[Xen-API] XCP antispoofing (idea and working patch)

To:	xen-api@xxxxxxxxxxxxxxxxxxx
Subject:	[Xen-API] XCP antispoofing (idea and working patch)
From:	George Shuklin <george.shuklin@xxxxxxxxx>
Date:	Mon, 27 Dec 2010 05:39:42 +0300
Delivery-date:	Sun, 26 Dec 2010 18:38:59 -0800
Dkim-signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:from:to:content-type :date:message-id:mime-version:x-mailer; bh=XoFBgFLsoVxxRKY/1M0P3OXOnUpPEG+q4SCSwd0PyJU=; b=jHxCPRl6DexYByM6CO7JwwhVHRdzeZOdDJBrBxZR8OGNY4LdChOWGLsI1aQWjEfNzZ HnOg60LZIZ9qUXrcycmZsWYSom7+kSEnYlB7j/woSWXMtw+VQrkwA1T/8il5ktxMVzar n+/wtr9Bg/w417Ne9srWlcjQZDg/ZRfD4HJxs=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:from:to:content-type:date:message-id:mime-version:x-mailer; b=Pvls2A2waUtGuEY4ARunWxCsrul7g2yDsJPeozu2/kPfQzW7hT3TqIT3TTZ7xpgsoj sjp9ZeYTCvi6SyJpiZNmjHQQKT8V9wbyYj2cO54EvXSVsjQeCnLRGwbanm2lsU0kSuLH Jnv6bw4NhPseVxcctcUIVnMpppmvOIN6t++NA=
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
List-help:	<mailto:xen-api-request@lists.xensource.com?subject=help>
List-id:	Discussion of API issues surrounding Xen <xen-api.lists.xensource.com>
List-post:	<mailto:xen-api@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=unsubscribe>
Sender:	xen-api-bounces@xxxxxxxxxxxxxxxxxxx

Good day.

I like to raise a question which bother me (and not only me) long time.

How we can protect one guest form malicious actions from other guest?
One of the simplest way to break network is spoofing (usurping) some
IP/mac addresses on network by abusing ARP or (even) simply assign wrong
IP to guest machine network interface.

Classic Xen shipped with antispoofing scripts, but XCP is not.

What problem we shall solve for quality antispoofing? 

Restriction:
1) Shall be configurable (some interface must be restricted, some not)
2) must be applying on EVERY host in the pool
3) Shall be removed when VM is down or mirgrated out (do not disturb any
other VM)
4) Shall survive reboot (when dom ID and vif interface int dom0
changing)
5) Shall survive migration 
6) shall restrict both IP and mac usage.


I create some simple patch to /etc/xensource/scripts/vif (it called
every time new vif initializing or deinitializing).

It depends on openvswitch (and does not work with classic brtools),
using /etc/xensource/ip_restriction.conf with following syntax:

vif-uuid ip
(one per line), f.e.
25ca3ed1-06ea-5f58-9283-f2af3e8b373e 192.168.1.144

This file must be identical on every host in the pool.

If vif uuid is not listed it this file, it silently do nothing. If
openvswitch is not used, it silently do nothing.

If IP (right now only ipv4) is assigned to vif-uuid, that vif is
restricted to it mac (autodetected via xenstore) too.

When vif is down (vm down, migrated or rebooted) it clear all
restriction on openvswitch port right before port unplugging.

The main concern is usage of configuration file instead xapi. I think it
must be placed somewhere to vif's other config (but it far beyond my
knowledge, and I except some help with this). xapi shall place
ip_restriction to other config and copy it to xenstore for vif to be
readable from scripts/vif script.

This patch is against XCP 0.5 (not 1.0b)

vif_ip_restriction.diff
Description: Text Data

_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-api

WARNING - OLD ARCHIVES

xen-api

[Xen-API] XCP antispoofing (idea and working patch)