Am Freitag, den 15.04.2005, 14:59 +0200 schrieb Roland Paterson-Jones:
> Nils, thanks for the great response.
>
> Some more details: we have a network of dom-0's that will host a number
> of dom-U's.
>
> We need dynamic addressing, so proxy-arp sounds the simplest for us
> (simpler than full-on routing, that is).
Maybe not: at least the dom0 needs hostroutes for the domUs it is
hosting onto the vif* devices. Otherwise it won't proxyarp.
> Bridging is not so nice cos it exposes ethernet to the (untrusted) dom-U's.
Not really. In _all_ cases you want to do some [ip|arp|eb]tables stuff
to filter traffic. Nowadays with CONFIG_BRIDGE_NETFILTER filtering and
routing/bridging is almost independant. Whatever topology you take you
can encapsulate the domUs.
> We can't use NAT cos we want the dom-U's to be externally addressable.
Would still be possible with DNAT (for example any dom0 hosting n domUs
needs n+1 IPs, n of them DNATed), but that would be _really_ _ugly_! You
are right not to do that ;)
> Something I'm still unclear on - we don't want to reserve dom-U
> addresses for each dom-0 (it'll be wasteful), so we want dom-U to use
> DHCP. But then we've got to do DHCP relaying in dom-0, I think, and
> capture the dom-U IP address, unless there's a better way.
dhcrelay(8) is your friend, but indeed dom0 must somehow be informed
about the combination IP-adress/virtual-interface (and if you want
filtering: MAC) to set the hostroute. And that hostroute has to be
deleted when the domU shuts down ... so:
(a) turn on a RIP/OSPF routing daemon on all domUs and all dom0s
(b) or: patch dhcrelay to set the hostroute (but on shutdown?)
(c) or: dom0 catches dhcp traffic on vif* devices and parses it
(a) is overkill and insecure, (b) & (c) are evel & ugly!
> Another thing that's confusing me is that I expect there should be a
> left-hand (dom-0) and right-hand (dom-U) address for each of the vif's
> in routing mode, but I see only the one address in the scripts.
That's ok. There are again two possibilities (at least):
* the vif* are up, the corrosponding domU-eth0 have IPs in the same
subnet, dom0 has hostroutes for those domU-IPs onto the according
vif*. In this case, it does not matter if the vif* have an IP at all.
dom0 has proxy-arp activated.
* each dom0-vif/domU-eth0 pair is configured in a different transport-
subnet, eg vif1.0=192.168.1.1/30, eth0(dom1)=192.168.1.2/30,
vif2.0=192.168.1.5/30, eth0(dom2)=192.168.1.6/30
I don't know what the xend routing scripts actually do. You may fire up
two domUs and send me the output of "/sbin/ip addr" and "/sbin/ip route"
then i'll tell.
> I hope this makes sense - as you might have noticed I'm approaching this
> from first principles. I'm sure I'll get there in the end :(
To sum it up: You are trying to set up a more complex scenario, several
dom0s hosting different numbers of domU. But you do not want to reserve
IP prefixes to dom0s. My strong recommendation: BRIDGING + fixed MAC/IP
pairs + ebtables filtering those pairs. You may use dhcp if you do not
want to configure each domU. The MAC/IP pairing could be algorithmical
like IP=o1.o2.o3.o4 ==> MAC=FE:00:o1:o2:o3:o4 (this time in hex).
Everthing else (like proxyarp + dhcrelay) will get too fast too complex.
For example you could do dhcp & real dynamic routing, but then every
domU has to run a routing daemon announcing its IP, so a malicious domU
could redirect all traffic to itself. Or you have to do some evil hack
to pass routing information from dhcp to the dom0s.
Just my 2c. /nils.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|
Home