
Re: [Xen-devel] Successful IPv6 Xen Deployment; Protection Against IPv4 ARP Poisoning Attacks


  • To: xen-devel@xxxxxxxxxxxxxxxxxxx
  • From: "Teck Choon Giam" <giamteckchoon@xxxxxxxxx>
  • Date: Sat, 11 Oct 2008 02:19:32 +0800
  • Delivery-date: Fri, 10 Oct 2008 11:19:55 -0700
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>

On Fri, Oct 10, 2008 at 4:09 AM, Cory Von Wallenstein
<cvonwallenstein@xxxxxxxxxxx> wrote:
> I apologize folks for not getting back to the list in a timely manner. Alas,
> duty called.

No apology is needed.  Greatly appreciate your sharing/contribution :)

> I've put together a guide, as well as my patches, for:
>
> a) Getting IPv6 anti-spoofing to work.
> b) Preventing ARP poisoning attacks that can bring down IPv4 communication on 
> a subnet.
> c) Preventing IPv4 packet sniffing.
>
> The guide walking through the "method to my madness" is on my engineering 
> blog:
>
> http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/

Nice blog, and many thanks for your effort in putting up such an
informative blog related to Xen.

>
> The modified networking scripts are vif-common.sh, vif-bridge, and 
> network-bridge. Diffs are attached. By no means do I consider these "THE 
> answer", but have worked well for what we have in the field, and I welcome 
> suggestions for improvements.

I have a suggestion, since I just tried your patches on one of my test
servers.  All my servers have at least two NICs and run xen-3.3.0.  I
found that domU can't be started, and when I checked
/var/log/xen/xen-hotplug.log it showed the following:

/etc/xen/scripts/vif-common.sh: line 261: [: : unary operator expected
Nothing to flush.
cat: /etc/xen/domU.cfg: No such file or directory
Nothing to flush.
/etc/xen/scripts/vif-common.sh: line 261: [: : unary operator expected
Nothing to flush.
Nothing to flush.
cat: /etc/xen/domU.cfg: No such file or directory
/etc/xen/scripts/vif-common.sh: line 261: [: : unary operator expected

So in vif-common.sh I changed your line below:

DOMU_CONFIG=`cat /etc/xen/${DOMU_NAME}.cfg`

to:

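# Accept config files named with or without the .cfg extension.
if [ -f "/etc/xen/${DOMU_NAME}" ] ; then
    DOMU_CONFIG=`cat "/etc/xen/${DOMU_NAME}"`
elif [ -f "/etc/xen/${DOMU_NAME}.cfg" ] ; then
    DOMU_CONFIG=`cat "/etc/xen/${DOMU_NAME}.cfg"`
else
    # No config file found: leave the variable empty.
    DOMU_CONFIG=""
fi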

After the above changes, I am able to start my domU as normal.  I am
using /etc/xen/${DOMU_NAME}, without the .cfg extension, for my domU
config files.

Once again, thanks.

Kindest regards,
Giam Teck Choon

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
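
The config lookup discussed in the message above, written as a reusable function. This is an added example, not part of the posted patches or of the Xen scripts; `read_domu_config` and `XEN_CONFIG_DIR` are hypothetical names. It goes slightly beyond the posted fix by rejecting domU names that would resolve outside the config directory and by returning a status the hotplug script can act on.

```shell
#!/bin/sh
# Added example: look up a domU config file with or without ".cfg".
# XEN_CONFIG_DIR is a hypothetical override; the scripts in the thread
# use /etc/xen directly.
XEN_CONFIG_DIR="${XEN_CONFIG_DIR:-/etc/xen}"

# Print the config for domU "$1", trying "<name>" and then "<name>.cfg".
# Returns 0 on success, 1 if no config file exists, 2 if the name is unsafe.
read_domu_config() {
    name="$1"
    # Reject empty names and names that could leave the config directory.
    case "$name" in
        ""|.|..|*/*) return 2 ;;
    esac
    for candidate in "$XEN_CONFIG_DIR/$name" "$XEN_CONFIG_DIR/$name.cfg"; do
        if [ -f "$candidate" ]; then
            cat -- "$candidate"
            return 0
        fi
    done
    return 1
}
```

A caller can use `DOMU_CONFIG=$(read_domu_config "$DOMU_NAME") || exit 1` to stop before any filtering rules are built from an empty config.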