Back to bug 809814
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| yeylon | 2012-04-09 08:46:34 UTC | CC | yeylon | |
| | | QA Contact | ykaul | knesenko |
| Douglas Schilling Landgraf | 2012-04-09 14:15:25 UTC | Priority | unspecified | high |
| | | CC | dougsland | |
| | | Hardware | Unspecified | All |
| | | OS | Unspecified | Linux |
| | | Severity | unspecified | high |
| Itamar Heim | 2012-04-09 14:27:15 UTC | Keywords | FutureFeature | |
| Itamar Heim | 2012-04-12 00:11:59 UTC | Flags | needinfo?(acathrow) | |
| Andrew Cathrow | 2012-04-12 00:20:09 UTC | Flags | needinfo?(acathrow) | |
| Itamar Heim | 2012-04-12 09:41:09 UTC | Assignee | mkenneth | abaron |
| Ayal Baron | 2012-04-12 10:25:06 UTC | Assignee | abaron | dougsland |
| Ayal Baron | 2012-04-15 07:16:13 UTC | Blocks | 812584 | |
| Ayal Baron | 2012-04-15 09:59:13 UTC | Blocks | 812584 | |
| Itamar Heim | 2012-04-19 14:54:14 UTC | CC | Rhev-m-bugs, ykaul | |
| | | Component | RFEs | ovirt-engine-backend |
| Simon Grinberg | 2012-04-25 07:43:56 UTC | CC | sgrinber | |
| Itamar Heim | 2012-04-30 21:08:24 UTC | Whiteboard | network | |
| Douglas Schilling Landgraf | 2012-05-08 21:36:56 UTC | Assignee | dougsland | lpeer |
| Itamar Heim | 2012-06-07 08:21:36 UTC | Depends On | 811807 | |
| Andrew Cathrow | 2012-06-12 21:45:24 UTC | CC | acathrow | |
| Sadique Puthen | 2012-07-06 14:23:20 UTC | CC | sputhenp | |
| Jeremy Eder | 2012-07-06 15:55:50 UTC | CC | jeder | |
| Itamar Heim | 2012-07-08 09:21:59 UTC | Depends On | 833542 | |
| Andrew Cathrow | 2012-07-08 09:39:50 UTC | Depends On | 833542 | |
| Itamar Heim | 2012-07-08 09:45:37 UTC | See Also | https://bugzilla.redhat.com/show_bug.cgi?id=833542 | |
| Petr Matousek | 2012-07-09 14:46:00 UTC | CC | pmatouse | |
| Yaniv Kaul | 2012-07-31 09:47:20 UTC | QA Contact | knesenko | mavital |
| | | Alias | rhev_nwfilter | |
| | | Flags | needinfo?(lpeer) | |
| lpeer | 2012-07-31 10:13:03 UTC | Target Milestone | --- | beta4 |
| | | Flags | needinfo?(lpeer) | |
| lpeer | 2012-07-31 10:40:15 UTC | Target Milestone | beta4 | beta3 |
| meital avital | 2012-07-31 11:12:44 UTC | QA Contact | mavital | gcheresh |
| Itamar Heim | 2012-07-31 11:35:26 UTC | Summary | PRD31 - Add nwfilter rules to all VMs | PRD31 - BETA3 - Add nwfilter rules to all VMs |
| Yaniv Kaul | 2012-08-09 19:00:55 UTC | Flags | needinfo?(sgrinber) | |
| Andrew Cathrow | 2012-08-10 12:48:35 UTC | Flags | needinfo?(sgrinber) | |
| Yaniv Kaul | 2012-08-12 07:02:16 UTC | Flags | needinfo?(lpeer) | |
| lpeer | 2012-08-12 08:12:02 UTC | Flags | needinfo?(lpeer) | |
| Meni Yakove | 2012-08-12 10:35:38 UTC | CC | myakove | |
| Dan Kenigsberg | 2012-08-13 07:57:25 UTC | CC | danken | |
| Dan Kenigsberg | 2012-08-13 07:58:06 UTC | Status | NEW | ASSIGNED |
| | | Assignee | lpeer | masayag |
| Meni Yakove | 2012-08-13 14:10:53 UTC | QA Contact | gcheresh | myakove |
| Yaniv Kaul | 2012-08-13 15:16:09 UTC | URL | http://wiki.ovirt.org/wiki/Features/Design/Network/NetworkFiltering | |
| Moti Asayag | 2012-08-20 18:45:40 UTC | Status | ASSIGNED | POST |
| Moti Asayag | 2012-09-04 14:32:55 UTC | Status | POST | MODIFIED |
| Igor Lvovsky | 2012-09-12 09:51:17 UTC | Status | MODIFIED | ON_QA |
| | | Fixed In Version | SI18 | |
| Yaniv Kaul | 2012-09-16 08:24:45 UTC | Flags | needinfo?(masayag) | |
| meital avital | 2012-09-19 11:46:39 UTC | CC | mavital | |
| Meni Yakove | 2012-09-24 08:03:23 UTC | Status | ON_QA | VERIFIED |
| Stephen Gordon | 2012-10-24 13:57:57 UTC | Flags | needinfo?(masayag) | |
| Moti Asayag | 2012-10-25 15:32:52 UTC | Doc Text | * Cause: Without enabling the network filters' rules on VMs running on the host or on vnic hot-plug, a spoof attack could be engaged. * Consequence: A VM could impersonate other VM causing a traffic designed to a specific VM to reach unexpected destination. * Fix: VDSM defines a custom rule (named vdsm-no-mac-spoofing) on libvirt nw-filter comprised of two out-of-the-box rules: no-mac-spoofing and no-arp-mac-spoofing so those rules could be enabled for VMs being launched on the host. VDSM exposes the option to use the vdsm-no-mac-spoofing filter when running VM or when hot-plug vnic is invoked. * Result: When VDSM is provided with the filter to be used for running VMs or activating vnics, it instructs libvirt to enforce the filters for the vnics by defining ebtables rules to control the traffic and to prevent the spoofing. | |
| | | Flags | needinfo?(masayag) needinfo?(masayag) | |
