WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Re: [Xen-users] Networking privacy and DomU

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Networking privacy and DomU
From: Ralph Passgang <ralph@xxxxxxxxxxxxx>
Date: Mon, 9 Jan 2006 23:05:27 +0100
Delivery-date: Mon, 09 Jan 2006 22:10:49 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1136840219.8702.9.camel@localhost>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <20060109163145.5d710f92@xxxxxxxxxxxxx> <1136840219.8702.9.camel@localhost>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.8.3
On Monday, 9 January 2006 at 21:56, John A. Sullivan III wrote:
> On Mon, 2006-01-09 at 16:31 +0100, Martin Dziobek wrote:
> > Hello All,
> >
> > I'm not seeing the wood for trees ...
> >
> > In Xen 3.0 with standard setup (1 Dom 0, several
> > Dom U),how can I prevent a DomU from reading
> > the other DomUs network traffic with a sniffer ?
> > Can I use bridging at all ?
>
> <snip>
> That's a very interesting question.  I have not explored this in any
> detail but, it seems to me upon casual observation, that a domU cannot
> put the hardware NIC into promiscuous mode.  I have tried to do this
> when troubleshooting various network problems.  I have launched tcpdump
> in a domU and it does not appear to see all traffic -- only traffic
> destined for the domU address.
>
> Again, I did not try to work around it or even completely confirm that
> was the case but it is my casual observation.  Perhaps since it is
> indeed a bridge, it is like plugging a protocol analyzer into a switch
> port -- one only sees broadcast traffic and the unicast traffic for that
> port.  I suppose one could use arp poisoning to see other traffic but
> that would be true of any switch - John

A multiport bridge is a switch, at least that is what I was told in 
school ;-P

A bridge isn't like a hub: a bridge knows which MAC belongs to which port in 
the bridge. If traffic for MAC A arrives at one end of the bridge, the bridge 
will forward it only to the correct port (as long as it knows on which port 
MAC A is). So tcpdumping (even in promisc mode) isn't really working here, 
because you will only see your own traffic + broadcast traffic like ARP 
requests and so on. Promisc mode only works on hubs and other dumb network 
equipment.

If you want to see traffic that doesn't belong to your own port then you have 
to do ARP poisoning or stuff like that. But this is an attack that works on 
every switch. You can protect yourself only with VLANs (often used in bigger 
switched networks) or with MAC filtering via a firewall (iptables or ebtables, I 
am not quite sure what is used here).

But that is theory; I never tried whether you can change your own MAC in a 
domainU or if this isn't allowed. If it is allowed, then a firewall that only 
allows the correct MAC for each bridge port should be enough to protect you.

Otherwise use the routing mode, because there aren't any of these 
security-related problems at all, but then you will not be able to migrate 
your domains to another Xen host.

--Ralph

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
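The behaviour discussed in this thread can be shown with a small simulation of a learning bridge, the kind of thing Xen's xenbr0 is: one port per DomU vif. This is an added example, not code from the thread or from Xen; the vif names, the 00:16:3e MAC addresses and the payload strings are constructed for the illustration. It shows three things in sequence: a DomU in promiscuous mode still only receives broadcasts and its own unicast traffic, because the bridge forwards known unicast to one port; a DomU that sends a frame with a neighbour's source MAC makes the bridge relearn that MAC on its own port and so steals the neighbour's traffic; and a per-port source-MAC filter in Dom0 (the ebtables rule the reply speculates about, quoted as a comment) drops the forged frame so the forwarding table stays correct.

```python
"""Learning-bridge simulation: bridge isolation, MAC-table poisoning from a
DomU, and a per-port source-MAC filter as the countermeasure.
Added example with constructed MACs, vif names and payloads."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed vif -> MAC assignment (00:16:3e is the OUI Xen uses for vifs).
MAC = {"vif1.0": "00:16:3e:00:00:01",   # DomU A, sends the sensitive traffic
       "vif2.0": "00:16:3e:00:00:02",   # DomU B, intended receiver
       "vif3.0": "00:16:3e:00:00:03"}   # DomU C, running a sniffer


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: str


class LearningBridge:
    """Minimal MAC-learning switch.  allowed_src maps each port to the one
    source MAC it may use; None means no filtering (stock bridge)."""

    def __init__(self, ports, allowed_src=None):
        self.ports = list(ports)
        self.allowed_src = allowed_src
        self.fdb = {}                       # learned source MAC -> port
        self.rx = {p: [] for p in ports}    # frames delivered to each port
        self.dropped = []                   # frames rejected by the filter

    def ingress(self, port, frame):
        # Per-port source-MAC filter.  In Dom0 this corresponds to one
        # ebtables rule per vif, e.g. for the attacker's port:
        #   ebtables -A FORWARD -i vif3.0 -s ! 00:16:3e:00:00:03 -j DROP
        if self.allowed_src is not None and frame.src != self.allowed_src[port]:
            self.dropped.append((port, frame))
            return []
        # Learning: the bridge trusts the source MAC.  This is what a
        # spoofing DomU abuses on an unfiltered bridge.
        self.fdb[frame.src] = port
        if frame.dst == BROADCAST or frame.dst not in self.fdb:
            out = [p for p in self.ports if p != port]          # flood
        else:
            out = [self.fdb[frame.dst]] if self.fdb[frame.dst] != port else []
        for p in out:
            self.rx[p].append(frame)
        return out


def run_scenario(mac_filter):
    """Replay the thread's scenario with or without the per-port MAC filter
    and report what the sniffing DomU (vif3.0) and the victim (vif2.0) got."""
    br = LearningBridge(MAC.keys(), dict(MAC) if mac_filter else None)
    a, b = MAC["vif1.0"], MAC["vif2.0"]
    # 1. A resolves B: broadcast, so every port including C receives it.
    br.ingress("vif1.0", Frame(a, BROADCAST, "arp who-has B"))
    br.ingress("vif2.0", Frame(b, a, "arp reply B"))        # unicast to vif1.0
    # 2. Unicast A -> B: B's port is known, C sees nothing even in promisc mode.
    br.ingress("vif1.0", Frame(a, b, "secret-1"))
    # 3. C forges B's source MAC; an unfiltered bridge relearns B on vif3.0.
    br.ingress("vif3.0", Frame(b, BROADCAST, "gratuitous arp (spoofed)"))
    # 4. A sends again; the forwarding table decides who receives it.
    br.ingress("vif1.0", Frame(a, b, "secret-2"))
    return {"attacker_sees": [f.payload for f in br.rx["vif3.0"]],
            "victim_b_sees": [f.payload for f in br.rx["vif2.0"]],
            "dropped": len(br.dropped)}


if __name__ == "__main__":
    for flt in (False, True):
        print("mac_filter=%-5s -> %s" % (flt, run_scenario(flt)))
```

Without the filter the sniffing DomU ends up with "secret-2" while B never receives it; with the filter the forged frame is dropped and B receives both secrets. The filter only pins the Ethernet source address to a port. The other half of classic ARP poisoning, forged ARP replies that corrupt the neighbours' IP-to-MAC caches, carries the attacker's own MAC and passes this rule; covering that needs per-vif ARP/IP rules (ebtables can match ARP sender fields) on top of the MAC check, or the routed setup the reply mentions.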
