
Re: [Xen-users] Networking privacy and DomU



On Monday, 9 January 2006 21:56, John A. Sullivan III wrote:
> On Mon, 2006-01-09 at 16:31 +0100, Martin Dziobek wrote:
> > Hello All,
> >
> > I'm not seeing the wood for trees ...
> >
> > In Xen 3.0 with standard setup (1 Dom 0, several
> > Dom U),how can I prevent a DomU from reading
> > the other DomUs network traffic with a sniffer ?
> > Can I use bridging at all ?
>
> <snip>
> That's a very interesting question.  I have not explored this in any
> detail but, it seems to me upon casual observation, that a domU cannot
> put the hardware NIC into promiscuous mode.  I have tried to do this
> when troubleshooting various network problems.  I have launched tcpdump
> in a domU and it does not appear to see all traffic -- only traffic
> destined for the domU address.
>
> Again, I did not try to work around it or even completely confirm that
> was the case but it is my casual observation.  Perhaps since it is
> indeed a bridge, it is like plugging a protocol analyzer into a switch
> port -- one only sees broadcast traffic and the unicast traffic for that
> port.  I suppose one could use arp poisoning to see other traffic but
> that would be true of any switch - John

A multiport bridge is a switch, at least that was what I was told in 
school ;-P

A bridge isn't like a hub, a bridge knows which MAC belongs to which port in 
the bridge. If traffic for MAC A arrives at one end of the bridge, the bridge 
will forward it only to the correct port (as long as it knows on which port 
MAC A is). So tcpdumping (even in promisc mode) isn't working here really, 
because you will only see your own traffic + broadcast traffic like ARP 
requests and so on. Promisc mode only works on hubs and other dumb network 
equipment.

If you want to see traffic that doesn't belong to your own port then you have 
to do ARP poisoning or stuff like that. But this is an attack that works on 
every switch. You can protect yourself only with VLANs (often used in bigger 
switched networks) or with MAC filtering via firewall (iptables or ebtables, I 
am not quite sure what is used here).

But that is theory, I never tried whether you can change your own MAC in a 
domainU or if this isn't allowed. If it is allowed, then a firewall that only 
allows the correct MAC for each bridge port should be enough to protect you.

Otherwise use the routing mode, because there aren't any of these 
security-related problems at all, but then you will not be able to migrate 
your domains to another Xen host.

--Ralph
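The two points in Ralph's reply (a learning bridge forwards known unicast to one port only, so a promiscuous domU sees just its own traffic plus floods; and pinning one MAC per bridge port is what a firewall-based defence has to enforce) can be checked in a small model. The following is an added example written for this thread, not code from Xen or from either poster; the port names (vif1.0, vif2.0, vif3.0), the MAC addresses and the choice of the ebtables FORWARD chain are constructed assumptions for the simulation, and the ebtables commands are only rendered as strings, never executed.

```python
# Added example for the Xen-users thread above (not Xen's code nor the
# authors'): a learning-bridge model showing why a promiscuous port only
# sees its own unicast plus flooded frames, and how pinning one MAC per
# port stops a source-MAC spoof from redirecting other ports' traffic.
# Port names and MACs below are constructed for the simulation.

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed topology: three guest ports on one bridge, one MAC each.
MAC_A, MAC_B, MAC_C = "00:16:3e:00:00:0a", "00:16:3e:00:00:0b", "00:16:3e:00:00:0c"
PORTS = {"vif1.0": MAC_A, "vif2.0": MAC_B, "vif3.0": MAC_C}


class LearningBridge:
    """Minimal model of a transparent bridge's forwarding database (FDB)."""

    def __init__(self, ports, pinned=None):
        self.ports = list(ports)
        self.fdb = {}                 # MAC -> port it was last seen on
        self.pinned = pinned or {}    # port -> the only source MAC allowed
        self.dropped = []             # (port, src, dst) rejected at ingress

    def forward(self, in_port, src, dst):
        """Process one frame; return the set of egress ports it is sent out of."""
        src, dst = src.lower(), dst.lower()
        # Ingress MAC filter: what a per-vif ebtables/iptables rule would do.
        if in_port in self.pinned and self.pinned[in_port] != src:
            self.dropped.append((in_port, src, dst))
            return set()
        self.fdb[src] = in_port       # learn which port src lives behind
        if dst == BROADCAST or dst not in self.fdb:
            return {p for p in self.ports if p != in_port}   # flood
        out = self.fdb[dst]
        return set() if out == in_port else {out}


def seen_by(bridge, port, frames):
    """Replay frames and return those that reach `port` (a promiscuous sniffer)."""
    return [f for f in frames if port in bridge.forward(*f)]


def sniffer_visibility():
    """Destinations of the frames vif3.0 sees while A and B talk: only the flood."""
    br = LearningBridge(PORTS)
    frames = [
        ("vif1.0", MAC_A, BROADCAST),  # A's ARP request: flooded to every port
        ("vif2.0", MAC_B, MAC_A),      # B's reply: A already learned, unicast only
        ("vif1.0", MAC_A, MAC_B),      # A -> B data: B learned, unicast only
    ]
    return [f[2] for f in seen_by(br, "vif3.0", frames)]


def table_poisoned_after_spoof(pin_macs):
    """Does a frame from vif3.0 with A's source MAC redirect B->A traffic to vif3.0?"""
    pinned = dict(PORTS) if pin_macs else None
    br = LearningBridge(PORTS, pinned)
    br.forward("vif1.0", MAC_A, BROADCAST)       # legitimate: A learned on vif1.0
    br.forward("vif3.0", MAC_A, BROADCAST)       # forged source MAC from vif3.0
    egress = br.forward("vif2.0", MAC_B, MAC_A)  # B answers A
    return "vif3.0" in egress


def ebtables_rules(pinned):
    """Render per-port pinning as classic ebtables commands (strings only)."""
    # Assumption: bridged domU-to-domU frames traverse the FORWARD chain;
    # the rule drops any frame entering a vif with a source MAC other than its own.
    return [f"ebtables -A FORWARD -i {port} -s ! {mac} -j DROP"
            for port, mac in sorted(pinned.items())]


if __name__ == "__main__":
    print("sniffer on vif3.0 sees destinations:", sniffer_visibility())
    print("FDB poisoned without pinning:", table_poisoned_after_spoof(False))
    print("FDB poisoned with pinning:", table_poisoned_after_spoof(True))
    print("\n".join(ebtables_rules(PORTS)))
```

Without pinning the forged frame rewrites the bridge's table entry for A and B's reply is delivered to the wrong port; with one MAC pinned per vif the frame is dropped at ingress and the table is untouched, which is the property the firewall rules have to guarantee for every port of the bridge.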

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users