From: "Tan, Jianfeng" <jianfeng.tan@intel.com>
To: Aaron Conole
Cc: Yuanhan Liu, Chen Hailin, ovs-dev@openvswitch.org, Maxime Coquelin, cloud, qemu-devel, dev
Date: Wed, 29 Nov 2017 00:06:50 +0800
Subject: Re: [dpdk-dev] [ovs-dev] [PATCH RFC] netdev-dpdk: Fix device obtain mac address when received first packet in vhost type

On 11/28/2017 1:01 AM, Aaron Conole wrote:
> "Tan, Jianfeng" writes:
>
>> On 11/27/2017 10:27 PM, Yuanhan Liu wrote:
>>> On Fri, Nov 24, 2017 at 05:59:09PM +0800, Chen Hailin wrote:
>>>> Hi Aaron Conole && Jianfeng,
>>>>
>>>> The stp could not work in ovs-dpdk vhostuser.
>>>> Because the attached vhost device doesn't have MAC address.
>>>>
>>>> Now we have two ways to solve this problem.
>>>> 1. The vhost learns MAC address from packet like in my first patch.
>>> I do agree with Aaron this is not the right way.
>> I do think it should be the vswitch's responsibility to learn mac of
>> vhost port.
>>
>> Except that it's the only feasible way without modifying the spec
>> (yuanhan already makes it very clear below), we can treat the vswitch
>> as a physical switch, VM as a physical server, virtio/vhost port as a
>> back-to-back connected NICs, the only way of the physical switch to
>> know the mac of the NIC on the other side is ARP learning.
>>
>> Might I ask why you don't think it's a right way?
> As a quick example, I think a malicious guest in a multi-tenant
> environment could send traffic out to manipulate this feature into
> learning an incorrect mac address.

Instead, I think it's not right to stop such mac spoofing behavior (suppose someone wants to have such an experiment in an overlay networking). And it actually only affects one "LAN", instead of all "LANs". And it's usually not the switch's responsibility to detect mac spoofing behavior IMHO.

> To get this right requires doing deep packet inspection, and making sure
> to only learn based on certain l2 traffic.
>

Yes, should learn based on ARP packets. Your concern is the performance? I suppose there are not too many such packets.

Thanks,
Jianfeng
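The thread above argues over two points: learning a vhost port's MAC only from ARP frames (rather than from any packet), and the risk that a guest can push a different MAC into the learning table. The following is an added illustration written for this archive page, not code from OVS, DPDK, or the patch under discussion. It parses a raw Ethernet frame (optionally 802.1Q tagged), learns a port MAC only from a well-formed ARP frame whose sender hardware address matches the Ethernet source, and pins the first learned MAC so that a later ARP from a different address is reported as a conflict instead of silently replacing it. The port state struct, the `build_arp_request` helper, and the pin-first policy are assumptions made for the example; the MAC and IP values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN        6
#define ETH_HDR_LEN     14
#define ETHERTYPE_IPV4  0x0800
#define ETHERTYPE_ARP   0x0806
#define ETHERTYPE_VLAN  0x8100
#define ARP_HDR_LEN     28
#define ARP_HTYPE_ETHER 1

/* Hypothetical per-port learning state (not an OVS structure). */
struct port_state {
    uint8_t  mac[ETH_ALEN];
    bool     learned;
    unsigned conflicts;   /* ARP frames that tried to change the pinned MAC */
};

enum learn_result {
    LEARN_IGNORED,   /* not a usable ARP frame: nothing learned */
    LEARN_OK,        /* MAC learned, or re-confirmed, for this port */
    LEARN_CONFLICT,  /* ARP sender MAC differs from the pinned one: rejected */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Inspect one frame received on a port; learn only from ARP, pin the first MAC. */
enum learn_result learn_mac_from_frame(const uint8_t *frame, size_t len,
                                       struct port_state *st)
{
    if (len < ETH_HDR_LEN) return LEARN_IGNORED;
    const uint8_t *eth_src = frame + ETH_ALEN;
    size_t off = 12;
    uint16_t ethertype = rd16(frame + off);
    off += 2;
    if (ethertype == ETHERTYPE_VLAN) {          /* single 802.1Q tag */
        if (len < off + 4) return LEARN_IGNORED;
        ethertype = rd16(frame + off + 2);
        off += 4;
    }
    if (ethertype != ETHERTYPE_ARP) return LEARN_IGNORED;
    if (len < off + ARP_HDR_LEN) return LEARN_IGNORED;

    const uint8_t *arp = frame + off;
    /* Ethernet/IPv4 ARP only: htype=1, ptype=0x0800, hlen=6, plen=4 */
    if (rd16(arp) != ARP_HTYPE_ETHER || rd16(arp + 2) != ETHERTYPE_IPV4 ||
        arp[4] != ETH_ALEN || arp[5] != 4)
        return LEARN_IGNORED;

    const uint8_t *sha = arp + 8;
    /* Sender hardware address must equal the outer source and be unicast. */
    if (memcmp(sha, eth_src, ETH_ALEN) != 0 || (sha[0] & 0x01))
        return LEARN_IGNORED;

    if (!st->learned) {
        memcpy(st->mac, sha, ETH_ALEN);
        st->learned = true;
        return LEARN_OK;
    }
    if (memcmp(st->mac, sha, ETH_ALEN) == 0) return LEARN_OK;
    st->conflicts++;                         /* keep the pinned MAC; just count */
    return LEARN_CONFLICT;
}

/* Build a constructed broadcast ARP request (42 bytes) from mac/ip into buf. */
size_t build_arp_request(uint8_t *buf, const uint8_t *mac, const uint8_t *ip)
{
    static const uint8_t bcast[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    memcpy(buf, bcast, ETH_ALEN);
    memcpy(buf + ETH_ALEN, mac, ETH_ALEN);
    buf[12] = 0x08; buf[13] = 0x06;               /* ethertype ARP */
    uint8_t *arp = buf + ETH_HDR_LEN;
    arp[0] = 0; arp[1] = 1;                       /* htype Ethernet */
    arp[2] = 0x08; arp[3] = 0x00;                 /* ptype IPv4 */
    arp[4] = ETH_ALEN; arp[5] = 4;                /* hlen, plen */
    arp[6] = 0; arp[7] = 1;                       /* oper = request */
    memcpy(arp + 8, mac, ETH_ALEN);               /* sender hardware address */
    memcpy(arp + 14, ip, 4);                      /* sender protocol address */
    memset(arp + 18, 0, ETH_ALEN);                /* target hardware address */
    memcpy(arp + 24, ip, 4);                      /* target protocol address */
    return ETH_HDR_LEN + ARP_HDR_LEN;
}

int main(void)
{
    /* Constructed sample values for the demonstration. */
    const uint8_t vm_mac[ETH_ALEN]    = {0x52, 0x54, 0x00, 0x12, 0x34, 0x56};
    const uint8_t other_mac[ETH_ALEN] = {0x52, 0x54, 0x00, 0xaa, 0xbb, 0xcc};
    const uint8_t ip[4] = {10, 0, 0, 2};
    struct port_state st = {0};
    uint8_t frame[64];

    size_t n = build_arp_request(frame, vm_mac, ip);
    printf("first ARP from vm_mac   -> %d\n", learn_mac_from_frame(frame, n, &st));
    n = build_arp_request(frame, other_mac, ip);
    printf("ARP from other_mac      -> %d (conflicts=%u)\n",
           learn_mac_from_frame(frame, n, &st), st.conflicts);
    frame[12] = 0x08; frame[13] = 0x00;           /* same bytes, IPv4 ethertype */
    printf("non-ARP frame           -> %d\n", learn_mac_from_frame(frame, n, &st));
    return 0;
}
```

The pin-first policy is one conservative choice: it keeps the port's first ARP-learned MAC and only counts later disagreements, which is what a defender would want surfaced as a log line or counter. A switch that needs to tolerate legitimate MAC changes would instead age the entry out, but it should still treat a change on a vhost port as an event worth recording.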