Back to bug 811807
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Itamar Heim | 2012-04-30 21:49:57 UTC | Whiteboard | network | |
| lpeer | 2012-05-08 09:41:51 UTC | CC | lpeer | |
| | | Summary | PRD31 vdsm: enable nwfilter | vdsm: enable nwfilter |
| Suzanne Logcher | 2012-05-10 20:28:32 UTC | CC | syeghiay | |
| Dan Kenigsberg | 2012-05-13 14:15:56 UTC | CC | danken | |
| Itamar Heim | 2012-06-07 08:19:01 UTC | Assignee | dougsland | lpeer |
| Itamar Heim | 2012-06-07 08:21:36 UTC | Blocks | 809814 | |
| | | Summary | vdsm: enable nwfilter | 6.3.z-3.1 - vdsm: enable nwfilter |
| Itamar Heim | 2012-06-07 11:39:33 UTC | Summary | 6.3.z-3.1 - vdsm: enable nwfilter | 3.1 - vdsm: enable nwfilter |
| Simon Grinberg | 2012-07-31 11:14:56 UTC | CC | sgrinber | |
| | | Target Milestone | rc | beta |
| | | Summary | 3.1 - vdsm: enable nwfilter | 3.1 - beta3 - vdsm: enable nwfilter |
| Dan Kenigsberg | 2012-08-13 07:59:37 UTC | Status | NEW | ASSIGNED |
| | | Assignee | lpeer | masayag |
| Moti Asayag | 2012-08-20 22:05:30 UTC | Status | ASSIGNED | POST |
| Chris Pelland | 2012-08-23 15:50:19 UTC | CC | cpelland | |
| Igor Lvovsky | 2012-09-03 16:13:43 UTC | Status | POST | MODIFIED |
| | | CC | ilvovsky | |
| Igor Lvovsky | 2012-09-04 08:28:39 UTC | Fixed In Version | vdsm-4.9.6-32.0 | |
| errata-xmlrpc | 2012-09-04 09:39:43 UTC | Status | MODIFIED | ON_QA |
| meital avital | 2012-09-04 11:06:09 UTC | CC | mavital | |
| | | QA Contact | yeylon | myakove |
| Meni Yakove | 2012-09-24 08:03:47 UTC | Status | ON_QA | VERIFIED |
| Stephen Gordon | 2012-10-23 19:13:50 UTC | Flags | needinfo?(masayag) | |
| Moti Asayag | 2012-10-25 16:00:18 UTC | Doc Text | * Cause: Without enabling the network filters' rules on VMs running on the host or on vnic hot-plug, a spoof attack could be engaged. * Consequence: A VM could impersonate another VM, causing traffic intended for a specific VM to reach an unexpected destination. * Fix: VDSM defines a custom rule (named vdsm-no-mac-spoofing) on libvirt nw-filter comprised of two out-of-the-box rules: no-mac-spoofing and no-arp-mac-spoofing, so those rules could be enabled for VMs being launched on the host. VDSM exposes the option to use the vdsm-no-mac-spoofing filter when running a VM or when vnic hot-plug is invoked. * Result: When VDSM is provided with the filter to be used for running VMs or activating vnics, it instructs libvirt to enforce the filters for the vnics by defining ebtables rules to control the traffic and to prevent the spoofing. | |
| | | Flags | needinfo?(masayag) | |
| Zac Dover | 2012-11-06 03:14:26 UTC | CC | zdover | |
| | | Doc Text | * Cause: Without enabling the network filters' rules on VMs running on the host or on vnic hot-plug, a spoof attack could be engaged. * Consequence: A VM could impersonate another VM, causing traffic intended for a specific VM to reach an unexpected destination. * Fix: VDSM defines a custom rule (named vdsm-no-mac-spoofing) on libvirt nw-filter comprised of two out-of-the-box rules: no-mac-spoofing and no-arp-mac-spoofing, so those rules could be enabled for VMs being launched on the host. VDSM exposes the option to use the vdsm-no-mac-spoofing filter when running a VM or when vnic hot-plug is invoked. * Result: When VDSM is provided with the filter to be used for running VMs or activating vnics, it instructs libvirt to enforce the filters for the vnics by defining ebtables rules to control the traffic and to prevent the spoofing. | Previously, VMs running on the host or vnic hot-plug were vulnerable to spoof attacks unless network filter rules were enabled. This meant that virtual machines were able to impersonate other virtual machines and that they could cause virtual machine traffic to be rerouted to destinations other than the ones intended by the Red Hat Enterprise Virtualization environment. VDSM now defines a custom rule called vdsm-no-mac-spoofing on libvirt nw-filter which rule is comprised of two rules: no-mac-spoofing and no-arp-mac-spoofing. VDSM exposes the option to use the vdsm-no-mac-spoofing filter when running a virtual machine or when hot-plug vnic is invoked. As a result, when VDSM is provided with the filter to be used when running VMs or activating vnics, it now instructs libvirt to enforce the filters for the vnics by defining ebtables rules that control traffic and prevent spoofing. |
| Jodi Biddle | 2012-11-09 04:50:06 UTC | CC | jbiddle | |
| | | Doc Text | Previously, VMs running on the host or vnic hot-plug were vulnerable to spoof attacks unless network filter rules were enabled. This meant that virtual machines were able to impersonate other virtual machines and that they could cause virtual machine traffic to be rerouted to destinations other than the ones intended by the Red Hat Enterprise Virtualization environment. VDSM now defines a custom rule called vdsm-no-mac-spoofing on libvirt nw-filter which rule is comprised of two rules: no-mac-spoofing and no-arp-mac-spoofing. VDSM exposes the option to use the vdsm-no-mac-spoofing filter when running a virtual machine or when hot-plug vnic is invoked. As a result, when VDSM is provided with the filter to be used when running VMs or activating vnics, it now instructs libvirt to enforce the filters for the vnics by defining ebtables rules that control traffic and prevent spoofing. | Previously, virtual machines running on the host or vnic hot-plug were vulnerable to spoof attacks unless network filter rules were enabled. This meant that virtual machines were able to impersonate other virtual machines and that they could cause virtual machine traffic to be rerouted to destinations other than the ones intended by the Red Hat Enterprise Virtualization environment. VDSM now defines a custom rule called vdsm-no-mac-spoofing on libvirt nw-filter which rule is comprised of two rules: no-mac-spoofing and no-arp-mac-spoofing. VDSM exposes the option to use the vdsm-no-mac-spoofing filter when running a virtual machine or when hot-plug vnic is invoked. As a result, when VDSM is provided with the filter to be used when running VMs or activating vnics, it now instructs libvirt to enforce the filters for the vnics by defining ebtables rules that control traffic and prevent spoofing. |
| Andrew Burden | 2012-11-27 07:14:29 UTC | CC | aburden | |
| | | Doc Text | Previously, virtual machines running on the host or vnic hot-plug were vulnerable to spoof attacks unless network filter rules were enabled. This meant that virtual machines were able to impersonate other virtual machines and that they could cause virtual machine traffic to be rerouted to destinations other than the ones intended by the Red Hat Enterprise Virtualization environment. VDSM now defines a custom rule called vdsm-no-mac-spoofing on libvirt nw-filter which rule is comprised of two rules: no-mac-spoofing and no-arp-mac-spoofing. VDSM exposes the option to use the vdsm-no-mac-spoofing filter when running a virtual machine or when hot-plug vnic is invoked. As a result, when VDSM is provided with the filter to be used when running VMs or activating vnics, it now instructs libvirt to enforce the filters for the vnics by defining ebtables rules that control traffic and prevent spoofing. | Previously, virtual machines running on the host or vnic hot-plug were vulnerable to spoof attacks unless network filter rules were enabled. This meant that virtual machines were able to impersonate other virtual machines and that they could cause virtual machine traffic to be rerouted to destinations other than those intended by the Red Hat Enterprise Virtualization environment. VDSM now defines a custom rule called vdsm-no-mac-spoofing on libvirt nw-filter which is comprised of two rules: no-mac-spoofing and no-arp-mac-spoofing. VDSM exposes the option to use the vdsm-no-mac-spoofing filter when running a virtual machine or when hot-plug vnic is invoked. As a result, when VDSM is provided with the filter to be used when running virtual machines or activating vnics, it now instructs libvirt to enforce the filters for the vnics by defining ebtables rules that control traffic and prevent spoofing. |
| Andrew Burden | 2012-11-28 02:29:39 UTC | Doc Text | Previously, virtual machines running on the host or vnic hot-plug were vulnerable to spoof attacks unless network filter rules were enabled. This meant that virtual machines were able to impersonate other virtual machines and that they could cause virtual machine traffic to be rerouted to destinations other than those intended by the Red Hat Enterprise Virtualization environment. VDSM now defines a custom rule called vdsm-no-mac-spoofing on libvirt nw-filter which is comprised of two rules: no-mac-spoofing and no-arp-mac-spoofing. VDSM exposes the option to use the vdsm-no-mac-spoofing filter when running a virtual machine or when hot-plug vnic is invoked. As a result, when VDSM is provided with the filter to be used when running virtual machines or activating vnics, it now instructs libvirt to enforce the filters for the vnics by defining ebtables rules that control traffic and prevent spoofing. | Previously, virtual machines running on the host or vNIC hot-plug were vulnerable to spoof attacks unless network filter rules were enabled. This meant that virtual machines were able to impersonate other virtual machines and that they could cause virtual machine traffic to be rerouted to destinations other than those intended by the Red Hat Enterprise Virtualization environment. VDSM now defines a custom rule called vdsm-no-mac-spoofing on libvirt nw-filter which is comprised of two rules: no-mac-spoofing and no-arp-mac-spoofing. VDSM exposes the option to use the vdsm-no-mac-spoofing filter when running a virtual machine or when hot-plug vNIC is invoked. As a result, when VDSM is provided with the filter to be used when running virtual machines or activating vNICs, it now instructs libvirt to enforce the filters for the vNICs by defining ebtables rules that control traffic and prevent spoofing. |
| errata-xmlrpc | 2012-12-03 12:03:37 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2012-12-04 18:57:20 UTC | Status | RELEASE_PENDING | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2012-12-04 13:57:20 UTC | |
| Dan Kenigsberg | 2014-06-26 15:24:43 UTC | Comment 3 is private | 1 | 0 |
| | | Comment 0 is private | 1 | 0 |
| | | Group | redhat, qa, devel, suseng, beta, rhn, rhev, support, rhel_beta | |
| Brook Harty | 2015-03-06 17:07:50 UTC | CC | harty |
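Worked example, added here by the editor and not code from the bug record or from vdsm itself: it composes the libvirt nwfilter that the Doc Text describes (a filter named vdsm-no-mac-spoofing that only references libvirt's built-in no-mac-spoofing and no-arp-mac-spoofing filters), shows the `<filterref>` a vNIC needs in its domain XML, and audits a `virsh dumpxml` style document for interfaces that lack the filter, which is the hot-plug gap the bug was about. The domain XML, bridge name and MAC addresses are constructed sample data, and the function names are this example's own. Defining and applying the filter requires libvirt (`virsh nwfilter-define`) and is not done here.

```python
"""Compose the vdsm-no-mac-spoofing nwfilter and audit domain XML for
vNICs that do not reference it.

Editor's example, not vdsm code. Assumes libvirt's built-in filters
'no-mac-spoofing' and 'no-arp-mac-spoofing' (they ship with libvirt).
"""
import xml.etree.ElementTree as ET

FILTER_NAME = "vdsm-no-mac-spoofing"
BUILTIN_FILTERS = ("no-mac-spoofing", "no-arp-mac-spoofing")


def build_filter_xml(name=FILTER_NAME, refs=BUILTIN_FILTERS):
    """Return the <filter> document to feed to `virsh nwfilter-define`.

    The filter carries no rules of its own; it only references the
    built-in filters, which libvirt expands into ebtables rules per vNIC.
    """
    root = ET.Element("filter", name=name, chain="root")
    for ref in refs:
        ET.SubElement(root, "filterref", filter=ref)
    return ET.tostring(root, encoding="unicode")


def build_interface_xml(mac, bridge, filter_name=FILTER_NAME):
    """Return an <interface> element that pins a vNIC to the filter.

    no-mac-spoofing permits only the interface's own <mac> as source
    address, so the MAC written here is the one that gets enforced.
    """
    iface = ET.Element("interface", type="bridge")
    ET.SubElement(iface, "mac", address=mac)
    ET.SubElement(iface, "source", bridge=bridge)
    ET.SubElement(iface, "model", type="virtio")
    ET.SubElement(iface, "filterref", filter=filter_name)
    return ET.tostring(iface, encoding="unicode")


def unfiltered_vnics(domain_xml, filter_name=FILTER_NAME):
    """Return MACs of interfaces in a domain XML (as from `virsh dumpxml`)
    that do not reference filter_name. An empty list means every vNIC is
    covered; anything else is a vNIC that can still spoof MAC or ARP.
    """
    root = ET.fromstring(domain_xml)
    missing = []
    for iface in root.iter("interface"):
        mac = iface.find("mac")
        addr = mac.get("address") if mac is not None else "<no mac>"
        ref = iface.find("filterref")
        if ref is None or ref.get("filter") != filter_name:
            missing.append(addr)
    return missing


# Constructed sample: one vNIC started with the filter, one hot-plugged
# without it (the situation the fix closes by passing the filter on hot-plug).
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>guest-a</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:01'/>
      <source bridge='rhevm'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:02'/>
      <source bridge='rhevm'/>
    </interface>
  </devices>
</domain>"""


if __name__ == "__main__":
    print(build_filter_xml())
    print(build_interface_xml("52:54:00:aa:bb:03", "rhevm"))
    print("vNICs without %s: %s" % (FILTER_NAME, unfiltered_vnics(SAMPLE_DOMAIN_XML)))
```

The audit only inspects XML, so it proves intent, not enforcement: on the host, `virsh nwfilter-list` should show vdsm-no-mac-spoofing and `ebtables -t nat -L` should show the per-vNIC chains libvirt creates for each filtered interface; a vNIC that was hot-plugged without the filterref (the second interface in the constructed sample) gets no such chain and can still send frames with a forged source MAC or forged ARP replies.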