Enable spoofchk control for SR-IOV ports¶
Allow user to control setting of MAC spoof checking for the SR-IOV ports.
Support for SR-IOV ports appeared in Neutron Juno and allows allows VMs to access virtual network via SR-IOV VFs. SR-IOV ports in Linux allow specification of whether source MAC spoof checking should be enabled or disabled for them. This can be done, for example, using the ip-link(8) tool:
ip link set eth0 vf 2 spoofchk off
This command disables spoof checking for Virtual Function 2 on Physical Device ‘eth0’.
This feature is useful for bonding configurations inside guests. For example, MAC spoof checking should be disabled for 802.3ad (Dynamic link aggregation) bonds. Please see the ‘Configuring QoS Features with Intel Flexible Port Partitioning’ whitepaper for more details, link is available in the ‘References’ section.
The proposal is to leverage the port security extension. Specifically, for ‘direct’ types of ports port_security_enabled = False would mean that spoof checking should be disabled.
Actual setting for the VF will be done by the sriovnicagent using the ip-link(8) tool.
Default value for the spoof checking will be enabled, so the change will not affect a default behavior.
Data Model Impact¶
REST API Impact¶
That could have a security impact if user disables spoof checking for a specific port, however it is expected and user can manually decide if that’s applicable for his configuration.
As spoof checking is enabled by default, there would be no security impact with the default setting.
Other End User Impact¶
And user will have a facility to control spoof checking settings on specific Neutron ports.
- python-neutronclient does not need to be modified
It’ll have a slight impact on the sriovagent as it’ll have to run one more external command (ip-link(8)).
Other Deployer Impact¶
This changes has not been discussed so far.
Another possible way of providing control to user is to introduce a dedicated attribute for spoof checking instead of ‘port_security_enabled’ from the portsecurity extension. It could be named ‘spoofchk’ and be placed either into portsecurity extension or into portbindings extension.
- Primary assignee:
- Modify sriovagent to be able to enable or disable spoof checking based on user setting
- Verify on API level and in binding handling routines that sriovagent is not disabled as it being turned off would not allow to meet user’s expectation.
Tempest tests are not planned currently as SR-IOV hardware is not always available. 3rd party CI testing could be considered, though probably the feature is relatively minor for that.
API tests would be added to cover specifics of port_security for ‘direct’ type of ports.
User documentation will be updated with information about spoof checking control for ‘direct’ ports and its security considerations.