[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Xen with 'Routing' scripts

Am Freitag, den 15.04.2005, 14:59 +0200 schrieb Roland Paterson-Jones:
> Nils, thanks for the great response.
> Some more details: we have a network of dom-0's that will host a number 
> of dom-U's.
> We need dynamic addressing, so proxy-arp sounds the simplest for us 
> (simpler than full-on routing, that is).

Maybe not: at least the dom0 needs hostroutes for the domUs it is
hosting onto the vif* devices. Otherwise it won't proxyarp.

> Bridging is not so nice cos it exposes ethernet to the (untrusted) dom-U's.

Not really. In _all_ cases you want to do some [ip|arp|eb]tables stuff
to filter traffic. Nowadays with CONFIG_BRIDGE_NETFILTER filtering and
routing/bridging is almost independant. Whatever topology you take you
can encapsulate the domUs.

> We can't use NAT cos we want the dom-U's to be externally addressable.

Would still be possible with DNAT (for example any dom0 hosting n domUs
needs n+1 IPs, n of them DNATed), but that would be _really_ _ugly_! You
are right not to do that ;)

> Something I'm still unclear on - we don't want to reserve dom-U 
> addresses for each dom-0 (it'll be wasteful), so we want dom-U to use 
> DHCP. But then we've got to do DHCP relaying in dom-0, I think, and 
> capture the dom-U IP address, unless there's a better way.

dhcrelay(8) is your friend, but indeed dom0 must somehow be informed
about the combination IP-adress/virtual-interface (and if you want
filtering: MAC) to set the hostroute. And that hostroute has to be
deleted when the domU shuts down ... so:

  (a) turn on a RIP/OSPF routing daemon on all domUs and all dom0s
  (b) or: patch dhcrelay to set the hostroute (but on shutdown?)
  (c) or: dom0 catches dhcp traffic on vif* devices and parses it

(a) is overkill and insecure, (b) & (c) are evel & ugly!

> Another thing that's confusing me is that I expect there should be a 
> left-hand (dom-0) and right-hand (dom-U) address for each of the vif's 
> in routing mode, but I see only the one address in the scripts.

That's ok. There are again two possibilities (at least): 

* the vif* are up, the corrosponding domU-eth0 have IPs in the same
  subnet, dom0 has hostroutes for those domU-IPs onto the according
  vif*. In this case, it does not matter if the vif* have an IP at all.
  dom0 has proxy-arp activated.

* each dom0-vif/domU-eth0 pair is configured in a different transport-
  subnet, eg vif1.0=, eth0(dom1)=,
  vif2.0=, eth0(dom2)=

I don't know what the xend routing scripts actually do. You may fire up
two domUs and send me the output of "/sbin/ip addr" and "/sbin/ip route"
then i'll tell.

> I hope this makes sense - as you might have noticed I'm approaching this 
> from first principles. I'm sure I'll get there in the end :(

To sum it up: You are trying to set up a more complex scenario, several
dom0s hosting different numbers of domU. But you do not want to reserve
IP prefixes to dom0s. My strong recommendation: BRIDGING + fixed MAC/IP
pairs + ebtables filtering those pairs. You may use dhcp if you do not
want to configure each domU. The MAC/IP pairing could be algorithmical
like IP=o1.o2.o3.o4 ==> MAC=FE:00:o1:o2:o3:o4 (this time in hex).

Everthing else (like proxyarp + dhcrelay) will get too fast too complex.
For example you could do dhcp & real dynamic routing, but then every
domU has to run a routing daemon announcing its IP, so a malicious domU
could redirect all traffic to itself. Or you have to do some evil hack
to pass routing information from dhcp to the dom0s.

Just my 2c. /nils.

Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.