable") I could patch my kernels and use the
> > patch regardless of the machine being virtualized or not. It was not
> > dependent on the hypervisor.
>
> And now it's even easier - just patch the hypervisor, and all VMs
> automatically benefit.
[...]You are advocating that the hypervisor should continue to act as a middle-box that quietly modifies packets. This may be useful to protect guests that have poor fragment ID generation, but then that should be an optional netfilter module and *not* the default. The default should be that UFO has no effect on the packet headers on the wire, and therefore that the fragment ID is chosen by the IPv6 stack in the guest. Ben. -- Ben Hutchings Teamwork is essential - it allows you to blame someone else.
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Virtualization mailing list Virtualization@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/virtualization
