WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-api

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Xen-API] XCP antispoofing (idea and working patch)

from [George Shuklin] [Permanent Link][Original]
To: Dave Scott <Dave.Scott@xxxxxxxxxxxxx>
Subject: RE: [Xen-API] XCP antispoofing (idea and working patch)
From: George Shuklin <george.shuklin@xxxxxxxxx>
Date: Wed, 29 Dec 2010 14:15:03 +0300
Cc: Zeffertt <Alex.Zeffertt@xxxxxxxxxxxxx>, Alex, Rob Hoes <Rob.Hoes@xxxxxxxxxx>, "xen-api@xxxxxxxxxxxxxxxxxxx" <xen-api@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 29 Dec 2010 03:15:20 -0800
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:from:to:cc :in-reply-to:references:content-type:date:message-id:mime-version :x-mailer:content-transfer-encoding; bh=JIoz9zaugnfwVDO2Fqt7vj4bypWUNZDxQ0I21h9CEpY=; b=MAKw1LiMDurz7CeZme3NFeb/LJDeUcz5Cz4C3w6Q98kMgVGIeHX/scpJCOYXh25DTY Vs+FJ5gRXNUX0EREdxYnOiEmN82tMr4DU7T0W2LX/g6oCG1BKkS7DMy5Up+OnNigxjHJ hJY8xV7HzRekq0MHco4JFmpvbtiAdir6AxbLs=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:x-mailer:content-transfer-encoding; b=K8c2zx/ak1MQU+NZpoCVBmcDFMUc0p2j4pktOdb5vgkCuZH3iDnSb5M1Phw8DbdF4S lxfA5vYyULozsFTwf+VxxLt8FBlehAQ+27SHD0SM/8EMN+6nSFrr3tu6mUPCxHP6qToT Mh4lpPWLlfciDyg1kAO+pquwbcIPR7Nc6uI9I=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <81A73678E76EA642801C8F2E4823AD21933474285F@xxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-api-request@lists.xensource.com?subject=help>
List-id: Discussion of API issues surrounding Xen <xen-api.lists.xensource.com>
List-post: <mailto:xen-api@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=unsubscribe>
References: <1293417582.18543.37.camel@xxxxxxxxxxxxxxxx> <81A73678E76EA642801C8F2E4823AD21933474285F@xxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-api-bounces@xxxxxxxxxxxxxxxxxxx 
> > The main concern is usage of configuration file instead xapi. I think
> > it
> > must be placed somewhere to vif's other config (but it far beyond my
> > knowledge, and I except some help with this). xapi shall place
> > ip_restriction to other-config and copy it to xenstore for vif to be
> > readable from scripts/vif script.
> 
> This part needs a bit more thought. I was wondering if we wanted to have 
> first-class fields for this kind of VIF/switch configuration... something like
> 
> Network.default_secure: bool -- if true then unconfigured VIFs have no 
> access, otherwise they have full access
> VIF.allowed_addresses: some encoding of values like
>   Some (list of (MAC, IPv4) pairs) -- specific addresses to limit the VIF to. 
> Probably need '*, *'
>   None -- no configuration


Nice idea!

But why only two choices? If we really starts to thinking about security
model I see following:

1) Allow all  - No security (current state, allow regardless restriction
configuration)
3) Deny denied, allow other (use restriction according configuration,
allow non-configured) - the mode in my path.
2) Allow allowed, deny other (default mode for most ACL in network
equipment)
4) Deny All (some like network-shutdown) - if we thinking about options
this may be interesting)


Now, about restriction. 

1) L2 address:  'native' VIF MAC address can be found via xenstore, so
we need to have two special values: any, self. 
2) L2 protocol-num: Allowed protocol number: ipv4, ipv6, arp (does
anyone still use something else?)

2) L3 address: ipv4 (shall we support CIDR notation X.X.X.X/Y ? In this
case we can skip '*'/'any' value just replacing it 0/0).
3) IPv6 address support (...I'm lack of knowledge here)


... and one more idea: if we have 'own' ip-address for vif, can we
create some kind of 'external configurable' IP-address for guest VM
interfaces?
Agent will waiting subscribing for modification event of some variable
in xenstore in VM. It will change network interface settings accordingly
(IP, netmask).


> Also adding explicit openflow rules will conflict with any attached openflow 
> controller (eg nox) so we should make it an explicit choice: disable these 
> rules and enable a controller, or disable a controller and enable these rules.

... and here 2nd option for network security: what to do if openflow
controller down/not available: shutdown network/allow all.

 


_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-api
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Xen-API] XCP antispoofing (idea and working patch), Dave Scott
Next by Date:  [Xen-API] XCP 1.0 beta - Locked VDI issue, Jonathon Royle
Previous by Thread:  RE: [Xen-API] XCP antispoofing (idea and working patch), Dave Scott
Next by Thread:  [Xen-API] XCP 1.0 beta - Locked VDI issue, Jonathon Royle
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy