As explained in http://www.mulix.org/pubs/misc/sriovsec-tr.pdf, an attacker that has been assigned a VF of a NIC for its VM can block the network access for all the VMs using a VF of the same card by sending control flow PAUSE commands at the right interval.
The attack is described as hard to detect, easy to implement and absolutely efficient (throughput drops to 0).
A VF of an SR-IOV virtualized NIC can be assigned via PCI aliases or with neutron ports.
I suppose with a VF assigned via a nova pci-passthrough these PAUSE commands would block the network. Would it be the case as well using the neutron port method?
I don't have enough knowledge of neutron's functioning to see if these threats are serious or not, and I do not have the setup to test this myself.
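
As an added illustration (not part of the original report or of the cited paper), this Python sketch shows how a defender could spot a PAUSE flood in captured frames by measuring how long each sender keeps the link paused. It assumes a capture point that exposes MAC control frames (for example a switch mirror port) and a 10 Gb/s link; the MAC addresses, timestamps and the 50% threshold are constructed.

```python
import struct

MAC_CONTROL = 0x8808    # EtherType of IEEE 802.3 MAC control frames
PAUSE_OPCODE = 0x0001   # 802.3x PAUSE
QUANTUM_BITS = 512      # one pause quantum = 512 bit times


def parse_pause(frame: bytes):
    """Return (src_mac, quanta) for an 802.3x PAUSE frame, else None."""
    if len(frame) < 18:
        return None
    ethertype, opcode, quanta = struct.unpack("!HHH", frame[12:18])
    if ethertype != MAC_CONTROL or opcode != PAUSE_OPCODE:
        return None
    return frame[6:12].hex(":"), quanta


def paused_seconds(frames, link_bps):
    """Seconds of pause requested per sender. A new PAUSE frame replaces the
    running timer (quanta 0 resumes traffic), so intervals are merged, not summed."""
    state = {}  # src -> [finished_total, current_start, current_end]
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        hit = parse_pause(raw)
        if hit is None:
            continue
        src, quanta = hit
        end = ts + quanta * QUANTUM_BITS / link_bps
        cur = state.setdefault(src, [0.0, ts, ts])
        if ts <= cur[2]:          # timer still running: restart it
            cur[2] = end
        else:                     # link had resumed: close the old interval
            state[src] = [cur[0] + cur[2] - cur[1], ts, end]
    return {s: total + e - b for s, (total, b, e) in state.items()}


def flag_senders(frames, link_bps, window_s, threshold=0.5):
    """Senders whose PAUSE frames cover at least `threshold` of the window."""
    paused = paused_seconds(frames, link_bps)
    return sorted(s for s, secs in paused.items() if secs / window_s >= threshold)


# Constructed sample capture (not real traffic): (timestamp_s, raw_frame)
FRAME_A = bytes.fromhex("0180c2000001 0200000000aa 8808 0001 ffff") + bytes(42)
FRAME_B = bytes.fromhex("0180c2000001 0200000000bb 8808 0001 0064") + bytes(42)
FRAME_IP = bytes.fromhex("0200000000cc 0200000000aa 0800") + bytes(46)
SAMPLE = [(i * 0.003, FRAME_A) for i in range(10)] + [(0.001, FRAME_B), (0.002, FRAME_IP)]

if __name__ == "__main__":
    print(flag_senders(SAMPLE, link_bps=10e9, window_s=0.030))
```

A single PAUSE frame during ordinary congestion covers only a tiny fraction of the window, while a sender that renews the timer before it expires covers all of it.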