Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 19 May 2025 10:34:56 +0200
From:      Kristof Provost <kp@FreeBSD.org>
To:        Shawn Webb <shawn.webb@hardenedbsd.org>
Cc:        Mitchell Horne <mhorne@freebsd.org>, Lexi Winter <ivy@freebsd.org>, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject:   Re: git: b61850c4e6f6 - main - bridge(4): default net.link.bridge.member_ifaddrs to false
Message-ID:  <FBBF4097-FC6E-4B9B-B6F6-D7735CE2EAEF@FreeBSD.org>
In-Reply-To: <ujaozh75ualvll62xplvsixea45txr5ms34s3oqgnqe3g4fzcj@rkbwovdqwx57>
References:  <202505150004.54F04FhR046897@gitrepo.freebsd.org> <d839f137-b43b-416b-968f-439301f0a5c6@freebsd.org> <C5E86940-9C1B-428B-980B-693FE92E7AED@FreeBSD.org> <94441836-bb03-4c80-b603-aaa2997c4d29@freebsd.org> <ujaozh75ualvll62xplvsixea45txr5ms34s3oqgnqe3g4fzcj@rkbwovdqwx57>
next in thread | previous in thread | raw e-mail | index | archive | help 

On 18 May 2025, at 22:39, Shawn Webb wrote:
> I wonder if there is any security difference between DHCP on the
> physical interface versus the bridge. Having the bridge grab an IP via
> DHCP (or IPv6 SLAAC/DHCPv6) means that VMs much be trusted. If a VM is
> compromised, a threat actor could redirect traffic on the host by
> running their own DHCP service in the compromised VM.
>
> The question I have, though, is: is this an issue when the physical
> interface is used instead of the bridge for grabbing a dynamic IP?
>
> So, I guess I'm asking, is there any security difference between the
> following two configs:
>
> ==== BEGIN CONFIG 1 ====
> ifconfig_re0="DHCP"
> cloned_interfaces="bridge0 tap0"
> ifconfig_bridge0="addm re0 addm tap0"
> ==== END CONFIG 1 ====
>
> ==== BEGIN CONFIG 2 ====
> ifconfig_re0="up"
> cloned_interfaces="bridge0 tap0"
> ifconfig_bridge0="DHCP addm re0 addm tap0"
> synchronous_dhclient="YES"
> ==== END CONFIG 2 ====
>
I’ve not actually tested it, but given that ether_output() (which is going to be the ifp->if_output for most interfaces) does this: https://cgit.freebsd.org/src/tree/sys/net/if_ethersubr.c#n417
(i.e. it outputs via if_bridge’s code rather than directly) I believe this doesn’t make any difference at all.

—
Kristof

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?FBBF4097-FC6E-4B9B-B6F6-D7735CE2EAEF>