[dpdk-dev] SR-IOV - Spoofed packets detected on Intel Corporation 82599EB 2-port 10G NIC Card

Edison So edison.so2 at gmail.com
Tue May 8 15:16:53 CEST 2018


Hello,

I have a question about disabling the anti-MAC spoofing feature on the Intel
82599EB 2-port 10G NIC Card.

Below is the description of the issue.

*DPDK Version*

17.02

*Background*

1.    I installed ESXi 6.5 on a Dell PowerEdge R630 with a 2-port 82599EB
10G NIC.

2.    I installed two CentOS 7 VMware VMs with DPDK.

*DPDK Verification*

On each VM running DPDK, I checked:

./dpdk-devbind.py --status

Network devices using DPDK-compatible driver
============================================
*0000:0b:00.0 '82599 Ethernet Controller Virtual Function' drv=igb_uio unused=*

Network devices using kernel driver
===================================
0000:13:00.0 'VMXNET3 Ethernet Controller' if=eno33559296 drv=vmxnet3 unused=igb_uio *Active*

Other network devices
=====================
<none>

Crypto devices using DPDK-compatible driver
===========================================
<none>

Crypto devices using kernel driver
==================================
<none>

Other crypto devices
====================
<none>

On the VM, I used testpmd to disable MAC anti-spoofing and got an error:

testpmd> set vf mac antispoof 0 0 off
function not implemented
testpmd>



*SR-IOV Configuration on ESXi for each VM*

1.    I am using SR-IOV on the NIC ports. On each of the VMs, I created a
new network adapter on the first VM as follows with *one* Virtual Function.

A.    Network Adapter 1: *10G port group 1*

-  Adapter Type: *SR-IOV passthrough*
-  Physical function: *82599EB 10-Gigabit SFI/SFP+ Network Connection - 0000:82:00.0*
-  MAC Address: *Automatic*
-  Guest OS MTU Change: *Disallow*

2.    On top of the creation of the new adapter, I also reserved some
memory as required by SR-IOV.

3.    I did the same on the second VM.

B.    Network Adapter 1: *10G port group 2*

-  Adapter Type: *SR-IOV passthrough*
-  Physical function: *82599EB 10-Gigabit SFI/SFP+ Network Connection - 0000:82:00.1*
-  MAC Address: *Automatic*
-  Guest OS MTU Change: *Disallow*

4.    Of course, each 10G port group is linked to a standard virtual group
which in turn is linked to an 82599EB 10G port (Uplink Port).

*Traffic Generation*

1.    I have a PCAP file which has packets with different MAC addresses
than the DPDK interface on the first VM.

2.    I generated constant traffic from the first VM to the second VM
using the PCAP file and none was received on the second VM.

3.    I sshed to the ESXi host and ran *dmesg* and got the following error
messages repeatedly:

*2018-05-04T23:39:00.679Z cpu31:66145)<4>ixgbe 0000:82:00.0: vmnic4: 512 Spoofed packets detected*

4.    I googled this error and have somewhat concluded that this error may
have something to do with the *MAC Spoofing* feature on the 82599EB 10G NIC
card. How do I disable it?

5.    The 82599EB 10G NIC card using *esxcli* (on ESXi host) displays the
following information:



[root@vm:/vmfs/volumes/5acbc358-de2034d6-5472-90e2bac73ffc/VM1] *esxcli network nic get -n vmnic4*
   Advertised Auto Negotiation: true
   Advertised Link Modes: 1000BaseT/Full, 10000BaseT/Full
   Auto Negotiation: true
   Cable Type: FIBRE
   Current Message Level: 7
   Driver Info:
         Bus Info: 0000:82:00.0
         Driver: ixgbe
         Firmware Version: 0x61bd0001
         Version: 3.7.13.7.14iov-NAPI
   Link Detected: true
   Link Status: Up
   Name: vmnic4
   PHYAddress: 0
   Pause Autonegotiate: true
   Pause RX: true
   Pause TX: true
   Supported Ports: FIBRE
   Supports Auto Negotiation: true
   Supports Pause: true
   Supports Wakeon: false
   Transceiver: external
   Virtual Address: 00:50:56:55:91:0c
   Wakeon: None



*Questions*

1. Is MAC anti-spoofing supported in DPDK version 17.02? If not, which
version supports MAC anti-spoofing? If supported, how can I disable it?

2. How do I determine the port id and vf id?


Your help is greatly appreciated.
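
An added example, not part of the original post: a Python parser that totals the ixgbe "Spoofed packets detected" messages quoted above per physical function, so a host log can be checked for which uplink is dropping VF traffic. The sample lines, vmnic5, the function name and the threshold are constructed assumptions; only the first sample line's format comes from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the vmkernel message format quoted in the post, e.g.
# ...Z cpu31:66145)<4>ixgbe 0000:82:00.0: vmnic4: 512 Spoofed packets detected
SPOOF_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+)Z\s+\S+\)<\d+>ixgbe\s+"
    r"(?P<pci>[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.\d):\s+"
    r"(?P<nic>\w+):\s+(?P<count>\d+)\s+Spoofed packets detected"
)

# Constructed sample input: line 1 is the message from the post, the rest
# are made up in the same format (including one unrelated ixgbe message).
SAMPLE_LOG = """\
2018-05-04T23:39:00.679Z cpu31:66145)<4>ixgbe 0000:82:00.0: vmnic4: 512 Spoofed packets detected
2018-05-04T23:39:01.100Z cpu12:65801)<6>ixgbe 0000:82:00.1: vmnic5: NIC Link is Up 10 Gbps
2018-05-04T23:39:02.681Z cpu31:66145)<4>ixgbe 0000:82:00.0: vmnic4: 498 Spoofed packets detected
2018-05-04T23:39:04.690Z cpu07:66145)<4>ixgbe 0000:82:00.1: vmnic5: 3 Spoofed packets detected
"""


def summarize_spoof_events(log_text, threshold=100):
    """Total spoofed-packet counts per (PCI address, vmnic).

    Returns only interfaces whose total reaches `threshold` packets
    (hypothetical default), with event count and first/last timestamps.
    """
    stats = defaultdict(
        lambda: {"events": 0, "packets": 0, "first": None, "last": None}
    )
    for line in log_text.splitlines():
        m = SPOOF_RE.search(line)
        if not m:
            continue  # not a spoof-check message
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
        s = stats[(m["pci"], m["nic"])]
        s["events"] += 1
        s["packets"] += int(m["count"])
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return {k: v for k, v in stats.items() if v["packets"] >= threshold}


if __name__ == "__main__":
    for (pci, nic), s in summarize_spoof_events(SAMPLE_LOG).items():
        print(f"{nic} ({pci}): {s['packets']} spoofed packets in "
              f"{s['events']} events, {s['first']} to {s['last']}")
```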

