On Sunday, 17 April 2005 at 18:56 +0200, Roland Paterson-Jones wrote:
> Ian Pratt wrote:
> > > I guess we want to restrict the dom-U to IP packets with
> > > IP/MAC pairs that match previous ARP results. Can ebtables in
> > > dom-0 filter this accurately?
> >
> > Sure. If you don't know all the rules at domain creation time you'll
> > probably need to cook up your own little daemon to add rules/
> >
> >
> I think I might be able to achieve what I want with ebtables by brouting
> all outgoing traffic.
What is "brouting"? There's an ebtables chain with that name, but I
have never heard this term (yet) used as a name for a network topology ...?
> So dom-0 is a router for outgoing traffic but a
> bridge for incoming traffic.
Ah! Is that standard terminology?
> I think I just have to enable
> ip_forwarding, but otherwise use the xen 'bridging' scripts.
What advantage do you gain over proper bridging?
> > > Also, there will be more ARP'ing with bridging, since all the
> > > dom-U's will ARP independently (can we short-circuit ARP
> > > responses in dom-0?).
> >
> > Why would you want to? It's hardly high bandwidth.
>
> Well, ARP is broadcast and across all bridged networks. What if the
> dom-U did an ARP-bomb attack, for example. I don't know really. I guess
> you could rate limit ARP's with ebtables.
That's neither ARP- nor bridging/routing-specific. A malicious domU could do
MAC/IP broadcast/multicast/unicast attacks if you do not filter and rate-limit
its traffic properly. It's always the same principal problem, whatever
topology you use. With routing, for example, it can still try to SYN-
flood, ping-of-death, overload the net with massive UDP fragment
traffic, ...
> Anyway, if we're brouting outbound traffic, then we can use --arpreply
> <bogus-address> to short-circuit outbound ARP requests. They're no use
> anyway, if we're brouting all outbound traffic.
>
> Does this all sound plausible or maybe even sensible?
Hmmm ... some general guidelines:
* Making things more complicated than necessary reduces security
* Using a network topology that is not fully understood reduces security (sorry,
could not resist ;-)
* Do not try to filter traffic by using a special network topology.
Use filters for it.
At domU creation time, dom0 knows its dedicated MAC and (according to
your own rules) the corresponding IP of that domU. As Ian wrote: extend the
vif-bridge (which now knows the IP/MAC/VIF combination) using
* ebtables to enforce the correct MAC (--> no MAC spoofing, no STP
attacks)
* arptables to enforce the correct IP/MAC pairing (--> no ARP spoofing)
* iptables to enforce the correct IP (--> no IP spoofing)
* ebtables to force ethernet frames to contain IP or ARP only (no bogus
IPv6/MPLS/PPPoE stuff on the wire)
* ebtables to limit linklayer broadcasts to ARP and IP broadcasts
* iptables to limit IP broadcasts to the necessary ones (for example
dhcp)
* iptables to limit unicast IP traffic to the services the domU is
allowed to offer/use.
* some rate limiting (particularly on TCP/SYN) such that the domU cannot
DoS somebody via ARP/IP/whatever
This is just an example, but quite paranoid. You would have to do most
of it with (b)routing, too (even with routing you have to protect dom0
from MAC/ARP spoofing!).
Just my 2ct, /nils.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
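The rule set Nils sketches above, written out as an added example that is not part of the original thread and not Xen's own vif-bridge script: a POSIX shell hook to be called from vif-bridge with the vif name, its MAC and its IP, which installs the ebtables (MAC, ethertype, ARP rate), arptables (IP/MAC pairing) and iptables (IP, broadcasts, SYN rate, allowed services) rules per vif in their own chains so they can be torn down again. The interface name vif1.0, the MAC 00:16:3e:00:00:05, the address 10.0.0.5 and the port policy are hypothetical. It assumes ebtables, arptables and iptables (with the physdev, limit, addrtype and state matches) are present in dom0, and that net.bridge.bridge-nf-call-arptables and net.bridge.bridge-nf-call-iptables are set to 1, so bridged frames also traverse the arptables/iptables FORWARD chains.

```shell
#!/bin/sh
# vif-filter.sh: anti-spoofing and rate-limit rules for one bridged Xen vif,
# intended to be called from vif-bridge once dom0 knows the vif, its MAC and
# its IP. Added example, not part of Xen. Assumes ebtables, arptables and
# iptables (physdev, limit, addrtype, state matches) in dom0, and that
# net.bridge.bridge-nf-call-arptables and -iptables are 1, so that bridged
# frames also traverse the arptables/iptables FORWARD chains. The interface
# name, MAC, IP and the port policy below are hypothetical.
#
#   DRY_RUN=1 ./vif-filter.sh vif1.0 00:16:3e:00:00:05 10.0.0.5        # print rules
#             ./vif-filter.sh vif1.0 00:16:3e:00:00:05 10.0.0.5        # apply (as root)
#             ./vif-filter.sh down vif1.0 00:16:3e:00:00:05 10.0.0.5   # remove again
set -e

OFFER_TCP="80 443"      # TCP ports the domU may accept connections on
USE_TCP="53"            # TCP ports the domU may connect out to
USE_UDP="53 67 123"     # UDP ports the domU may send to (DNS, DHCP renew, NTP)
ARP_RATE="10/second"    # ARP frames the domU may emit (burst 50)
SYN_RATE="50/second"    # new TCP connections it may open (burst 100)

run() {
    # With DRY_RUN=1 print the command instead of executing it.
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

vif_rules() {
    vif=$1; mac=$2; ip=$3
    ch=$(printf '%s' "$vif" | tr '.' '_')   # chain name: vif1.0 -> vif1_0

    # Layer 2 (ebtables): every frame the domU puts on the wire enters here.
    run ebtables -N "$ch"
    run ebtables -A FORWARD -i "$vif" -j "$ch"
    run ebtables -A "$ch" -s ! "$mac" -j DROP         # source MAC must be the domU's
    run ebtables -A "$ch" -p ARP --limit "$ARP_RATE" --limit-burst 50 -j RETURN
    run ebtables -A "$ch" -p ARP -j DROP              # ARP storm
    run ebtables -A "$ch" -p IPv4 -j RETURN           # IPv4 is checked further by iptables
    run ebtables -A "$ch" -j DROP                     # IPv6, MPLS, PPPoE, STP, ...

    # ARP payload (arptables): sender IP and sender MAC inside the ARP packet
    # must be the pair assigned to this domU, whatever a request or reply claims.
    run arptables -A FORWARD -i "$vif" -s ! "$ip" -j DROP
    run arptables -A FORWARD -i "$vif" --source-mac ! "$mac" -j DROP

    # Layer 3 (iptables), packets from the domU, matched on the bridge port.
    run iptables -N "$ch"
    run iptables -N "${ch}_syn"
    run iptables -A FORWARD -m physdev --physdev-in "$vif" -j "$ch"
    # DHCP discover/request is the one legitimate packet not sourced from $ip.
    run iptables -A "$ch" -p udp -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
    run iptables -A "$ch" ! -s "$ip" -j DROP                         # IP spoofing
    run iptables -A "$ch" -m addrtype --dst-type BROADCAST -j DROP   # no other IP broadcasts
    run iptables -A "$ch" -p tcp --syn -j "${ch}_syn"                # meter new connections
    run iptables -A "${ch}_syn" -m limit --limit "$SYN_RATE" --limit-burst 100 -j RETURN
    run iptables -A "${ch}_syn" -j DROP                              # SYN flood
    run iptables -A "$ch" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $USE_TCP; do run iptables -A "$ch" -p tcp --dport "$p" -j ACCEPT; done
    for p in $USE_UDP; do run iptables -A "$ch" -p udp --dport "$p" -j ACCEPT; done
    run iptables -A "$ch" -j DROP                                    # anything else

    # Packets towards the domU: replies, DHCP answers and the services it offers.
    run iptables -N "${ch}_in"
    run iptables -A FORWARD -m physdev --physdev-out "$vif" -j "${ch}_in"
    run iptables -A "${ch}_in" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A "${ch}_in" -p udp --sport 67 --dport 68 -j ACCEPT
    for p in $OFFER_TCP; do run iptables -A "${ch}_in" -p tcp --dport "$p" -m state --state NEW -j ACCEPT; done
    run iptables -A "${ch}_in" -j DROP
}

vif_teardown() {
    vif=$1; mac=$2; ip=$3
    ch=$(printf '%s' "$vif" | tr '.' '_')
    run ebtables -D FORWARD -i "$vif" -j "$ch"
    run ebtables -F "$ch"; run ebtables -X "$ch"
    run arptables -D FORWARD -i "$vif" -s ! "$ip" -j DROP
    run arptables -D FORWARD -i "$vif" --source-mac ! "$mac" -j DROP
    run iptables -D FORWARD -m physdev --physdev-in "$vif" -j "$ch"
    run iptables -D FORWARD -m physdev --physdev-out "$vif" -j "${ch}_in"
    for c in "$ch" "${ch}_syn" "${ch}_in"; do run iptables -F "$c"; run iptables -X "$c"; done
}

# <vif> <mac> <ip> installs the rules; "down" <vif> <mac> <ip> removes them.
case "$#:$1" in
    3:*)    vif_rules "$@" ;;
    4:down) shift; vif_teardown "$@" ;;
esac
```

Run it with DRY_RUN=1 first and read the printed rules before letting vif-bridge execute it. Two design points: the SYN meter lives in its own sub-chain that RETURNs on success, so the service allow-list further down still applies to metered SYNs (an ACCEPT in the limit rule would bypass it); and frames the domU addresses to dom0 itself do not pass FORWARD but INPUT, so the same checks would have to be repeated there if dom0 is reachable from the domU.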