Hello Folks!

I am writing this because a recent patch proposed to DevStack [1] mentioned "when using ml2/ovs vif isolation should always be used to prevent cross tenant traffic during a live migration" which is related to secbug #1734320 "Eavesdropping private traffic" [2]. However, I've found that none of the publicly-available deployment projects seem to be using ``isolate_vif``. [3] [4] Should this be corrected?

PS: I used the deployment-projects tag as a collective tag to avoid mentioning all the projects (as it is too long to write :-) ). I hope that relevant people see this if need be or someone passes the information to them. For now, I am curious whether this should actually be enforced by default with ML2/OVS.

[1] https://review.opendev.org/c/openstack/devstack/+/796826
[2] https://bugs.launchpad.net/neutron/+bug/1734320
[3] https://codesearch.opendev.org/?q=%5Cbisolate_vif%5Cb&i=nope&files=&excludeFiles=&repos=
[4] https://github.com/search?p=1&q=isolate_vif&type=Code

-yoctozepto
Hello,

Seems like there was no feedback here, or did you figure anything out? I’m also very interested in the recommended approach to this.

Best regards
On 18 Jun 2021, at 18:12, Radosław Piliszek <radoslaw.piliszek@gmail.com> wrote:
Hello Folks!
I am writing this because a recent patch proposed to DevStack [1] mentioned "when using ml2/ovs vif isolation should always be used to prevent cross tenant traffic during a live migration" which is related to secbug #1734320 "Eavesdropping private traffic" [2]. However, I've found that none of the publicly-available deployment projects seem to be using ``isolate_vif``. [3] [4] Should this be corrected?
PS: I used the deployment-projects tag as a collective tag to avoid mentioning all the projects (as it is too long to write :-) ). I hope that relevant people see this if need be or someone passes the information to them. For now, I am curious whether this should actually be enforced by default with ML2/OVS.
[1] https://review.opendev.org/c/openstack/devstack/+/796826
[2] https://bugs.launchpad.net/neutron/+bug/1734320
[3] https://codesearch.opendev.org/?q=%5Cbisolate_vif%5Cb&i=nope&files=&excludeFiles=&repos=
[4] https://github.com/search?p=1&q=isolate_vif&type=Code
-yoctozepto
Hi,

On Fri, Jun 18, 2021 at 06:12:35PM +0200, Radosław Piliszek wrote:
Hello Folks!
I am writing this because a recent patch proposed to DevStack [1] mentioned "when using ml2/ovs vif isolation should always be used to prevent cross tenant traffic during a live migration" which is related to secbug #1734320 "Eavesdropping private traffic" [2]. However, I've found that none of the publicly-available deployment projects seem to be using ``isolate_vif``. [3] [4] Should this be corrected?
PS: I used the deployment-projects tag as a collective tag to avoid mentioning all the projects (as it is too long to write :-) ). I hope that relevant people see this if need be or someone passes the information to them. For now, I am curious whether this should actually be enforced by default with ML2/OVS.
I think that Sean explained in the commit message of https://review.opendev.org/c/openstack/os-vif/+/612534/ why it defaults to False. And as it is os-vif's setting we can't make it "conditional", as os-vif doesn't know which Neutron backend is really used. So IMO deployment tools should maybe default this setting to True when ML2/OVS is really used.
[1] https://review.opendev.org/c/openstack/devstack/+/796826
[2] https://bugs.launchpad.net/neutron/+bug/1734320
[3] https://codesearch.opendev.org/?q=%5Cbisolate_vif%5Cb&i=nope&files=&excludeFiles=&repos=
[4] https://github.com/search?p=1&q=isolate_vif&type=Code
-yoctozepto
--
Slawek Kaplonski
Principal Software Engineer
Red Hat
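The point raised above is that os-vif cannot know which Neutron backend is in use, so the deployment tool has to set ``isolate_vif`` itself when ML2/OVS is deployed. The following is an added compliance check, not code from the thread or from any of the OpenStack projects, that an operator could run on a compute node to catch exactly that gap. It assumes the option lives under the ``[os_vif_ovs]`` section of nova.conf (the section name comes from os-vif's configuration, not from the thread) and that the ML2 mechanism drivers are listed under ``[ml2]`` in ml2_conf.ini; the configuration snippets embedded below are constructed samples, not taken from any real deployment.

```python
import configparser
import sys

# Constructed sample configs (not from the thread): a deployment that runs
# ML2/OVS but leaves os-vif's isolate_vif at its default of False, and the
# same deployment with the setting corrected.
SAMPLE_ML2_CONF = """
[ml2]
mechanism_drivers = openvswitch,l2population
"""

SAMPLE_NOVA_CONF_WEAK = """
[DEFAULT]
compute_driver = libvirt.LibvirtDriver
"""

SAMPLE_NOVA_CONF_FIXED = """
[DEFAULT]
compute_driver = libvirt.LibvirtDriver

[os_vif_ovs]
isolate_vif = True
"""

# Section/option names assumed from os-vif and neutron ML2 configuration.
OS_VIF_SECTION = "os_vif_ovs"
OS_VIF_OPTION = "isolate_vif"
ML2_SECTION = "ml2"
ML2_OPTION = "mechanism_drivers"


def _parse(text):
    # oslo.config files are INI-like; interpolation is off so '%' in values
    # is not mangled, and strict=False tolerates repeated keys.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def uses_ml2_ovs(ml2_conf_text):
    """True if the neutron ML2 config enables the openvswitch mechanism driver."""
    cfg = _parse(ml2_conf_text)
    drivers = cfg.get(ML2_SECTION, ML2_OPTION, fallback="")
    return "openvswitch" in [d.strip() for d in drivers.split(",")]


def isolate_vif_enabled(nova_conf_text):
    """Effective value of [os_vif_ovs] isolate_vif; os-vif defaults it to False."""
    cfg = _parse(nova_conf_text)
    return cfg.getboolean(OS_VIF_SECTION, OS_VIF_OPTION, fallback=False)


def check_compute_node(ml2_conf_text, nova_conf_text):
    """Return a list of findings; an empty list means the node is compliant."""
    findings = []
    if uses_ml2_ovs(ml2_conf_text) and not isolate_vif_enabled(nova_conf_text):
        findings.append(
            "ML2/OVS in use but [%s] %s is not True" % (OS_VIF_SECTION, OS_VIF_OPTION)
        )
    return findings


if __name__ == "__main__":
    # Usage: python check_isolate_vif.py [ml2_conf.ini nova.conf]
    # Without arguments the constructed samples are checked instead of real files.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            ml2_text = f.read()
        with open(sys.argv[2]) as f:
            nova_text = f.read()
        print(check_compute_node(ml2_text, nova_text) or ["ok"])
    else:
        print("weak:", check_compute_node(SAMPLE_ML2_CONF, SAMPLE_NOVA_CONF_WEAK))
        print("fixed:", check_compute_node(SAMPLE_ML2_CONF, SAMPLE_NOVA_CONF_FIXED))
```

The check deliberately treats a missing ``[os_vif_ovs]`` section as ``isolate_vif = False``, because that is what os-vif does, so a nova.conf that never mentions the option is reported the same way as one that sets it to False explicitly.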