WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 

xen-devel

[Xen-devel] Successful IPv6 Xen Deployment; Protection Against IPv4 ARP

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] Successful IPv6 Xen Deployment; Protection Against IPv4 ARP Poisoning Attacks
From: Cory Von Wallenstein <cvonwallenstein@xxxxxxxxxxx>
Date: Tue, 23 Sep 2008 16:06:54 -0400 (EDT)
Cc: Stephen Spector <stephen.spector@xxxxxxxxxx>
Delivery-date: Tue, 23 Sep 2008 13:07:21 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx

Hi folks,

Stephen Spector suggested these questions may be best answered by the dev email 
list.

My team and I have been working diligently since early this year on 
automation and deployment of Xen for a new VPS service at DynDNS. Along the 
way, we decided to have IPv6 as one of our features, and had to make a handful 
of changes to the Xen network scripts to successfully and safely do so in a VPS 
environment.

While our priorities have first and foremost been getting our Spring Server VPS 
service out the door (which as of a few weeks ago, it is!), now I'd like to see 
if the community could benefit from this work.

a) Have people already solved and dealt with IPv6 in Xen successfully (i.e., is 
it a non-issue at this point)? If not, I'd be happy to submit the changes and a 
guide to making it work and work well.

Along the way, we also ran into some issues where domUs were able to:

1) "steal" IP addresses through IP aliasing (e.g., domU has 1.2.3.4, and domU 
root does "ifconfig eth0:0 1.2.3.5/32" in Linux, and now has two working IPs),
2) and more importantly, were able to impact the network connectivity of 
another domU by aliasing or assigning its in-use IP address,
3) and MOST importantly, were able to impact the network connectivity for all 
domUs on a subnet by aliasing a gateway IP address (e.g., in Linux "ifconfig 
1.2.3.1" for a typical /24 subnet). 
4) Also, sending out invalid or poisoned ARP packets from one domU was able to 
introduce network connectivity problems for other domUs.

We were able to make a handful of changes to the Xen scripts to resolve these 
issues as well for safe and secure operation (especially for a VPS environment, 
where individual owners of domUs are likely unrelated to each other).

b) As above, have folks already addressed these issues for stealing IPs/ARP 
poisoning? Have they just not encountered them yet? Would it be useful to 
submit these modifications for review by the community?

We're more than happy to help, just don't want to duplicate work or step on 
anyone's toes for work they already have in progress.

Best regards,

Cory von Wallenstein
Spring Server Engineer
Dynamic Network Services
http://www.dyndns.com

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
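
The four behaviours listed in the message all involve a guest emitting ARP frames whose sender fields do not match what dom0 assigned to its vif. The following Python code is an added example, not part of the original post and not the script changes the author refers to; it shows the per-vif check a dom0 filter would apply. The BINDINGS table, vif names, MAC addresses and function names are constructed assumptions.

```python
import socket
import struct

# Constructed dom0 inventory (assumption): vif name -> (guest MAC, guest IPv4).
BINDINGS = {
    "vif1.0": ("00:16:3e:00:00:01", "1.2.3.4"),
    "vif2.0": ("00:16:3e:00:00:02", "1.2.3.5"),
}

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp(eth_src, sender_mac, sender_ip, target_ip, op=2):
    """Build a constructed Ethernet+ARP frame used as sample input below."""
    eth = b"\xff" * 6 + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)
    return eth + arp

def check_arp(vif, frame):
    """Return the reasons a frame seen on `vif` should be dropped ([] = allow)."""
    if vif not in BINDINGS:
        return ["unknown vif"]
    # 14-byte Ethernet header + 28-byte IPv4-over-Ethernet ARP body.
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return ["not a complete ARP frame"]
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ["malformed ARP header"]
    mac, ip = BINDINGS[vif]
    reasons = []
    if frame[6:12] != mac_bytes(mac):
        reasons.append("ethernet source MAC not assigned to vif")
    if frame[22:28] != mac_bytes(mac):
        reasons.append("ARP sender MAC not assigned to vif")
    sender_ip = socket.inet_ntoa(frame[28:32])
    # 0.0.0.0 is allowed so that ARP probes (address conflict detection) pass.
    if sender_ip not in (ip, "0.0.0.0"):
        reasons.append("ARP sender IP %s not assigned to vif" % sender_ip)
    return reasons

if __name__ == "__main__":
    m1 = BINDINGS["vif1.0"][0]
    for label, ip in [("own IP", "1.2.3.4"), ("neighbour IP", "1.2.3.5"),
                      ("gateway IP", "1.2.3.1")]:
        print(label, check_arp("vif1.0", build_arp(m1, m1, ip, "1.2.3.1")))
```

The same binding table can drive an equivalent check on the source address of IPv4 packets, which covers the aliasing cases where no forged ARP reply is needed.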
