This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] Successful IPv6 Xen Deployment; Protection Against IPv4

To: Cory Von Wallenstein <cvonwallenstein@xxxxxxxxxxx>
Subject: Re: [Xen-devel] Successful IPv6 Xen Deployment; Protection Against IPv4 ARP Poisoning Attacks
From: Luke S Crawford <lsc@xxxxxxxxx>
Date: 26 Sep 2008 21:58:19 -0400
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, Stephen Spector <stephen.spector@xxxxxxxxxx>
Cory Von Wallenstein <cvonwallenstein@xxxxxxxxxxx> writes:

> a) Have people already solved and dealt with IPv6 in Xen successfully (i.e., 
> is it a non-issue at this point)? If not, I'd be happy to submit the changes 
> and a guide to making it work and work well.

Guides would be awesome.  Also, if you made anti-spoof work for IPv6, that 
would also be awesome.

I've had IPv6 going for a while with no problems (though the Xen antispoof
rules only work with IPv4), but I didn't even need to enable IPv6 in the
Dom0; it's a layer 2 bridge, so it just works.  In fact, stateless
autoconfiguration even worked.  I asked for an IPv6 allocation from
my provider and my customers noticed it was working before I got around to
doing any setup at all.

What problems did you hit with IPv6?

> Along the way, we also ran into some issues where domUs were able to:
> 1) "steal" IP addresses through IP aliasing (e.g., domU has, and domU 
> root does "ifconfig eth0:0" in Linux, and now has two working IPs),
> 2) and more importantly, were able to impact the network connectivity of 
> another domU by aliasing or assigning its in-use IP address,
> 3) and MOST importantly, were able to impact the network connectivity for all 
> domUs on a subnet by aliasing a gateway IP address (e.g., in Linux "ifconfig 
>" for a typical /24 subnet). 

See the Xen antispoof functionality.  You specify the IPv4 address
for the DomU in the xm config file, and it adds firewall rules to drop IPv4
packets from the DomU that are not from its assigned address.  It works
well.  (You need to make your firewall put your bridge packets
through the forward chain, but after that it works well.)

If you have this working with IPv6, though, that would be really awesome.

> 4) Also, sending out invalid or poisoned ARP packets from one domU were able 
> to introduce network connectivity problems for other domUs.

The Xen networking scripts, I believe, don't currently have anything that
stops MAC spoofing/ARP cache poisoning.  Something like that would be
pretty nice, though. (It would allow me to trust my interface counters

> b) As above, have folks already addressed these issues for stealing IPs/ARP 
> poisoning? Have they just not encountered them yet? Would it be useful to 
> submit these modifications for review by the community?

The antispoof stuff in Xen works fine for IPv4, but we've got nothing
for ARP poisoning, or for antispoof in IPv6.  Both would be nice.
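
An added example, not code from this thread or from Xen's own scripts: a dry-run generator for the per-guest IPv4 source filter described in the reply above, plus an ebtables ARP filter as one way to cover the ARP gap it mentions. It assumes statically addressed guests, default vifN.M interface names, and ebtables installed in the Dom0; the function name and all sample values are hypothetical.

```shell
#!/bin/sh
# Added example: print (do not apply) per-guest anti-spoof rules for a bridged vif.
# The vif name, MAC and address used below are constructed sample values.

# antispoof_rules VIF MAC IPV4 -> prints one command per line; returns 1 on bad input.
antispoof_rules() {
    vif=$1; mac=$2; ip4=$3

    # Validate before interpolating: these strings end up in root-run commands.
    printf '%s\n' "$vif" | grep -Eq '^vif[0-9]+\.[0-9]+$' || return 1
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$ip4" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1

    # Bridged frames reach the iptables FORWARD chain only with this sysctl on.
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"

    # IPv4 source filter (the idea behind antispoof): allow the assigned address
    # arriving on this guest's bridge port, drop any other IPv4 source from it.
    # iptables never sees IPv6, so IPv6 from the guest stays unfiltered here.
    echo "iptables -A FORWARD -m physdev --physdev-in $vif -s $ip4 -j ACCEPT"
    echo "iptables -A FORWARD -m physdev --physdev-in $vif -j DROP"

    # ARP filter (assumption, not part of Xen's scripts): the guest may only
    # announce its own MAC/IP pair, so it cannot claim a neighbour's or the
    # gateway's address. FORWARD covers other guests, INPUT covers the Dom0.
    for chain in FORWARD INPUT; do
        echo "ebtables -A $chain -i $vif -p ARP --arp-mac-src $mac --arp-ip-src $ip4 -j ACCEPT"
        echo "ebtables -A $chain -i $vif -p ARP -j DROP"
    done
}

# Constructed sample guest; review the output, then pipe it to sh as root to apply.
antispoof_rules vif1.0 00:16:3e:12:34:56 192.0.2.10
```

Guests that use DHCP need an extra allowance for UDP port 68 to 67 before the IPv4 DROP rule, since their first packets carry a 0.0.0.0 source.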
