This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-API] XCP antispoofing patch [v2]

To: xen-api@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-API] XCP antispoofing patch [v2]
From: George Shuklin <george.shuklin@xxxxxxxxx>
Date: Fri, 23 Sep 2011 19:44:59 +0400
Good day, everyone.

This patch controls the usage of IPv4 addresses of virtual machines. It must
be applied to all hosts of the pool and requires the /usr/bin/get_ip script. This
behaviour differs from the last time I posted an earlier version of the patch.

The script shall accept the UUID of a VIF and return either an IP address or nothing. It
shall never freeze or output any kind of error messages.

Here is a sample of output:

$ get_ip 48b541ae-1403-ddbb-4122-868c816cbec5
$ get_ip 9ade74b4-87b0-97b5-e02c-5d8d870438bd
$ get_ip somerandominput


* Now works fine with trunk VLANs (thanks to Ben Pfaff)
* Now clearly eliminates all unauthorised traffic, including the
wrong ARP announcements (thanks to Alexandre Bezroutchko for correct ARP
* Fixed rules non-removal on a multi-homed VM (two VIFs per one VM caused
the second set of rules not to be removed)


We disallow 'collision detection' ARP requests and DHCP requests. If you
need them - you need to create separate rules. Also, this patch 


1) This patch is against XCP 1.0; when XCP 1.1 is released, I will post
an adapted version.
2) Put the get_ip script in /usr/bin on every host in the pool, see notes
above. You need to create this script yourself. The simplest one (from a config
file) will look like:
grep "$1" /etc/xensource/ip.conf | awk '{print $2}'
Our script uses an external database to get the IP.
3) Check that this script works fine without the normal PATH environment.
Note: if get_ip freezes or produces an error, VMs will not start, even those
which have no IP restriction.
4) Log in to the host via ssh, download/copy the script locally.
5) Make a backup copy.
5) Apply the patch: patch -b -p0 <antispoofing.v2.patch
6) Repeat step 6 on every host in the pool.
7) Restart/migrate every machine that needs to be protected.

1) Urgent rule cleaning can be done:
a) with ovs-ofctl del-flows "in_port=2" (=3, =4 and so on).
b) by replacing /usr/bin/get_ip with a symlink to /bin/true and
remigrating/rebooting every affected VM
2) Permanent removal can be done by moving
/etc/xensource/script/vif.orig back to /etc/xensource.script/vif

Rules can be seen by typing ovs-ofctl dump-flows xenbr0 (xenbr1 and so
on, depending on your network configuration; for pure virtual networks the
interface is xapi0, xapi1,...).

PS Glad to hear some comments.

Attachment: antispoofing.v2.patch
Description: Text Data
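
The contract the message sets out for get_ip (one VIF UUID in, an IP address or nothing out, no error output, no hangs, no reliance on PATH), written as an added example that is not part of the original message or the attached patch. It assumes the "<uuid> <ip>" line format implied by the grep/awk one-liner; GET_IP_CONF is a hypothetical override used only for testing.

```shell
#!/bin/sh
# Added example, not the author's script: a file-backed /usr/bin/get_ip.
# Assumed line format, taken from the grep/awk one-liner: "<vif-uuid> <ipv4>"
# Constructed sample lines for ip.conf:
#   48b541ae-1403-ddbb-4122-868c816cbec5 10.0.0.5
#   9ade74b4-87b0-97b5-e02c-5d8d870438bd 10.0.0.6
PATH=/bin:/usr/bin; export PATH   # the message asks that it work without a normal PATH

get_ip() {
    # GET_IP_CONF is a hypothetical override so the lookup can be tested.
    conf=${GET_IP_CONF:-/etc/xensource/ip.conf}

    # Accept only an 8-4-4-4-12 string of hex digits and dashes. Empty or
    # free-form input returns nothing instead of reaching the matcher.
    case $1 in
        ????????-????-????-????-????????????) ;;
        *) return 0 ;;
    esac
    case $1 in
        *[!0-9a-fA-F-]*) return 0 ;;
    esac

    # Missing or unreadable file: print nothing, no error text.
    [ -r "$conf" ] || return 0

    # Exact match on field 1 (grep would also match substrings), first hit
    # only, and print the address only if it is a well-formed dotted quad.
    # stdin is /dev/null so nothing can block waiting for input.
    awk -v id="$1" '
        $1 == id {
            n = split($2, o, ".")
            if (n != 4) exit
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) exit
            print $2
            exit
        }' "$conf" 2>/dev/null </dev/null
    return 0   # always succeed: a failing get_ip keeps VMs from starting
}

get_ip "${1-}"
```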
