Subject: Re: [virtio-comment] virtio-net ip restriction.
On Tue, Aug 8, 2023 at 4:09 PM Xuan Zhuo <xuanzhuo@linux.alibaba.com> wrote:
>
> ## Background
>
> For cloud, the ip restriction is important. Because the user of the vm is
> untrustworthy. One user may use the ip of another to config the netdevice to
> receive and send packets. So we need to restrict the ip traffic of the device (or port).
>
> ## Implement
> Now we have these choices:
>
> 1. introduce the switch (as the part of pf or as a separate device under all PF
> and VFs), the switch supports rx/tx filter
> 2. the virtio-net device supports the ip restriction

I think they are not contradictory, we can have both. I'd suggest starting from 2 as it's simple without new dependencies.

One question though, besides ip restriction, how did you implement the trust and spoof checking?

Thanks

>
>
> Parav wrote:
> > I understood that you for some reason do not need restrictions for the PF.
> > I do not know why you don't need it. :)
> > Most cloud setups that I came across so far need it, but ok...
>
> PF is used by the administrator, so the ip restriction for the PF is
> not important. But we can have this feature.
>
> > The design for the switch object needs to cover the PF as well, even though it may not be done initially.
> > (hint: an abstraction of switch port to be done, instead of doing things directly on the group member id).
> >
> > We are seeing use cases reducing of having switch located on the PF for its VFs.
>
> So for you, we should introduce a switching PF?
>
> > So please reconsider.
> > I remember you mentioned in past in other thread, that mac etc is controlled from the infrastructure side.
>
> YES.
>
> > So, I repeatedly ask if you _really_ need to have the switch object as part of the owner PF or not.
>
> For me, those are all ok.
> Could you explain the difference between these?
> So I would like to know which one is better and which one is simpler?
>
> > Which sort of contradicts with locating the administrative switch on the owner PF.
>
> Why?
>
> For us, all is on the DPU.
>
> > If it does, flow filters vq that is being worked with Heng, Satananda, David
> > and others seems right direction to implement simple->complex switch object
> > progressively.
>
> Great!!
>
> > Thanks.
>
> This publicly archived list offers a means to provide input to the
> OASIS Virtual I/O Device (VIRTIO) TC.
>
> In order to verify user consent to the Feedback License terms and
> to minimize spam in the list archive, subscription is required
> before posting.
>
> Subscribe: virtio-comment-subscribe@lists.oasis-open.org
> Unsubscribe: virtio-comment-unsubscribe@lists.oasis-open.org
> List help: virtio-comment-help@lists.oasis-open.org
> List archive: https://lists.oasis-open.org/archives/virtio-comment/
> Feedback License: https://www.oasis-open.org/who/ipr/feedback_license.pdf
> List Guidelines: https://www.oasis-open.org/policies-guidelines/mailing-lists
> Committee: https://www.oasis-open.org/committees/virtio/
> Join OASIS: https://www.oasis-open.org/join/
>
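The "ip restriction" and the "trust and spoof checking" question raised in the message above can be illustrated with a small per-port filter model. This is an added example written for this thread; it is not code from the virtio specification, from Xuan Zhuo, or from any DPU or switch implementation. It assumes the policy the thread sketches: the infrastructure side assigns each switch port (PF or VF) the IP addresses it owns, the tx filter drops packets whose source address the port does not own (the spoof check), the rx filter delivers only packets addressed to one of the port's own addresses, and a port marked trusted (the administrator's PF) bypasses both filters. Port names, packet fields and the sample addresses are constructed.

```python
"""Per-port IP restriction model (added example, not virtio or vendor code).

Policy assumed here, following the thread:
  * each port owns a set of IPv4 addresses assigned by the infrastructure side
  * tx filter: a port may only send packets whose source address it owns
  * rx filter: a port only receives packets addressed to an address it owns
  * a trusted port (the admin PF) is exempt from both checks
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Port:
    name: str
    allowed: Set[IPv4Address] = field(default_factory=set)  # assigned by admin
    trusted: bool = False  # e.g. the administrator's PF: bypasses the filters


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    payload: bytes = b""


class IpRestrictingSwitch:
    """Minimal switch with rx/tx IP filters per port (hypothetical model)."""

    def __init__(self) -> None:
        self.ports: Dict[str, Port] = {}
        # audit trail of dropped packets: (port, reason, packet)
        self.drops: List[Tuple[str, str, Packet]] = []

    def add_port(self, name: str, *, allowed=(), trusted: bool = False) -> Port:
        port = Port(name, {ip_address(a) for a in allowed}, trusted)
        self.ports[name] = port
        return port

    def tx_allowed(self, port_name: str, pkt: Packet) -> bool:
        """Tx filter (egress from the VM): spoof check on the source address."""
        port = self.ports[port_name]
        if port.trusted or pkt.src in port.allowed:
            return True
        self.drops.append((port_name, "tx-spoofed-src", pkt))
        return False

    def rx_allowed(self, port_name: str, pkt: Packet) -> bool:
        """Rx filter (delivery to the VM): only addresses this port owns."""
        port = self.ports[port_name]
        if port.trusted or pkt.dst in port.allowed:
            return True
        self.drops.append((port_name, "rx-foreign-dst", pkt))
        return False

    def forward(self, from_port: str, pkt: Packet) -> Optional[str]:
        """Apply the tx filter, find the port owning pkt.dst, apply its rx filter.

        Returns the receiving port name, or None if the packet was dropped."""
        if not self.tx_allowed(from_port, pkt):
            return None
        for name, port in self.ports.items():
            if name != from_port and pkt.dst in port.allowed:
                return name if self.rx_allowed(name, pkt) else None
        self.drops.append((from_port, "no-owner-for-dst", pkt))
        return None


def demo():
    """Run constructed traffic through the model and return (results, drops)."""
    sw = IpRestrictingSwitch()
    sw.add_port("pf", allowed=["10.0.0.1"], trusted=True)   # admin PF
    sw.add_port("vf1", allowed=["10.0.0.11"])                 # tenant VM 1
    sw.add_port("vf2", allowed=["10.0.0.12"])                 # tenant VM 2
    ip = ip_address
    results = {
        # legitimate traffic between two VFs
        "vf1_to_vf2": sw.forward("vf1", Packet(ip("10.0.0.11"), ip("10.0.0.12"))),
        # vf1 using vf2's address as its source: dropped by the tx spoof check
        "vf1_spoofing_vf2": sw.forward("vf1", Packet(ip("10.0.0.12"), ip("10.0.0.1"))),
        # the trusted PF may send from any address
        "pf_any_src": sw.forward("pf", Packet(ip("192.0.2.1"), ip("10.0.0.11"))),
        # destination owned by no port: dropped
        "vf2_unknown_dst": sw.forward("vf2", Packet(ip("10.0.0.12"), ip("10.0.0.99"))),
    }
    return results, [(port, reason) for port, reason, _ in sw.drops]


if __name__ == "__main__":
    res, dropped = demo()
    for k, v in res.items():
        print(f"{k}: {'delivered to ' + v if v else 'dropped'}")
    print("drops:", dropped)
```

The `drops` list is the part a defender would wire to telemetry: a burst of `tx-spoofed-src` drops on one VF is the signal that a tenant is trying to send with another tenant's address, which is exactly the case the thread's background section is concerned with.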