1 2 3 Previous Next 30 Replies Latest reply on Feb 26, 2016 1:21 PM by tobyfan

    SR-IOV with ixgbe - spoof packets detected

    shahamf

      Hey All,

       

      I have a VM runs on Cisco server that runs KVM with SR-IOV enabled.

       

      4 VFs are attached to this VM and spoof check is off on all of them.

       

      I still get 'spoofed packets detected' warning all the time

       

                "ixgbe 0000::0c:00.0 eth17: 2 Spoofed packets detected"

       

      I read online that spoof detection is enabled by default (on compilation) on ixgbe driver when SR-IOV is active.

       

      Any idea how to overcome this issue?

       

      If any more information needed please let me know.

       

      Thanks,

      Shaham

        • 1. Re: SR-IOV with ixgbe - spoof packets detected
          vince_intel

          Hi Shaham, please share the ixgbe driver version and network adapter model involved in your setup. In case you're using bonding on the VMs, there's a workaround posted in this thread - Re: Bonding with active-loadbalancing mode on Intel 82599 SRIOV VF within VM. kindly check if it will be helpful.

           

          regards,

          Vince

          • 2. Re: SR-IOV with ixgbe - spoof packets detected
            shahamf

            Hey Vince,

             

            First of all, thanks for the quick response!

             

            My ixgbe driver's version is: 3.15.1-k.

             

            My network adapter is: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection.

             

            In my setup I don't use Bonding, only two VFs of the same PF which are attached to my VM to be used as client & server ports.

             

            Thanks,

            Shaham

            • 3. Re: SR-IOV with ixgbe - spoof packets detected
              Sandy_Intel

              Hi Shaham,

               

              Thank you for providing the details.  I will check on this further.

               

              Sincerely,

               

              Sandy

              • 4. Re: SR-IOV with ixgbe - spoof packets detected
                Sandy_Intel

                Hi Shaham,

                 

                Please refer to the guide below:

                Intel® 82599 SR-IOV Driver Rev 1.00 Driver Companion Guide

                See sections

                7.2 MAC Anti Spoofing

                7.3 VLAN Tag Anti Spoofing

                 

                Feel free to contact us again if you have further questions.

                 

                Sincerely,

                 

                Sandy

                • 5. Re: SR-IOV with ixgbe - spoof packets detected
                  shahamf

                  Hey Sandy,

                   

                  Thanks for the reference. Correct me if I'm wrong but in order to change these MACAS and VLANAS fields (which are mentioned in sections 7.2 & 7.3),

                  one should recompile the driver, right?

                   

                  BTW, when I'm not using VLAN tagging it all works just fine and I suspect that the PF's driver doesn't recognize the VLANs that I defined on the VFs and

                  therefore warns about spoofing.

                   

                  This is my VFs configuration:


                     62: rename62: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000

                           link/ether 00:e0:ed:2c:6c:af brd ff:ff:ff:ff:ff:ff

                           vf 0 MAC 00:00:00:11:11:11, vlan 100, spoof checking off, link-state auto

                           vf 1 MAC 00:00:00:22:22:22, vlan 200, spoof checking off, link-state auto

                           vf 2 MAC 00:00:00:00:00:00, spoof checking off, link-state auto

                           vf 3 MAC 00:00:00:00:00:00, spoof checking off, link-state auto

                   

                  Am I configuring something wrong? Is there a way to make the PF aware of the VLANs defined on the VFs?

                   

                  Thanks,

                  Shaham

                  • 6. Re: SR-IOV with ixgbe - spoof packets detected
                    Sandy_Intel

                    Hi Shaham,

                     

                    Thank you for your updates.  I'll check this and will back with updates.

                     

                    Sincerely,

                     

                    Sandra

                    • 7. Re: SR-IOV with ixgbe - spoof packets detected
                      Sandy_Intel

                      Hi Shaham,

                       

                      Yes,  you are correct. To change the MACAS and VLANAS, it is necessary to recompile the driver.  To further check on your configuration, we would like to request for your system details.  Please provide information below:

                       

                      •Host OS – distro and version number

                      •Host OS dmesg and Linux kernel log

                      •Guest OS- distro and version number

                      •ixgbevf driver version number.

                      •Guest OS dmesg and Linux kernel log

                       

                      Sincerely,

                       

                      Sandy

                      • 8. Re: SR-IOV with ixgbe - spoof packets detected
                        shahamf

                        Hey Sandy,

                         

                        Your quick response is very appreciated!

                         

                        As for the info you requested:

                         

                        1. Host OS:  Ubuntu 14.04.1 LTS

                        2. Guest OS: Ubuntu 12.04.5 LTS

                        3. ixgbevf:  2.11.3-k

                        4. Host & Guest's dmesg & kernel log: http://www.filedropper.com/dmesgkernlog

                         

                        If any more info is needed, please let me know.

