WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

Re: [Xen-devel] promiscuous mode?

To: Ian Pratt <Ian.Pratt@xxxxxxxxxxxx>
Subject: Re: [Xen-devel] promiscuous mode?
From: John Babwell <johnbabwell@xxxxxxxxxxx>
Date: Fri, 13 Aug 2004 18:22:52 -0500
Cc: Steven Hand <Steven.Hand@xxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxxx
Delivery-date: Sat, 14 Aug 2004 00:23:12 +0100
Envelope-to: steven.hand@xxxxxxxxxxxx
In-reply-to: <E1Bvi4e-0004I3-00@xxxxxxxxxxxxxxxxx>
References: <E1BvhXB-0003eI-00@xxxxxxxxxxxxxxxxx> <E1Bvi4e-0004I3-00@xxxxxxxxxxxxxxxxx>
Thank you both, that was very informative, I appreciate it!  I think I
can do exactly what I want (and more) with a combo of techniques.

~ John

On Fri, 13 Aug 2004 20:50:47 +0100
Ian Pratt <Ian.Pratt@xxxxxxxxxxxx> wrote:

> > The default config uses bridging in domain 0 to connect together all
> > of the guest NICs; in this case, guests will be able to see anything 
> > that is on the local network. 
> 
> Although it's called a 'bridge', it's actually an L2 'switch' : a
> domain will typically only see traffic that's sent to its MAC or
> the broadcast/multicast MAC (once it's learnt where all the MAC
> addresses live). 
> 
> As with a physical network, you'd still be vulnerable to ARP
> spoofing or forged src addr attacks that would enable an attacker
> to see packets it shouldn't. 
> 
> > If you want to enforce some 'privacy', you can configure things a 
> > little differently; 
> > 
> >   a. use a 'routed' model in which domain0 acts as the gateway; in 
> >      this case, no guest can see anything save point-to-point packets
> >      between itself and its opposite number in domain0. However it 
> >      does mean a bit more hassle setting up interfaces in domain0. 
> > 
> >   b. use ebtables -- this is an ethernet-level "firewall", which 
> >      should allow you to configure whatever you want. Should be 
> >      more flexible (i.e. can allow some guests to see all bcast 
> >      packets, others to see some, others to see none) and more 
> >      efficient. However I've never used it :-) 
> 
> We build the bridge-nf patch into our linux 2.4 kernel by
> default, so it's possible to use Linux's normal iptables commands
> to filter traffic to domains at the IP level even if you're using
> bridging rather than routing (bridge-nf is standard in
> 2.6). However, you'll need a relatively recent version of the
> iptables user-space package that supports the 'physdev' module to
> enable you to attach rules to specific VIFs.
> 
> The vif-bridge script contains an example invocation that stops
> domains from spoofing their src IP address (though you have to be
> careful about DHCP requests and such like).
> 
> ebtables is useful if you want to do purely L2-level (Ethernet)
> filtering.
> 
> 
> Ian
> 
> [perhaps someone could stick this in a FAQ...]


-- 
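Worked example of the two filtering approaches Ian describes (physdev-matched iptables rules per VIF, and ebtables for L2). This is an added illustration, not Xen's own vif-bridge script and not code from the thread. The VIF names, IP addresses and MAC addresses are constructed sample values; with DRY_RUN=1 (the default here) the script only prints the commands it would run, so it needs neither root nor a bridge.

```shell
#!/bin/sh
# Added example (not from the thread, not Xen's vif-bridge script).
# Emits per-VIF anti-spoof rules using the iptables 'physdev' match
# (requires bridge-nf in the kernel and a physdev-capable iptables).
# DRY_RUN=1 prints commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# antispoof_rules VIF IP
# Forwarded packets entering the bridge from VIF are accepted only if
# their source IP is the address assigned to that domain. DHCP
# discovery is sent from 0.0.0.0 before the guest has an address, so
# it is allowed explicitly (the "careful about DHCP" caveat); anything
# else from that VIF is dropped.
antispoof_rules() {
    vif="$1"; ip="$2"
    run iptables -A FORWARD -m physdev --physdev-in "$vif" -p udp --sport 68 --dport 67 -s 0.0.0.0 -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$vif" -s "$ip" -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$vif" -j DROP
}

# mac_lock_rules VIF MAC
# The L2 counterpart with ebtables: frames arriving on VIF whose source
# MAC is not the domain's assigned MAC are dropped, which blunts the
# forged-source-address attack Ian mentions.
mac_lock_rules() {
    vif="$1"; mac="$2"
    run ebtables -A FORWARD -i "$vif" -s ! "$mac" -j DROP
}

# Constructed sample inventory: VIF=IP=MAC (placeholder values).
SAMPLE_VIFS="vif1.0=10.0.1.2=00:16:3e:00:00:01 vif2.0=10.0.1.3=00:16:3e:00:00:02"

# apply_sample: install (or print) rules for every entry above.
apply_sample() {
    for entry in $SAMPLE_VIFS; do
        vif="${entry%%=*}"
        rest="${entry#*=}"
        ip="${rest%%=*}"
        mac="${rest#*=}"
        mac_lock_rules "$vif" "$mac"
        antispoof_rules "$vif" "$ip"
    done
}

apply_sample
```

Run with `DRY_RUN=0` as root on the bridging domain 0 to actually install the rules; note that the DROP rule is appended last, so the order of the three iptables lines matters, and that a guest whose address is handed out by DHCP still needs the 0.0.0.0 exception.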
