[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Xen bridge allows to sniff traffic destined to other domUs in same dom0

>>> On 2013/01/14 at 13:21, Peter Viskup <skupko.sk@xxxxxxxxx> wrote: 
> On 01/14/2013 12:21 PM, Sherin George wrote:
>> Hi Guys,
>> I am working as syadmin for a hosting company.
>> Recently one of our customers came to me saying that he can view
>> traffic not destined to his VPS(domU) which are not broadcast.
>> I created a test VPS(domU) in the hardware node(dom0) and found that
>> what customer claimed may be correct.
>> I did tcpdump in my tes VPS testvps.example.com and I could see
>> traffic as customer explained. So I think my customer was true about
>> what he said.
>> I tried to access the website customer-website.net hosted in the
>> customer VPS server1.customer-server.net( Then I logged
>> into testvps.example.com&  checked tcpdump. I found that traffic from
>> my office IP to server1.customer-website.net server is
>> showing in testvps.example.com.
>> ==========================
>> 336630167 2230533262>
>> 07:10:38.479684 IP> . ack 8368 win 454
>> 07:10:38.482157 IP> P
>> 1960:2456(496) ack 8368 win 454
>> 07:10:38.520554 IP> . ack 8093 win 408
>> 07:10:38.522452 IP> P
>> 1493:1990(497) ack 8169 win 408
>> 07:10:38.637627 IP> . ack 9827 win 454
>> 07:10:38.643413 IP> . ack 11167 win 499
>> 07:10:38.704186 IP> . ack 7627 win 363
>> 07:10:38.744250 IP> . ack 7954 win 408
>> ==========================
>> I was under the impression that domU(VPS) will get only broadcast
>> traffic other than packets actually destined to them. Bridge is
>> supposed to send packets to MAC address than broadcasting. So, this
>> behavior is interesting, something that need to be investigated
>> further and may be fixed if possible.
>> Could anyone please provide any insight into what might be happening ?
>> Note: I replaced actual IP addresses for privacy
>> Thanks in advance.
>> Sherin
> Hi Sherin,
> all that is just expected and it just shows that your bridge is working 
> correctly.
> Once you are interested in reading about Linux bridging read some of these:
>   - http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
>   - 
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/htm
> l/Deployment_Guide/s2-networkscripts-interfaces_network-bridge.html
>   - http://wiki.debian.org/BridgeNetworkConnections
> You didn't mentioned what OS do you use for dom0, but I anticipate it is 
> Linux.
> In that case the ebtables should help you to secure your network 
> environment and restrict the packet flow only to the interfaces they are 
> related to.

You could also look into setting up and using Open-vSwitch, instead of the 
built-in bridge.  It should act more like a switch and isolate traffic.  In 
addition, it provides a lot of other features that are useful in virtual 
environments and is fast become the default for many cloud hosting systems (XCP 
and XenServer, particularly).


This e-mail may contain confidential and privileged material for the sole use 
of the intended recipient.  If this email is not intended for you, or you are 
not responsible for the delivery of this message to the intended recipient, 
please note that this message may contain SEAKR Engineering (SEAKR) 
Privileged/Proprietary Information.  In such a case, you are strictly 
prohibited from downloading, photocopying, distributing or otherwise using this 
message, its contents or attachments in any way.  If you have received this 
message in error, please notify us immediately by replying to this e-mail and 
delete the message from your mailbox.  Information contained in this message 
that does not relate to the business of SEAKR is neither endorsed by nor 
attributable to SEAKR.

Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.