Hi,

On Fri, Jun 18, 2021 at 06:12:35PM +0200, Radosław Piliszek wrote:
> Hello Folks!
>
> I am writing this because a recent patch proposed to DevStack [1] mentioned "when using ml2/ovs vif isolation should always be used to prevent cross tenant traffic during a live migration" which is related to secbug #1734320 "Eavesdropping private traffic" [2]. However, I've found that none of the publicly-available deployment projects seem to be using ``isolate_vif``. [3] [4] Should this be corrected?
>
> PS: I used the deployment-projects tag as a collective tag to avoid mentioning all the projects (as it is too long to write :-) ). I hope that relevant people see this if need be or someone passes the information to them. For now, I am curious whether this should actually be enforced by default with ML2/OVS.
I think that Sean explained in the commit message of https://review.opendev.org/c/openstack/os-vif/+/612534/ why it defaults to False. And as it is os-vif's setting we can't make it "conditional", as os-vif doesn't know which Neutron backend is really used. So IMO deployment tools should maybe default this setting to True when ML2/OVS is really used.
> [1] https://review.opendev.org/c/openstack/devstack/+/796826
> [2] https://bugs.launchpad.net/neutron/+bug/1734320
> [3] https://codesearch.opendev.org/?q=%5Cbisolate_vif%5Cb&i=nope&files=&excludeFiles=&repos=
> [4] https://github.com/search?p=1&q=isolate_vif&type=Code
>
> -yoctozepto
--
Slawek Kaplonski
Principal Software Engineer
Red Hat
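As an added example that is not part of this thread: a small audit script a deployment tool or operator could run per compute node, reading nova.conf and the ML2 config and flagging the case the mail describes, ML2/OVS in use but ``isolate_vif`` left at os-vif's default of False. It assumes os-vif registers the option under the ``[os_vif_ovs]`` group and that the ``openvswitch`` mechanism driver is what identifies ML2/OVS; the sample configs are constructed.

```python
"""Audit a compute node for os-vif's isolate_vif setting under ML2/OVS."""
import configparser

# Constructed sample files. A real check would read /etc/nova/nova.conf and
# /etc/neutron/plugins/ml2/ml2_conf.ini on the compute node instead.
NOVA_CONF_DEFAULT = """
[DEFAULT]
compute_driver = libvirt.LibvirtDriver
[os_vif_ovs]
"""
NOVA_CONF_FIXED = """
[DEFAULT]
compute_driver = libvirt.LibvirtDriver
[os_vif_ovs]
isolate_vif = True
"""
ML2_CONF_OVS = """
[ml2]
mechanism_drivers = openvswitch,l2population
"""
ML2_CONF_OVN = """
[ml2]
mechanism_drivers = ovn
"""


def _parse(text):
    # oslo.config files are INI-like; no interpolation, tolerate duplicates.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def uses_ml2_ovs(ml2_conf_text):
    """True when the 'openvswitch' mechanism driver is enabled in [ml2]."""
    drivers = _parse(ml2_conf_text).get("ml2", "mechanism_drivers", fallback="")
    return "openvswitch" in [d.strip() for d in drivers.split(",")]


def isolate_vif_enabled(nova_conf_text):
    """Read [os_vif_ovs] isolate_vif; absent means os-vif's default, False."""
    cp = _parse(nova_conf_text)
    return cp.getboolean("os_vif_ovs", "isolate_vif", fallback=False)


def audit(nova_conf_text, ml2_conf_text):
    """Return (ok, message) for one compute node."""
    if not uses_ml2_ovs(ml2_conf_text):
        return True, "ML2/OVS not in use; isolate_vif is not relevant on this node"
    if isolate_vif_enabled(nova_conf_text):
        return True, "[os_vif_ovs] isolate_vif = True is set"
    return False, ("ML2/OVS in use but [os_vif_ovs] isolate_vif is not True: "
                   "cross-tenant traffic during live migration (bug #1734320)")
```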