
Re: [Xen-API] CP-3477: Make xapi listen on all dom0 IP addresses

  • To: 'Rushikesh Jadhav' <2rushikeshj@xxxxxxxxx>
  • From: Rob Hoes <Rob.Hoes@xxxxxxxxxx>
  • Date: Fri, 21 Jun 2013 10:35:26 +0000
  • Accept-language: en-GB, en-US
  • Cc: "xen-api@xxxxxxxxxxxxx" <xen-api@xxxxxxxxxxxxx>
  • Delivery-date: Fri, 21 Jun 2013 10:35:39 +0000
  • List-id: User and development list for XCP and XAPI <xen-api.lists.xen.org>
  • Thread-index: AQHObgls4pwn7emBy0CUhhi3LqHEepk/8riA
  • Thread-topic: CP-3477: Make xapi listen on all dom0 IP addresses

Hi Rushikesh,


You’re right that, since XCP1.6, xapi listens on all IP addresses. We made this change to simplify the HTTP server in xapi. Making it independent of a particular IP address meant that we no longer need to restart the HTTP server when the management IP is configured or changes, which is something that got a lot more complex when we added experimental IPv6 support last year.


It is still the case that only the interface that is designated to be the management interface is used for management traffic inside a pool.


Xapi now does the same thing as other common services, such as sshd, which also listen on all IP addresses. If you want to further restrict access, I think it is best to use iptables rules to block traffic to ports 80 and 443 on the non-management IPs. Also note that people need to authenticate with xapi before they can do anything.


Could you describe your security issue in a bit more detail? What is your reason for having multiple IP addresses on dom0? Is there anything/anyone on those networks that cannot be trusted?





From: Rushikesh Jadhav [mailto:2rushikeshj@xxxxxxxxx]
Sent: 20 June 2013 11:56 PM
To: xen-api@xxxxxxxxxxxxx
Cc: Rob Hoes
Subject: CP-3477: Make xapi listen on all dom0 IP addresses


Hi All & Rob,


I think there is a security issue where XAPI is exposed on all available interfaces as well as all IPs of dom0. Currently XCP1.6 xapi listens on all IPs. Default XCP1.1 used the correct interface and IP.


What alternative does one have if he wants to make XAPI listen only on the management network, since the management network is created for such a purpose?


For now, I have patched the xapissl from init.d to make it listen only on MANAGEMENT_INTERFACE ip.
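The iptables approach Rob suggests, as an added example that is not part of this thread and not code from the xapi project: it allows TCP 80 and 443 only when the destination is the dom0 management IP (plus loopback) and resets connections to those ports on any other local address. It assumes the management interface name can be read from the MANAGEMENT_INTERFACE entry in /etc/xensource-inventory (the variable the original poster refers to), that iproute2's `ip` is available to look up its IPv4 address, and that inserting at the head of the INPUT chain with `-I` is acceptable on the host; the inventory file used when testing is constructed.

```shell
#!/bin/sh
# Added example, not code from the xen-api thread or the xapi project.
# Restrict xapi's TCP ports 80 and 443 to the dom0 management IP with iptables.
# Assumptions: MANAGEMENT_INTERFACE in /etc/xensource-inventory names the
# management interface, and `ip` (iproute2) reports its IPv4 address.

XAPI_PORTS="80 443"

# Print the bare value of MANAGEMENT_INTERFACE='xenbr0' from an inventory file.
mgmt_iface_from_inventory() {
    grep '^MANAGEMENT_INTERFACE=' "$1" | cut -d= -f2 | tr -d "'\""
}

# First IPv4 address configured on the given interface (needs iproute2).
mgmt_ip_of() {
    ip -4 -o addr show dev "$1" | awk '{print $4}' | cut -d/ -f1 | head -n 1
}

# Print the iptables commands for a given management IP. Because every rule is
# inserted at the head of INPUT with -I, the REJECT for a port is printed first
# so that the ACCEPT printed after it ends up above the REJECT. The loopback
# ACCEPT is printed last so it sits at the very top of the chain.
xapi_port_rules() {
    mgmt_ip="$1"
    for port in $XAPI_PORTS; do
        echo "iptables -I INPUT -p tcp --dport $port -j REJECT --reject-with tcp-reset"
        echo "iptables -I INPUT -p tcp --dport $port -d $mgmt_ip -j ACCEPT"
    done
    echo "iptables -I INPUT -i lo -j ACCEPT"
}

# "show" prints the rules for this host, "apply" runs them; no argument does nothing.
main() {
    iface=$(mgmt_iface_from_inventory /etc/xensource-inventory)
    [ -n "$iface" ] || { echo "no MANAGEMENT_INTERFACE in inventory" >&2; return 1; }
    mgmt_ip=$(mgmt_ip_of "$iface")
    [ -n "$mgmt_ip" ] || { echo "no IPv4 address on $iface" >&2; return 1; }
    if [ "$1" = "apply" ]; then
        xapi_port_rules "$mgmt_ip" | sh -e
    else
        xapi_port_rules "$mgmt_ip"
    fi
}

case "${1:-}" in
    show|apply) main "$1" ;;
esac
```

Run it with `show` first to inspect the generated rules, then `apply`; the rules are not persisted across reboots, so add them to whatever the host uses to restore its firewall. Note that this only filters the ports; it does not change what xapi binds to, and the management IP itself stays reachable from anything routed to it.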


