Re: [Xen-users] Xen with 'Routing' scripts
Nils Toedtmann wrote:

> > Can we ensure that dom-U is not sending ethernet packets with fake destination mac addresses if we're using bridging? Bridging is not so nice cos it exposes ethernet to the (untrusted) dom-U's.
>
> Not really. In _all_ cases you want to do some [ip|arp|eb]tables stuff to filter traffic. Nowadays with CONFIG_BRIDGE_NETFILTER filtering and routing/bridging is almost independent. Whatever topology you take you can encapsulate the domUs.

How do we prevent a dom-U filling up our LAN with bogus ethernet addresses? I guess we want to restrict the dom-U to IP packets with IP/MAC pairs that match previous ARP results. Can ebtables in dom-0 filter this accurately?

> > Actually I have played with such an algorithmic MAC/IP pairing in a prototype. But then the aim was to specify the MAC address in the Xen config for the dom-U, let the dom-U use DHCP, and ensure that the DHCP mapped the MAC to the corresponding IP address, all in order that I knew the IP address of the dom-U up front (but let the dom-U use DHCP rather than static for more flexibility etc.).
>
> To sum it up: You are trying to set up a more complex scenario, several dom0s hosting different numbers of domUs. But you do not want to reserve IP prefixes to dom0s. My strong recommendation: BRIDGING + fixed MAC/IP pairs + ebtables filtering those pairs. You may use DHCP if you do not want to configure each domU. The MAC/IP pairing could be algorithmic like IP=o1.o2.o3.o4 ==> MAC=FE:00:o1:o2:o3:o4 (this time in hex).

Bridging is definitely easier to manage than routing. However, given that I'm paranoid about untrusted dom-U's, how can we prevent dom-U's from abusing the ethernet network? Also, there will be more ARP'ing with bridging, since all the dom-U's will ARP independently (can we short-circuit ARP responses in dom-0?).

Thanks again for your detailed help.

Roland

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
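As an added illustration of the "fixed MAC/IP pairs + ebtables" approach discussed above (this is not code from the thread or from Xen), the script below derives the algorithmic MAC FE:00:o1:o2:o3:o4 from a domU's IPv4 address and prints the dom0 ebtables rules that pin that domU's vif to the pair, dropping spoofed source MACs, spoofed ARP sender fields and spoofed IP source addresses. The interface name vif1.0 and the address 10.1.2.3 are constructed sample values.

```shell
#!/bin/sh
# Added example: pin a domU's backend interface in dom0 to one MAC/IP pair.
# The rules are only printed (dry run); pipe the output into sh as root to apply.

ip_to_mac() {
    # $1: dotted-quad IPv4 address (octets without leading zeros)
    # prints FE:00:o1:o2:o3:o4 with the octets rendered in hex
    set -- $(echo "$1" | tr '.' ' ')
    printf 'FE:00:%02X:%02X:%02X:%02X\n' "$1" "$2" "$3" "$4"
}

pin_rules() {
    # $1: the domU's vif as seen in dom0 (constructed sample: vif1.0)
    # $2: the domU's fixed IPv4 address (constructed sample: 10.1.2.3)
    vif=$1
    ip=$2
    mac=$(ip_to_mac "$ip")
    cat <<EOF
ebtables -N pin-$vif
# frames from this vif, whether bridged on or delivered to dom0, go through the chain
ebtables -A FORWARD -i $vif -j pin-$vif
ebtables -A INPUT -i $vif -j pin-$vif
# layer 2: the source MAC must be the one assigned to this domU
ebtables -A pin-$vif -s ! $mac -j DROP
# ARP: sender hardware and protocol addresses must both match the pair
ebtables -A pin-$vif -p ARP --arp-mac-src $mac --arp-ip-src $ip -j ACCEPT
# IPv4: the source address must be the assigned one
ebtables -A pin-$vif -p IPv4 --ip-src $ip -j ACCEPT
# anything else (other ethertypes, mismatched ARP or IP) is dropped
ebtables -A pin-$vif -j DROP
EOF
}

pin_rules vif1.0 10.1.2.3
```

Run with the domU's real vif name and address to get the rule set for that guest; one such chain per vif keeps the pairs independent.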