Hi,

On Fri, Jun 18, 2021 at 06:12:35PM +0200, Radosław Piliszek wrote:
> Hello Folks!
>
> I am writing this because a recent patch proposed to DevStack [1]
> mentioned "when using ml2/ovs vif isolation should always be used to
> prevent cross tenant traffic during a live migration" which is related
> to secbug #1734320 "Eavesdropping private traffic" [2].
> However, I've found that none of the publicly-available deployment
> projects seem to be using ``isolate_vif``. [3] [4]
> Should this be corrected?
>
> PS: I used the deployment-projects tag as a collective tag to avoid
> mentioning all the projects (as it is too long to write :-) ). I hope
> that relevant people see this if need be or someone passes the
> information to them. For now, I am curious whether this should
> actually be enforced by default with ML2/OVS.

I think that Sean explained in the commit message of
https://review.opendev.org/c/openstack/os-vif/+/612534/ why it defaults to
False. And as it is os-vif's setting, we can't make it "conditional", as os-vif
doesn't know which Neutron backend is really used.
So IMO deployment tools should maybe default this setting to True when ML2/OVS
is really used.

>
> [1] https://review.opendev.org/c/openstack/devstack/+/796826
> [2] https://bugs.launchpad.net/neutron/+bug/1734320
> [3] https://codesearch.opendev.org/?q=%5Cbisolate_vif%5Cb&i=nope&files=&excludeFiles=&repos=
> [4] https://github.com/search?p=1&q=isolate_vif&type=Code
>
> -yoctozepto
>

--
Slawek Kaplonski
Principal Software Engineer
Red Hat