                         

                        Thanks,

                        Shaham

                        • 9. Re: SR-IOV with ixgbe - spoof packets detected
                          Sandy_Intel

                          Hi Shaham,

                           

                          Thanks for the details.  We'll check on this.

                           

                          Sincerely,

                           

                          Sandy

                          • 10. Re: SR-IOV with ixgbe - spoof packets detected
                            Sandy_Intel

                            Hi Shaham,

                             

                            Since you are creating VF in the host.  Once the VF’s are created the Host OS loads the ixgbevf driver automatically. 

                            Once the VF driver is loaded in the Host OS it will claim all the VF that it finds on the PCI bus.

                            These VFs are not allowed to be assigned to the VM at this point.

                            So, we believe this is the reason you are experiencing "Spoof Packet Detected” messages.

                             

                            Please follow the procedure below:

                             

                            1. Add “blacklist ixgbevf” to /etc/modprobe.d/blacklist.conf file.

                            2. Load ixgbe driver

                            3. Create VF using pci sysfs interface.

                            4. Assign VF to the VM

                            5. Boot VM

                             

                            This should address Spoof Packet Detection issue.  Please let us know if you need further assistance.

                             

                            Sincerely,

                             

                            Sandy

                            • 11. Re: SR-IOV with ixgbe - spoof packets detected
                              shahamf

                              Hey Sandy,

                               

                              Thanks again for the quick response!

                               

                              I followed the steps mentioned above but yet no luck - I still get spoofed packets.

                               

                              I'll explain exactly what I did step-by-step:

                               

                              1. edited /etc/modprobe.d/blacklist.conf and added at the end-of-file "blacklist ixgbevf".

                               

                              2. rebooted the machine.

                               

                              3. verified ixgbe driver is loaded.


                              4. I ran "echo 2 > /sys/bus/pci/devices/0000\:88\:10.0/sriov_numvfs" in order to create 2 VFs for the eth device I want to use.

                               

                              5. verified the two VFs were actually created, 'lspci | grep Eth' gave the following:

                                            root@laphroaig:~# lspci | grep Eth

                                             02:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)

                                             02:00.1 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)

                                             02:00.2 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)

                                             02:00.3 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)

                                             04:00.0 Ethernet controller: Intel Corporation Ethernet Controller XL710 for 40GbE QSFP+ (rev 01)

                                             04:00.1 Ethernet controller: Intel Corporation Ethernet Controller XL710 for 40GbE QSFP+ (rev 01)

                                             09:00.0 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)

                                             09:00.1 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)

                                             0c:00.0 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)

                                             0c:00.1 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)

                                             85:00.0 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)

                                             85:00.1 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)

                                             88:00.0 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)

                                             88:00.1 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)

                                             88:10.0 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)

                                             88:10.2 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)


                              6. verified ixgbevf driver is not loaded.

                               

                              7. configured VLAN and SPOOF-CHK on the two generated VFs, so 'ip link show' gives the following:

                                            12: eth14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000

                                                link/ether 00:e0:ed:2c:6c:ae brd ff:ff:ff:ff:ff:ff

                                                vf 0 MAC 00:00:00:00:00:00, vlan 100, spoof checking off, link-state auto

                                                vf 1 MAC 00:00:00:00:00:00, vlan 200, spoof checking off, link-state auto


                              8. defined a new VM and attached these two VFs above to it.

                               

                              9. ran this VM and tried to run traffic via it, but still same issue. 'ip link show' now gives the following (MAC addresses were assigned automatically):

                                            12: eth14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000

                                                link/ether 00:e0:ed:2c:6c:ae brd ff:ff:ff:ff:ff:ff

                                                vf 0 MAC 02:09:c0:93:c6:20, vlan 100, spoof checking off, link-state auto

                                                vf 1 MAC 02:09:c0:1c:58:2e, vlan 200, spoof checking off, link-state auto

                               

                              Am I doing something wrong?

                               

                              Thanks a lot for your patience!

                              Shaham

                              • 12. Re: SR-IOV with ixgbe - spoof packets detected
                                wb_Intel

                                HI Shahamf,

                                 

                                    Thank you for the update. Let me check on this.

                                 

                                rgds,

                                wb

                                • 13. Re: SR-IOV with ixgbe - spoof packets detected
                                  shahamf

                                  Hey wb,

                                   

                                  Is there any update?

                                   

                                  Thanks,

                                  Shaham

                                  • 14. Re: SR-IOV with ixgbe - spoof packets detected
                                    Sandy_Intel

                                    Hi Shaham,

                                     

                                    Thanks for writing back.  We are still checking on your configuration.  Rest assured, we'll update you once we find anything.

                                     

                                    Thank you for your patience and understanding.

                                     

                                    Sincerely,

                                     

                                    Sandy

                                    1 2 3 Previous Next