WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

RE: [Xen-users] ip which is already being used can be taken by windowsvp

To: "Jingyun He" <jingyun.ho@xxxxxxxxx>, <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] ip which is already being used can be taken by windowsvps
From: "James Harper" <james.harper@xxxxxxxxxxxxxxxx>
Date: Sun, 18 Oct 2009 12:33:46 +1100
Cc:
Delivery-date: Sat, 17 Oct 2009 18:34:38 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <2f88f10c0910171335i431bb68ah5d103930990358a3@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <2f88f10c0910171335i431bb68ah5d103930990358a3@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcpPaaNIlsyG3zAPStazlSGOhuEQcQAKMebA
Thread-topic: [Xen-users] ip which is already being used can be taken by windowsvps
> 
> Hello,
> I just noticed that the windows vps can take any IP that is already
> being used in the network,
> e.g. one other server is using 1.1.1.1, and another vps in the network
> just assign that IP, and activate it, then the ip 1.1.1.1 will connect
> to vps, and the server will lose connection.
> 
> Do you have any suggestion to avoid this?
> 

Some suggestions:

1. Make sure that anything that ever wants to talk to 1.1.1.1 uses SSL
so that it can never be impersonated. Make sure that you pay attention
if your ssh client ever complains that the key has changed.
2. Put each VM on a /30 network and route everything to it. It might be
a pain to maintain but it greatly reduces the attack surface.
3. Use iptables to filter that port to make sure the source IP address
is correct (remember to allow for DHCP queries if you use that - they
will appear to come from 0.0.0.0 I think).
4. Install arpwatch (I think that's what it's called) that can notify if
the relationship between a mac address and an IP address changes

James


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users