Prevent duplicating a host MAC #77
Comments
Hi @dominikholler, thanks for the comment. Right now we don't have that feature in the project.
Do you think it would be a good idea to have it?
@dominikholler I guess the only prevention would be to set the MAC range outside of anything that would be assigned to host's interfaces. The host MAC would likely be the MAC of the physical NIC with a vendor-based prefix. When we generate a random MAC range, we make it locally administered, so it should not collide with any vendored MAC. We could drop all MACs found on the host from the pool, but there can be more devices with MAC addresses on the network. The only solution for this is IMHO setting a proper dedicated range.
Nice approach.
Is there the possibility to create (e.g. custom, imported or vNICs created on another range) MACs outside the range?
We don't limit users from hurting themselves. If somebody explicitly sets a MAC address request, we respect that.
This would mean a user, who is allowed to create a vNIC, is able to kick a host.
That's a good point. The host can be kicked only if the user is given access to the management network. MAC address would not be the only threat in that case, would it? I think that the administrator has to either trust the user not to break the network or put them behind a VLAN. Having a parameter to allow/block custom MAC setting would not hurt though.
Is there a protection to prevent that a MAC address of a (nmstate) managed interface of a physical host is taken by a VM?
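The two checks discussed in the comments above (keeping the pool range locally administered so it cannot overlap vendor-assigned NIC addresses, and spotting host MACs that fall inside the range), as an added example that is not part of the issue thread or the project's code. All function names, the pool range and the host MAC list are constructed for illustration.

```python
# Added example: hypothetical helpers and constructed sample values.
LOCAL_ADMIN_BIT = 0x02  # second-least-significant bit of the first octet
MULTICAST_BIT = 0x01    # least-significant bit of the first octet


def parse_mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' (or '-' separated) into a 48-bit integer."""
    parts = text.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return int("".join(parts), 16)


def is_local_unicast(mac):
    """True if the address is locally administered and not multicast."""
    first_octet = mac >> 40
    return bool(first_octet & LOCAL_ADMIN_BIT) and not first_octet & MULTICAST_BIT


def range_problems(start, end):
    """Return reasons why [start, end] is unsafe as a dedicated pool range."""
    lo, hi = parse_mac(start), parse_mac(end)
    if lo > hi:
        return ["range start is above range end"]
    problems = []
    # Both flag bits live in the first octet, so checking every first octet
    # the range spans covers every address in it.
    octets = range(lo >> 40, (hi >> 40) + 1)
    if any(not o & LOCAL_ADMIN_BIT for o in octets):
        problems.append("range contains universally administered (vendor) MACs")
    if any(o & MULTICAST_BIT for o in octets):
        problems.append("range contains multicast MACs")
    return problems


def host_macs_in_range(start, end, host_macs):
    """Return host MACs that fall inside the pool range, to exclude from it."""
    lo, hi = parse_mac(start), parse_mac(end)
    return [m for m in host_macs if lo <= parse_mac(m) <= hi]


# Constructed sample data: a pool range and MACs seen on one host.
POOL = ("02:00:00:00:00:00", "02:ff:ff:ff:ff:ff")
HOST_MACS = ["52:54:00:12:34:56", "02:00:00:00:00:11", "3c:fd:fe:aa:bb:cc"]

if __name__ == "__main__":
    print(range_problems(*POOL))
    print(host_macs_in_range(*POOL, HOST_MACS))
```

As noted in the thread, a check like this only covers MACs known to the host it runs on; other devices on the same network are not visible to it.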