Re: [Xen-users] Xen with 'Routing' scripts
On Friday, 15.04.2005, 14:59 +0200, Roland Paterson-Jones wrote:
> Nils, thanks for the great response.
>
> Some more details: we have a network of dom-0's that will host a number
> of dom-U's.
>
> We need dynamic addressing, so proxy-arp sounds the simplest for us
> (simpler than full-on routing, that is).

Maybe not: at least the dom0 needs hostroutes for the domUs it is
hosting onto the vif* devices. Otherwise it won't proxyarp.

> Bridging is not so nice cos it exposes ethernet to the (untrusted) dom-U's.

Not really. In _all_ cases you want to do some [ip|arp|eb]tables stuff
to filter traffic. Nowadays with CONFIG_BRIDGE_NETFILTER filtering and
routing/bridging is almost independent. Whatever topology you take you
can encapsulate the domUs.

> We can't use NAT cos we want the dom-U's to be externally addressable.

Would still be possible with DNAT (for example any dom0 hosting n domUs
needs n+1 IPs, n of them DNATed), but that would be _really_ _ugly_!
You are right not to do that ;)

> Something I'm still unclear on - we don't want to reserve dom-U
> addresses for each dom-0 (it'll be wasteful), so we want dom-U to use
> DHCP. But then we've got to do DHCP relaying in dom-0, I think, and
> capture the dom-U IP address, unless there's a better way.

dhcrelay(8) is your friend, but indeed dom0 must somehow be informed
about the combination IP-address/virtual-interface (and if you want
filtering: MAC) to set the hostroute. And that hostroute has to be
deleted when the domU shuts down ... so:

(a) turn on a RIP/OSPF routing daemon on all domUs and all dom0s
(b) or: patch dhcrelay to set the hostroute (but on shutdown?)
(c) or: dom0 catches dhcp traffic on vif* devices and parses it

(a) is overkill and insecure, (b) & (c) are evil & ugly!

> Another thing that's confusing me is that I expect there should be a
> left-hand (dom-0) and right-hand (dom-U) address for each of the vif's
> in routing mode, but I see only the one address in the scripts.

That's ok.

There are again two possibilities (at least):

* the vif* are up, the corresponding domU-eth0 have IPs in the same
  subnet, dom0 has hostroutes for those domU-IPs onto the according
  vif*. In this case, it does not matter if the vif* have an IP at all.
  dom0 has proxy-arp activated.

* each dom0-vif/domU-eth0 pair is configured in a different
  transport-subnet, eg vif1.0=192.168.1.1/30, eth0(dom1)=192.168.1.2/30,
  vif2.0=192.168.1.5/30, eth0(dom2)=192.168.1.6/30

I don't know what the xend routing scripts actually do. You may fire up
two domUs and send me the output of "/sbin/ip addr" and "/sbin/ip route"
then I'll tell.

> I hope this makes sense - as you might have noticed I'm approaching this
> from first principles. I'm sure I'll get there in the end :(

To sum it up: You are trying to set up a more complex scenario, several
dom0s hosting different numbers of domU. But you do not want to reserve
IP prefixes to dom0s.

My strong recommendation: BRIDGING + fixed MAC/IP pairs + ebtables
filtering those pairs. You may use dhcp if you do not want to configure
each domU. The MAC/IP pairing could be algorithmic like IP=o1.o2.o3.o4
==> MAC=FE:00:o1:o2:o3:o4 (this time in hex).

Everything else (like proxyarp + dhcrelay) will get too fast too
complex. For example you could do dhcp & real dynamic routing, but then
every domU has to run a routing daemon announcing its IP, so a malicious
domU could redirect all traffic to itself. Or you have to do some evil
hack to pass routing information from dhcp to the dom0s.

Just my 2c.

/nils.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
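The following script is an added example, not code from the thread or from the Xen scripts. It turns Nils' two concrete suggestions into reviewable commands: the algorithmic IP-to-MAC pairing (IP=o1.o2.o3.o4 ==> MAC=FE:00:o1:o2:o3:o4) with the ebtables rules that pin one domU's vif to exactly that MAC/IP pair, and, for his first proxy-ARP layout, the per-domU host route onto the vif. The chain name `FORWARD`, the vif names, the `eth0` uplink and the sample address 10.0.0.5 are assumptions of this example; the functions only print the commands so a dom0 administrator can inspect them before applying them.

```shell
#!/bin/sh
# Added example for the Xen-users thread above (not the project's code).
# All commands are printed, never executed.

# IP=o1.o2.o3.o4 ==> MAC=FE:00:o1:o2:o3:o4, octets rendered in hex.
# Rejects anything that is not a dotted quad of plain decimal octets
# (leading zeros are refused so printf cannot read them as octal).
ip_to_mac() {
    ip="$1"
    oldifs="$IFS"; IFS=.
    set -- $ip                      # split on '.' into $1..$4
    IFS="$oldifs"
    [ $# -eq 4 ] || { echo "bad IPv4 address: $ip" >&2; return 1; }
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*|0?*) echo "bad octet: $o" >&2; return 1 ;;
        esac
        [ "$o" -le 255 ] || { echo "bad octet: $o" >&2; return 1; }
    done
    printf 'FE:00:%02X:%02X:%02X:%02X\n' "$1" "$2" "$3" "$4"
}

# Bridging layout: ebtables rules that drop every frame leaving $vif
# whose source MAC, IPv4 source or ARP sender fields do not match the
# fixed pair. Chain FORWARD is an assumption (bridged traffic in the
# filter table); adjust to the chain your dom0 bridge actually uses.
pin_vif() {
    vif="$1"; ip="$2"
    mac="$(ip_to_mac "$ip")" || return 1
    cat <<EOF
ebtables -A FORWARD -i $vif -s ! $mac -j DROP
ebtables -A FORWARD -i $vif -p IPv4 --ip-src ! $ip -j DROP
ebtables -A FORWARD -i $vif -p ARP --arp-ip-src ! $ip -j DROP
ebtables -A FORWARD -i $vif -p ARP --arp-mac-src ! $mac -j DROP
EOF
}

# Proxy-ARP layout (Nils' first possibility): host route for the domU
# address onto its vif, proxy ARP answered on the upstream NIC.
# The default uplink name eth0 is an assumption.
proxyarp_route() {
    vif="$1"; ip="$2"; uplink="${3:-eth0}"
    cat <<EOF
ip route add $ip/32 dev $vif
sysctl -w net.ipv4.conf.$uplink.proxy_arp=1
EOF
}

# Demo with a constructed pair: domU on vif1.0 holding 10.0.0.5.
echo "# bridging + ebtables pinning"
pin_vif vif1.0 10.0.0.5
echo "# proxy-ARP alternative"
proxyarp_route vif1.0 10.0.0.5
```

Because both generators derive the MAC from the address, the dom0 never has to learn the pair from DHCP traffic: whichever address the domU is assigned, the only frames allowed out of its vif are the ones carrying the matching MAC, IPv4 source and ARP sender fields, which is what stops a misbehaving domU from claiming a neighbour's address on the bridge.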