Intel Malicious Driver Detection (MDD) Event (i40en)

Recent ESXi versions recommend using Native drivers rather than Legacy drivers, and the next numbered release is expected to drop Legacy driver support altogether.

The driver used by Intel X710 and similar cards is Intel i40en, and versions before 1.5.8 have a problem known as MDD (Malicious Driver Detection).

It shows up in the vmkernel log like the lines below. The problem is that once this symptom appears, the VMs on that host lose network connectivity.

2018-04-27T03:35:12.402Z cpu35:66238)i40en: i40en_HandleMddEvent:6969: Malicious Driver Detection event 0x02 on TX queue 0 PF number 0x00 VF number 0x00
2018-04-23T10:14:59.747Z cpu49:66236)i40en: i40en_HandleMddEvent:6969: Malicious Driver Detection event 0x02 on TX queue 0 PF number 0x00 VF number 0x00
2018-04-27T03:35:51.928Z cpu9:66238)i40en: i40en_HandleMddEvent:6969: Malicious Driver Detection event 0x02 on TX queue 0 PF number 0x00 VF number 0x00
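As an added example (not part of the original post, and not Intel or VMware tooling), here is a small POSIX shell/awk script that triages these messages in an exported vmkernel.log. It pulls the event code, direction, queue, PF number and VF number out of every i40en_HandleMddEvent line, then counts events per PF/VF pair and flags any pair that has reached four events, the count at which the driver release notes further down say a VF's adapter is disabled. The embedded sample log is constructed: the three lines above, four hypothetical events for a second PF/VF pair, and one unrelated hostd line. The script does not try to decide from the numbers alone whether the PF driver or a VM's VF driver was the source; the function names mdd_events and mdd_summary and the MDD_VF_LIMIT setting are mine.

```shell
#!/bin/sh
# i40en MDD event triage for an ESXi vmkernel.log (added example, not part of
# the original post or of Intel/VMware tooling). Assumes the message format
# shown in the post:
#   <ts> cpuN:PID)i40en: i40en_HandleMddEvent:NNNN: Malicious Driver Detection
#   event 0xEE on TX queue Q PF number 0xPP VF number 0xVV

# Constructed sample log: the three lines from the post, four hypothetical
# events for a second PF/VF pair, and one unrelated line that must be ignored.
SAMPLE_LOG='2018-04-27T03:35:12.402Z cpu35:66238)i40en: i40en_HandleMddEvent:6969: Malicious Driver Detection event 0x02 on TX queue 0 PF number 0x00 VF number 0x00
2018-04-23T10:14:59.747Z cpu49:66236)i40en: i40en_HandleMddEvent:6969: Malicious Driver Detection event 0x02 on TX queue 0 PF number 0x00 VF number 0x00
2018-04-27T03:35:51.928Z cpu9:66238)i40en: i40en_HandleMddEvent:6969: Malicious Driver Detection event 0x02 on TX queue 0 PF number 0x00 VF number 0x00
2018-04-27T04:01:10.000Z cpu12:66238)i40en: i40en_HandleMddEvent:6969: Malicious Driver Detection event 0x02 on TX queue 3 PF number 0x01 VF number 0x05
2018-04-27T04:01:12.000Z cpu12:66238)i40en: i40en_HandleMddEvent:6969: Malicious Driver Detection event 0x02 on TX queue 3 PF number 0x01 VF number 0x05
2018-04-27T04:01:15.000Z cpu12:66238)i40en: i40en_HandleMddEvent:6969: Malicious Driver Detection event 0x02 on TX queue 3 PF number 0x01 VF number 0x05
2018-04-27T04:01:20.000Z cpu12:66238)i40en: i40en_HandleMddEvent:6969: Malicious Driver Detection event 0x02 on TX queue 3 PF number 0x01 VF number 0x05
2018-04-27T04:02:00.000Z cpu3:66238)hostd: unrelated line that must be ignored'

# Number of events after which the release notes say a VF is disabled.
MDD_VF_LIMIT=4

# mdd_events: read a vmkernel.log on stdin and print one record per MDD event:
#   <timestamp> event=<hex> dir=<TX|RX> queue=<n> pf=<hex> vf=<hex>
mdd_events() {
    awk '
        /i40en_HandleMddEvent/ && /Malicious Driver Detection event/ {
            ts = $1; ev = dir = q = pf = vf = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "event") ev = $(i + 1)
                if ($i == "queue") { dir = $(i - 1); q = $(i + 1) }
                if ($i == "PF")    pf = $(i + 2)   # "PF number 0xNN"
                if ($i == "VF")    vf = $(i + 2)   # "VF number 0xNN"
            }
            printf "%s event=%s dir=%s queue=%s pf=%s vf=%s\n", ts, ev, dir, q, pf, vf
        }'
}

# mdd_summary: count events per PF/VF pair (the "source" the driver reacts to),
# keep the earliest and latest timestamp for each, and flag pairs that have
# reached MDD_VF_LIMIT. ISO-8601 timestamps compare correctly as strings.
mdd_summary() {
    mdd_events | awk -v limit="$MDD_VF_LIMIT" '
        {
            split($5, p, "="); split($6, v, "=")
            key = p[2] "/" v[2]
            n[key]++
            if (!(key in first) || $1 < first[key]) first[key] = $1
            if (!(key in last)  || $1 > last[key])  last[key]  = $1
        }
        END {
            for (k in n) {
                flag = (n[k] >= limit) ? " ALERT:limit-reached" : ""
                printf "source=%s count=%d first=%s last=%s%s\n", k, n[k], first[k], last[k], flag
            }
        }' | sort
}

# Usage: sh mdd_triage.sh /var/log/vmkernel.log   (no argument: run on the sample)
if [ $# -gt 0 ]; then
    cat "$@" | mdd_summary
else
    printf '%s\n' "$SAMPLE_LOG" | mdd_summary
fi
```

Run it on the host as `sh mdd_triage.sh /var/log/vmkernel.log`, or point it at logs collected by syslog; with no argument it runs on the embedded sample. A PF/VF pair whose count keeps climbing on the same queue is the host about to lose connectivity, and the first/last timestamps give you the window to correlate with VM network-loss reports.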


Until now the fix for this problem was only available in ESXi 6.7, with no corresponding fix for ESXi 6.0/6.5, but a short while ago Intel released i40en version 1.7.11. It appears to fix mainly the MDD issue and an LLDP agent issue. The release notes are as follows.

  • Malicious Driver Detection (MDD)
    • Malicious Driver Detection feature protects NIC from malformed packets or any other hostile actions which may be performed by drivers operating with the NIC (accidentally or deliberately)
    • In case of detecting Malicious Driver event, driver reacts in below ways:
      •  if the source of the MDD event was i40en driver (Physical Function [PF] driver), hardware is reset;
      •  if the source of the MDD event was Virtual Machine’s SR-IOV driver (Virtual Function [VF] driver), suspected VF is disabled after 4th such event – malicious VM SR-IOV adapter becomes unavailable. To bring it back, VM reboot or VF driver reload is required.
  • LLDP Agent
    • Link Layer Discovery Protocol (LLDP) supports Intel X710 and XL710 adapters with FW 6.0 and later
      as well as X722 adapters with FW 3.10 and later.
    • Set LLDP driver load param to allow or disallow LLDP frames forwarded to the network stack
      • LLDP agent is enabled in firmware by default (Default FW setting)
      • Set LLDP=0 to disable LLDP agent in firmware
      • Set LLDP=1 to enable LLDP agent in firmware
      • Set LLDP to anything other than 0 or 1 will fall back to the default setting (LLDP enabled in firmware)
      • LLDP agent is always enabled in firmware when MFP (Multi Functional Port, i.e. NPAR) is enabled, regardless of the driver parameter LLDP setting.
    • When the LLDP agent is enabled in firmware, the ESXi OS will not receive LLDP frames and Link Layer
      Discovery Protocol information will not be available on the physical adapter inside ESXi.
    • Please note that the LLDP driver module parameter is an array of values. Each value represents LLDP agent setting for a physical port.
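Because the LLDP parameter is an array with one value per port, and any value other than 0 or 1 silently reverts to the firmware default (agent enabled, ESXi sees no LLDP frames), it is worth validating the values before handing them to esxcli. The script below is an added example, not from the post or from Intel/VMware; it assumes the parameter semantics quoted above and the standard `esxcli system module parameters set` / `list` commands, and the function names lldp_param and lldp_apply are mine.

```shell
#!/bin/sh
# Setting the i40en LLDP module parameter on an ESXi host (added example, not
# from the original post, Intel or VMware). Assumes the semantics in the 1.7.11
# release note: one 0/1 value per physical port; anything else falls back to
# the default of "LLDP agent enabled in firmware".

# lldp_param: build "LLDP=v1,v2,..." from one value per physical port.
# Rejects anything that is not exactly 0 or 1, because a stray "2" or "off"
# does not disable anything: the driver falls back to the default and the
# firmware agent keeps swallowing LLDP frames before ESXi can see them.
lldp_param() {
    out=""
    for v in "$@"; do
        case "$v" in
            0|1) ;;
            *) echo "lldp_param: port value '$v' is not 0 or 1 (would fall back to the firmware default)" >&2
               return 1 ;;
        esac
        out="${out:+$out,}$v"
    done
    if [ -z "$out" ]; then
        echo "lldp_param: need one value per physical port" >&2
        return 1
    fi
    echo "LLDP=$out"
}

# lldp_apply: validate, set the parameter, then read it back from the module.
# The new value takes effect on the next driver load, in practice a host reboot.
lldp_apply() {
    param="$(lldp_param "$@")" || return 1
    esxcli system module parameters set -m i40en -p "$param" || return 1
    esxcli system module parameters list -m i40en | grep -i 'LLDP'
}

# Example: a four-port X710 where ESXi, not the firmware, should receive LLDP
# on every port. Only runs when invoked as "sh i40en_lldp.sh apply 0 0 0 0" on
# an ESXi host; sourcing or running the file without "apply" changes nothing.
if [ "${1:-}" = "apply" ]; then
    shift
    lldp_apply "$@"
fi
```

`lldp_param 0 0 0 0` yields `LLDP=0,0,0,0`, which disables the firmware agent on all four ports so that ESXi itself receives the LLDP frames; `lldp_apply` runs the esxcli set and reads the value back, and the setting takes effect after the driver is reloaded (a host reboot). Keep the caveat from the notes in mind: with MFP/NPAR enabled, the firmware agent stays on regardless of this parameter.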

Please do upgrade the driver. It really is critical.

Download link: https://my.vmware.com/web/vmware/details?downloadGroup=DT-ESXI60-INTEL-I40EN-1711&productId=491
