[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Xen with 'Routing' scripts

To: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
From: Roland Paterson-Jones <roland@xxxxxxxxxxxx>
Date: Sun, 17 Apr 2005 17:56:01 +0200
Delivery-date: Sun, 17 Apr 2005 15:55:22 +0000
List-id: Xen user discussion <xen-users.lists.xensource.com>



Nils Toedtmann wrote:

Bridging is not so nice cos it exposes ethernet to the (untrusted) dom-U's.


Not really. In _all_ cases you want to do some [ip|arp|eb]tables stuff
to filter traffic. Nowadays with CONFIG_BRIDGE_NETFILTER filtering and
routing/bridging is almost independant. Whatever topology you take you
can encapsulate the domUs.

Can we ensure that dom-U is not sending ethernet packets with fakedestination mac addresses if we're using bridging?


How do we prevent a dom-U filling up our LAN with bogus ethernet addresses?

I guess we want to restrict the dom-U to IP packets with IP/MAC pairsthat match previous ARP results. Can ebtables in dom-0 filter thisaccurately?

To sum it up: You are trying to set up a more complex scenario, several
dom0s hosting different numbers of domU. But you do not want to reserve
IP prefixes to dom0s. My strong recommendation: BRIDGING + fixed MAC/IP
pairs + ebtables filtering those pairs. You may use dhcp if you do not
want to configure each domU. The MAC/IP pairing could be algorithmical
like IP=o1.o2.o3.o4 ==> MAC=FE:00:o1:o2:o3:o4 (this time in hex).

Actually I have played with such an algorithmic MAC/IP pairing in aprototype. But then the aim was to specify the MAC address in the Xenconfig for the dom-U, let the dom-U use DHCP, and ensure that the DHCPmapped the MAC to the corresponding IP address, all in order that I knewthe IP address of the dom-U up front (but let the dom-U use DHCP ratherthan static for more flexibility etc.).

Bridging is definitely easier to manage than routing. However, giventhat I'm paranoid about untrusted dom-U's, how can we prevent dom-U'sfrom abusing the ethernet network?

Also, there will be more ARP'ing with bridging, since all the dom-U'swill ARP independently (can we short-circuit ARP responses in dom-0?).


Thanks again for your detailed help.
Roland



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

References:
- [Xen-users] Xen with 'Routing' scripts
  - From: Roland Paterson-Jones
- Re: [Xen-users] Xen with 'Routing' scripts
  - From: Roland Paterson-Jones
- Re: [Xen-users] Xen with 'Routing' scripts
  - From: Nils Toedtmann

Prev by Date: Re: [Xen-users] xend startup problem (xen 2.0.5)
Next by Date: RE: [Xen-users] Xen with 'Routing' scripts
Previous by thread: Re: [Xen-users] Xen with 'Routing' scripts
Next by thread: RE: [Xen-users] Xen with 'Routing' scripts
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.