Re: [Xen-users] Dom-U config: whats the role of vif - IP
I forgot to mention, this is only useful when used in conjunction with
antispoof, or something else (custom shorewall setups / etc) running on
dom-0 that are smart enough to handle it. No "magic" happens within Xen
itself to prevent this just because the variables are specified.

I need to start paying attention to list netiquette and stop assuming
everyone knows I'm alluding to a utility that I didn't bother to mention
in my reply (shorewall / iptables).

Sorry about the double reply and quotes :)

-Tim

On Mon, 2006-09-25 at 00:52 +0800, Tim Post wrote:
> This is really a big issue for people such as web hosting providers who
> will be giving 'untrusted' root access to dom-u's to the general public.
>
> VPS servers are a very popular choice for those who purchase hosting
> services with less than honorable intentions.
>
> Since many do set up their networks for ease of administration (meaning,
> whatever dom-u broadcasts an IP on a subnet that knows about it, owns
> it) this allows one dom-u to 'hijack' the IP of another and use it for
> abusive activity, intercept traffic, etc.
>
> If you have only 'trusted' root users on your dom-u's and don't run
> insecure public services from them, it's pretty safe to just leave things
> easy and do your networking at the dom-u end.
>
> Depending on the quality of the network feeding your bridges (if using
> them), you may find it handy to specify a mac address in both the xen
> configuration and dom-u network init scripts.
>
> So there really isn't a right or wrong answer.. other than be sure
> allowing dom-u's to bring up their own IPs fits your security model :)
>
> HTH,
> -Tim
>
> On Fri, 2006-09-22 at 11:52 +0200, Christoph Purrucker wrote:
> > Hello,
> >
> > in the example configuration-files I always read, that I've to add an
> > IP-Address if I don't have a DHCPd running. I'm running in bridge-mode.
> > For example:
> >
> > vif = ['ip=192.168.5.99']
> >
> > But I don't want to configure the IP-Address in a config-file on Dom-0;
> > the Admin of the Dom-U should do that with Dom-U's ifconfig (or Debian's
> > /etc/network/interfaces). I started several Dom-Us with
> >
> > vif = ['']
> >
> > and it seems, that they run quite fine with a locally configured
> > interface. And further on, if I change the above vif = ['ip=192.168.5.99']
> > to any other IP, the Dom-U is still reachable under its locally
> > configured IP (and not under the new one in the config-file) after
> > rebooting the Dom-U.
> >
> > So what's the sense of the above parameter?
> >
> > cu cp
> >
> > _______________________________________________
> > Xen-users mailing list
> > Xen-users@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/xen-users
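
The point made in the reply above, as an added example (not code from the thread or from Xen): a small auditor that reads the `vif` line of a domU config and emits dom-0 iptables rules pinning each interface to its declared address, reporting any interface without `ip=` as unenforceable. The interface names `vif1.0`/`vif2.0`, the MAC address, and a default-DROP FORWARD chain that sees bridged traffic are assumptions.

```python
import ast
import ipaddress
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")

def parse_vifs(cfg_text):
    """Parse the vif list of an xm-style domU config (Python syntax) into dicts."""
    for node in ast.parse(cfg_text).body:
        if isinstance(node, ast.Assign) and any(
                isinstance(t, ast.Name) and t.id == "vif" for t in node.targets):
            vifs = []
            for spec in ast.literal_eval(node.value):
                pairs = (p.split("=", 1) for p in spec.split(",") if "=" in p)
                vifs.append({k.strip(): v.strip() for k, v in pairs})
            return vifs
    return []

def antispoof_rules(ifname, vif):
    """Return iptables commands pinning ifname to its ip= list, or None if unset."""
    if "ip" not in vif:
        return None
    match = f"-m physdev --physdev-in {ifname}"
    if "mac" in vif:
        if not MAC_RE.fullmatch(vif["mac"]):
            raise ValueError(f"bad mac: {vif['mac']!r}")
        match += f" -m mac --mac-source {vif['mac']}"
    return [f"iptables -A FORWARD {match} -s {ipaddress.ip_address(a)} -j ACCEPT"
            for a in vif["ip"].split()]  # ip_address() rejects non-addresses

def audit(cfg_text, ifnames):
    """Return (rules, unpinned interface names) for one domU config."""
    rules, unpinned = [], []
    for ifname, vif in zip(ifnames, parse_vifs(cfg_text)):
        found = antispoof_rules(ifname, vif)
        if found is None:
            unpinned.append(ifname)
        else:
            rules.extend(found)
    return rules, unpinned

# Constructed sample configs; the IP is the one quoted in the thread.
PINNED = "vif = ['ip=192.168.5.99, mac=00:16:3e:00:00:01']\n"
OPEN = "vif = ['']\n"

if __name__ == "__main__":
    print("iptables -P FORWARD DROP")  # default deny, then per-vif accepts
    for cfg, name in ((PINNED, "vif1.0"), (OPEN, "vif2.0")):
        print(audit(cfg, [name]))
```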