This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Dom-U config: whats the role of vif - IP

To: Christoph Purrucker <cp+ml-xen@xxxxxxxx>
Subject: Re: [Xen-users] Dom-U config: whats the role of vif - IP
From: Tim Post <tim.post@xxxxxxxxxxxxxxx>
Date: Mon, 25 Sep 2006 00:52:55 +0800
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
In-reply-to: <58902.>
List-id: Xen user discussion <xen-users.lists.xensource.com>
Organization: Net Kinetics
References: <58902.>
Reply-to: tim.post@xxxxxxxxxxxxxxx
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx

This is really a big issue for people such as web hosting providers who
will be giving 'untrusted' root access to dom-u's to the general public.

VPS servers are a very popular choice for those who purchase hosting
services with less than honorable intentions. 

Since many do set up their networks for ease of administration (meaning,
whatever dom-u broadcasts an IP on a subnet that knows about it, owns
it) this allows one dom-u to 'hijack' the IP of another and use it for
abusive activity, intercept traffic, etc. 

If you have only 'trusted' root users on your dom-u's and don't run
insecure public services from them, it's pretty safe to just leave things
easy and do your networking at the dom-u end.

Depending on the quality of the network feeding your bridges (if using
them), you may find it handy to specify a MAC address in both the xen
configuration and dom-u network init scripts.

So there really isn't a right or wrong answer... other than be sure
allowing dom-u's to bring up their own IPs fits your security model :)


On Fri, 2006-09-22 at 11:52 +0200, Christoph Purrucker wrote:
> Hello,
> in the example configuration files I always read that I've to add an
> IP address if I don't have a DHCPd running. I'm running in bridge-mode. For
> example:
> vif = ['ip=']
> But I don't want to configure the IP address in a config file on Dom-0;
> the Admin of the Dom-U should do that with Dom-U's ifconfig (or Debian's
> /etc/network/interfaces). I started several Dom-Us with
> vif = ['']
> and it seems, that they run quite fine with a locally configured
> interface. And further on, if I change the above vif = ['ip=']
> to any other IP, the Dom-U is still reachable under its locally
> configured IP (and not under the new one in the config file) after
> rebooting the Dom-U.
> So what's the sense of the above parameter?
> cu cp
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
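
A dom0-side check for the IP takeover described in this message, as an added example that is not part of the original email or of Xen: it compares the MAC/IP pairs recorded in each guest's `vif` line with what the bridge's neighbour table shows. The domain names, addresses and `ip neigh` lines are constructed samples, and it assumes the operator records both `mac=` and `ip=` in the dom0 config.

```python
import ast
import re

# Constructed sample: vif lines from dom0 config files, keyed by hypothetical domain names.
DOMU_VIFS = {
    "web01": "vif = ['mac=00:16:3e:00:00:01, ip=192.0.2.11, bridge=xenbr0']",
    "web02": "vif = ['mac=00:16:3e:00:00:02, ip=192.0.2.12, bridge=xenbr0']",
    "lab03": "vif = ['']",  # nothing pinned in dom0; the guest picks its own address
}
# Constructed sample: neighbour-table lines in `ip neigh` output format.
NEIGH = """\
192.0.2.11 dev xenbr0 lladdr 00:16:3e:00:00:01 REACHABLE
192.0.2.12 dev xenbr0 lladdr 00:16:3e:00:00:01 STALE
192.0.2.99 dev xenbr0 lladdr 00:16:3e:00:00:07 REACHABLE
"""
NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f:]{17})\b")

def parse_vif(line):
    """Return one {key: value} dict per interface in a `vif = [...]` line."""
    entries = ast.literal_eval(line.split("=", 1)[1].strip())
    vifs = []
    for entry in entries:
        pairs = (p.split("=", 1) for p in entry.split(",") if "=" in p)
        vifs.append({k.strip(): v.strip().lower() for k, v in pairs})
    return vifs

def expected_owners(configs):
    """Map each IP recorded in dom0 to (domain, MAC); skip vifs missing either."""
    owners = {}
    for dom, line in configs.items():
        for vif in parse_vif(line):
            if vif.get("ip") and vif.get("mac"):
                owners[vif["ip"]] = (dom, vif["mac"])
    return owners

def find_conflicts(configs, neigh_text):
    """List (ip, assigned_domain, observed_mac, observed_domain) mismatches."""
    owners = expected_owners(configs)
    mac_to_dom = {mac: dom for dom, mac in owners.values()}
    findings = []
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line)
        if m and m.group(1) in owners:
            ip, mac = m.group(1), m.group(2).lower()
            dom, want = owners[ip]
            if mac != want:
                findings.append((ip, dom, mac, mac_to_dom.get(mac, "unknown")))
    return findings

if __name__ == "__main__":
    for finding in find_conflicts(DOMU_VIFS, NEIGH):
        print("IP %s assigned to %s, seen at %s (%s)" % finding)
```

Guests such as `lab03`, whose `vif` line pins nothing, are invisible to this check, which is the trade-off the message describes for leaving addressing to the dom-u.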
