
Re: [Xen-users] Xen with 'Routing' scripts

  • To: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: Roland Paterson-Jones <roland@xxxxxxxxxxxx>
  • Date: Sun, 17 Apr 2005 17:56:01 +0200
  • Delivery-date: Sun, 17 Apr 2005 15:55:22 +0000
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Nils Toedtmann wrote:

>> Bridging is not so nice cos it exposes ethernet to the (untrusted) dom-U's.
>
> Not really. In _all_ cases you want to do some [ip|arp|eb]tables stuff
> to filter traffic. Nowadays with CONFIG_BRIDGE_NETFILTER filtering and
> routing/bridging is almost independent. Whatever topology you take you
> can encapsulate the domUs.

Can we ensure that dom-U is not sending ethernet packets with fake destination mac addresses if we're using bridging?

How do we prevent a dom-U filling up our LAN with bogus ethernet addresses?

I guess we want to restrict the dom-U to IP packets with IP/MAC pairs that match previous ARP results. Can ebtables in dom-0 filter this accurately?

> To sum it up: You are trying to set up a more complex scenario, several
> dom0s hosting different numbers of domU. But you do not want to reserve
> IP prefixes to dom0s. My strong recommendation: BRIDGING + fixed MAC/IP
> pairs + ebtables filtering those pairs. You may use dhcp if you do not
> want to configure each domU. The MAC/IP pairing could be algorithmical
> like IP=o1.o2.o3.o4 ==> MAC=FE:00:o1:o2:o3:o4 (this time in hex).

Actually I have played with such an algorithmic MAC/IP pairing in a prototype. But then the aim was to specify the MAC address in the Xen config for the dom-U, let the dom-U use DHCP, and ensure that the DHCP mapped the MAC to the corresponding IP address, all in order that I knew the IP address of the dom-U up front (but let the dom-U use DHCP rather than static for more flexibility etc.).

Bridging is definitely easier to manage than routing. However, given that I'm paranoid about untrusted dom-U's, how can we prevent dom-U's from abusing the ethernet network?

Also, there will be more ARP'ing with bridging, since all the dom-U's will ARP independently (can we short-circuit ARP responses in dom-0?).

Thanks again for your detailed help.
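As an added illustration of the "fixed MAC/IP pairs + ebtables" approach discussed above (example script, not code from either poster or from Xen): it derives the algorithmic MAC from the domU's IP (IP=o1.o2.o3.o4 ==> MAC=FE:00:o1:o2:o3:o4) and prints dom0 ebtables rules that accept only frames from the domU's vif whose source MAC, source IP and ARP sender fields match that pair, dropping everything else. The vif name `vif1.0` and the address 10.1.2.3 are assumed sample values; the rules pin source addresses only and do not address the destination-MAC question.

```shell
#!/bin/sh
# Example only; not part of the original thread. Prints ebtables rules for
# dom0 rather than applying them: run as root on dom0 and pipe to sh.

ip_to_mac() {
    # $1 = dotted-quad IPv4 without leading zeros; prints FE:00:xx:xx:xx:xx
    set -- $(printf '%s' "$1" | tr . ' ')
    printf 'FE:00:%02X:%02X:%02X:%02X\n' "$1" "$2" "$3" "$4"
}

domu_rules() {
    # $1 = domU vif as seen in dom0 (e.g. vif1.0), $2 = the domU's assigned IPv4
    vif=$1
    ip=$2
    mac=$(ip_to_mac "$ip")
    chain="domu_$(printf '%s' "$vif" | tr . _)"   # ebtables chain per domU
    cat <<EOF
ebtables -N $chain 2>/dev/null || ebtables -F $chain
# frames from the domU must carry its assigned source MAC
ebtables -A $chain -s ! $mac -j DROP
# IPv4 traffic must use the assigned source IP
ebtables -A $chain -p IPv4 --ip-src $ip -j ACCEPT
# ARP sender hardware/protocol addresses must match the pair (no ARP spoofing)
ebtables -A $chain -p ARP --arp-mac-src $mac --arp-ip-src $ip -j ACCEPT
# anything else (other IPs, other ethertypes) is dropped
ebtables -A $chain -j DROP
# hook the chain for frames entering dom0's bridge from this vif
ebtables -A FORWARD -i $vif -j $chain
EOF
}

# usage: ./domu-rules.sh vif1.0 10.1.2.3 | sh   (sample values)
if [ $# -eq 2 ]; then
    domu_rules "$1" "$2"
fi
```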