| Moti Asayag | 2012-10-25 16:06:29 UTC | Doc Text | * Cause: Without enabling the network filters' rules on VMs running on the host or on vnic hot-plug, a spoof attack could be engaged. * Consequence: A VM could impersonate other VM causing a traffic designed to a specific VM to reach unexpected destination. * Fix: VDSM defines a custom rule (named vdsm-no-mac-spoofing) on libvirt nw-filter comprised of two out-of-the-box rules: no-mac-spoofing and no-arp-mac-spoofing so those rules could be enabled for VMs being launched on the host. VDSM exposes the option to use the vdsm-no-mac-spoofing filter when running VM or when hot-plug vnic is invoked. * Result: When VDSM is provided with the filter to be used for running VMs or activating vnics, it instructs libvirt to enforce the filters for the vnics by defining ebtables rules to control the traffic and to prevent the spoofing. | * Cause: Without enabling the network filters' rules for VMs running on the host or on vnic hot-plug, a spoof attack could be engaged. * Consequence: A VM could impersonate other VM causing a traffic designed to a specific VM to reach unexpected destination. * Fix: RHEVM exposes a global configuration property named EnableMACAntiSpoofingFilterRules to indicate whether Network Filtering should be enabled or not. The property value will be set to 'true' by default. By setting this property to true the engine will provide to VDSM the custom VDSM rule to be propagated to libvirt. The filter will be sent to VDSM upon running a VM or when a vnic is being activated for a running VM. * Result: When VDSM is provided with the filter to be used for running VMs or activating vnics, it instructs libvirt to enforce the filters for the vnics by defining ebtables rules to control the traffic and to prevent the spoofing. |
| Tim Hildred | 2012-11-20 01:19:35 UTC | CC | thildred | |
| | | Doc Text | * Cause: Without enabling the network filters' rules for VMs running on the host or on vnic hot-plug, a spoof attack could be engaged. * Consequence: A VM could impersonate other VM causing a traffic designed to a specific VM to reach unexpected destination. * Fix: RHEVM exposes a global configuration property named EnableMACAntiSpoofingFilterRules to indicate whether Network Filtering should be enabled or not. The property value will be set to 'true' by default. By setting this property to true the engine will provide to VDSM the custom VDSM rule to be propagated to libvirt. The filter will be sent to VDSM upon running a VM or when a vnic is being activated for a running VM. * Result: When VDSM is provided with the filter to be used for running VMs or activating vnics, it instructs libvirt to enforce the filters for the vnics by defining ebtables rules to control the traffic and to prevent the spoofing. | Previously, Red Hat Enterprise Virtualization did not prevent MAC-spoofing. A virtual machine could impersonate other virtual, causing a traffic meant for a specific virtual machine to reach an unexpected destination. Now the Red Hat Enterprise Virtualization Manager exposes a global configuration property named EnableMACAntiSpoofingFilterRules, which is set to "True" by default. With the EnableMACAntiSpoofingFilterRules property enabled a filter that prevents spoofing gets added to a virtual machine network interface's XML definition. |
| Andrew Burden | 2012-11-20 03:38:08 UTC | CC | aburden | |
| | | Doc Text | Previously, Red Hat Enterprise Virtualization did not prevent MAC-spoofing. A virtual machine could impersonate other virtual, causing a traffic meant for a specific virtual machine to reach an unexpected destination. Now the Red Hat Enterprise Virtualization Manager exposes a global configuration property named EnableMACAntiSpoofingFilterRules, which is set to "True" by default. With the EnableMACAntiSpoofingFilterRules property enabled a filter that prevents spoofing gets added to a virtual machine network interface's XML definition. | Previously, Red Hat Enterprise Virtualization did not prevent MAC-spoofing. A virtual machine could impersonate other virtual machines, causing a traffic meant for a specific virtual machine to reach an unexpected destination. Now the Red Hat Enterprise Virtualization Manager exposes a global configuration property named EnableMACAntiSpoofingFilterRules, which is set to "True" by default. With the EnableMACAntiSpoofingFilterRules property enabled a filter that prevents spoofing gets added to a virtual machine network interface's XML definition. |
| errata-xmlrpc | 2012-12-04 18:13:12 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2012-12-04 19:23:54 UTC | Status | RELEASE_PENDING | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2012-12-04 14:23:54 UTC | |
| Ayal Baron | 2014-01-01 08:08:36 UTC | CC | abaron | |
| Itamar Heim | 2014-06-11 02:20:03 UTC | Target Release | --- | 3.1.0 |
| Dan Kenigsberg | 2014-06-26 15:26:04 UTC | Group | rhev, rhev_customer | |
| Meni Yakove | 2014-06-27 19:02:52 UTC | Keywords | Triaged | |
| John Skeoch | 2014-09-07 22:54:54 UTC | CC | rbalakri | |
| Haoxing Wang | 2015-09-22 13:09:47 UTC | Target Milestone | beta3 | --- |
| Yaniv Lavi | 2016-02-10 19:50:28 UTC | oVirt Team | --- | Network |