Date:      Mon, 19 May 2025 10:34:56 +0200
From:      Kristof Provost <kp@FreeBSD.org>
To:        Shawn Webb <shawn.webb@hardenedbsd.org>
Cc:        Mitchell Horne <mhorne@freebsd.org>, Lexi Winter <ivy@freebsd.org>, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject:   Re: git: b61850c4e6f6 - main - bridge(4): default net.link.bridge.member_ifaddrs to false
Message-ID:  <FBBF4097-FC6E-4B9B-B6F6-D7735CE2EAEF@FreeBSD.org>
In-Reply-To: <ujaozh75ualvll62xplvsixea45txr5ms34s3oqgnqe3g4fzcj@rkbwovdqwx57>
References:  <202505150004.54F04FhR046897@gitrepo.freebsd.org> <d839f137-b43b-416b-968f-439301f0a5c6@freebsd.org> <C5E86940-9C1B-428B-980B-693FE92E7AED@FreeBSD.org> <94441836-bb03-4c80-b603-aaa2997c4d29@freebsd.org> <ujaozh75ualvll62xplvsixea45txr5ms34s3oqgnqe3g4fzcj@rkbwovdqwx57>

On 18 May 2025, at 22:39, Shawn Webb wrote:
> I wonder if there is any security difference between DHCP on the
> physical interface versus the bridge. Having the bridge grab an IP via
> DHCP (or IPv6 SLAAC/DHCPv6) means that VMs must be trusted. If a VM is
> compromised, a threat actor could redirect traffic on the host by
> running their own DHCP service in the compromised VM.
>
> The question I have, though, is: is this an issue when the physical
> interface is used instead of the bridge for grabbing a dynamic IP?
>
> So, I guess I'm asking, is there any security difference between the
> following two configs:
>
> ==== BEGIN CONFIG 1 ====
> ifconfig_re0="DHCP"
> cloned_interfaces="bridge0 tap0"
> ifconfig_bridge0="addm re0 addm tap0"
> ==== END CONFIG 1 ====
>
> ==== BEGIN CONFIG 2 ====
> ifconfig_re0="up"
> cloned_interfaces="bridge0 tap0"
> ifconfig_bridge0="DHCP addm re0 addm tap0"
> synchronous_dhclient="YES"
> ==== END CONFIG 2 ====
>
I've not actually tested it, but given that ether_output() (which is going to be the ifp->if_output for most interfaces) does this: https://cgit.freebsd.org/src/tree/sys/net/if_ethersubr.c#n417
(i.e. it outputs via if_bridge's code rather than directly) I believe this doesn't make any difference at all.

—
Kristof
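The two rc.conf layouts Shawn quotes differ in one checkable way: in config 1 the bridge member re0 carries its own address configuration, in config 2 only the bridge does. The following POSIX sh script is an added example written for this thread, not code from either poster or from FreeBSD's rc framework; it scans an rc.conf-style file and reports every bridge member that also has a DHCP/inet/inet6 setting of its own, which is the pattern a stricter net.link.bridge.member_ifaddrs default is meant to keep off member interfaces. The sample inputs are constructed copies of the two configs above, and the function names are the script's own.

```sh
#!/bin/sh
# Added example (not from the thread): flag bridge members in an rc.conf-style
# file that also carry their own address configuration.

# Does interface $2 have its own address configuration in rc.conf file $1?
# Checks ifconfig_<if>= and ifconfig_<if>_ipv6= for DHCP/SYNCDHCP/inet/inet6.
iface_has_addr() {
    f=$1; ifn=$2
    lines=$(grep -E "^ifconfig_${ifn}(_ipv6)?=" "$f" || :)
    [ -n "$lines" ] || return 1
    # Drop the variable name and the surrounding quotes, then scan the tokens.
    for t in $(printf '%s\n' "$lines" | sed -e 's/^[^=]*=//' -e 's/"//g'); do
        case $t in
            DHCP|SYNCDHCP|NOSYNCDHCP|inet|inet6) return 0 ;;
        esac
    done
    return 1
}

# Print "<bridge> <member>" for each bridge member that also has its own
# address configuration. Returns 0 when none were found, 1 otherwise.
check_member_ifaddrs() {
    rcfile=$1; found=0
    bridges=$(grep -E '^ifconfig_bridge[0-9]+=' "$rcfile" || :)
    [ -n "$bridges" ] || return 0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        bridge=${line%%=*}; bridge=${bridge#ifconfig_}
        value=${line#*=}; value=${value#\"}; value=${value%\"}
        prev=
        # In "addm <if>" the token after addm names a member interface.
        for tok in $value; do
            if [ "$prev" = addm ] && iface_has_addr "$rcfile" "$tok"; then
                printf '%s %s\n' "$bridge" "$tok"
                found=1
            fi
            prev=$tok
        done
    done <<EOF
$bridges
EOF
    [ "$found" -eq 0 ]
}

# Constructed sample inputs mirroring the two configs quoted in the thread.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
CFG1=$tmpdir/rc.conf.1
CFG2=$tmpdir/rc.conf.2
cat >"$CFG1" <<'EOF'
ifconfig_re0="DHCP"
cloned_interfaces="bridge0 tap0"
ifconfig_bridge0="addm re0 addm tap0"
EOF
cat >"$CFG2" <<'EOF'
ifconfig_re0="up"
cloned_interfaces="bridge0 tap0"
ifconfig_bridge0="DHCP addm re0 addm tap0"
synchronous_dhclient="YES"
EOF

for cfg in "$CFG1" "$CFG2"; do
    if check_member_ifaddrs "$cfg"; then
        echo "$cfg: no bridge member carries its own address"
    else
        echo "$cfg: bridge member(s) above carry their own address"
    fi
done
```

Run it against a copy of /etc/rc.conf to get the same report; a config 1 layout is listed as `bridge0 re0`, a config 2 layout produces no output.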


