Intel is not alone in considering enabling this a security risk. As I've said, if you and your company want to assume the security risk, you are by all means able to do it. You should do it if it makes sense for you. Having the ability to enable it allows for misconfigurations opening the security holes for users that might not be as experienced as they should be. This has been discussed a lot here and even with some customers of the virtualization technologies and the outcome was that the risk is too high to give the ability to enable generically.
If you want to do this in your product you are by no means prevented from doing so. I've been saying this all along.

Cheers,
John

> -----Original Message-----
> From: Stephen Hemminger [mailto:[email protected]]
> Sent: Thursday, August 05, 2010 3:28 PM
> To: Ronciak, John
> Cc: Julian Stecklina; [email protected]
> Subject: Re: [E1000-devel] igbvf doesn't support promiscuous mode?
>
> On Thu, 5 Aug 2010 15:04:14 -0700
> "Ronciak, John" <[email protected]> wrote:
>
> > Sorry, typo in the message. Should be:
> > So the long story short is that we will _not_ be considering adding
> > support for this due to the security risks that this would enable. I
> > hope you can see the issues involved for us.
>
> I don't like vendors making security choices for users. It seems to me
> like health and safety regulations on cars.
>
> In a virtual environment, promiscuous mode should be under control of
> the hypervisor. If the HV wants to create a VF interface that allows
> promiscuous and give that to a VM, then it should be able to (on a VF
> by VF basis). It shouldn't be up to the Guest VM what the settings of the
> VF are.
>
> It matters to Vyatta, because we have users that deploy with doing
> firewall, bridging, etc in a guest VM. In these cases, it makes sense
> to allow one VF for the virtual router and another VF for other uses
> without promiscuous support.
