[Xen-users] Isolating DomU / Networking

To: <Xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-users] Isolating DomU / Networking
From: "Daniel Schwager" <Daniel.Schwager@xxxxxxxx>
Date: Fri, 9 May 2008 13:56:27 +0200
Cc: Sebastian Ries <Sebastian.Ries@xxxxxxxx>, Daniel Schwager <Daniel.Schwager@xxxxxxxx>
Hi

I want to secure/isolate all running DomUs (HVM) from each other,
so no DomU should see (at IP level or at MAC/broadcast level) the other DomUs.
 
I found a patch for the creation of a DomU at
http://www.d7031.de/text/xen_with_lvm_under_etch.shtml
(near the bottom)

It seems that this did not work for me :-(
Regardless of the ebtables rules, I could change my IP address and still
do whatever I wanted on the network.

Therefore I started to dig deeper into the network configuration, which
gave me some more questions:

I pinged between two DomUs (IDs 14 and 16), watched the traffic with
tcpdump -i $iface -n host $ip1 or host $ip2
and tried to find out which interfaces the traffic crosses.

[root@xen02 ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
xenbr1          8000.001b78054bee       no              peth1
                                                        tap0
                                                        tap1
                                                        vif14.0
                                                        vif16.0
Here is my result:

Iface           packets seen          expected
---------------------------------------------
any             double                ~
xenbr1          yes                   yes
tap0            yes                   no
tap1            yes                   no
vif14.0         no                    no
vif16.0         no                    no
peth1           no                    yes


What is most confusing is that I
        a) see the packets on tap0 and tap1,
        b) but no packets on vif14.0 and vif16.0 ...

Can anyone explain why this is the case?

Best regards
Danny

-------------------------------------------------------------------
DT Netsolution GmbH   -   Taläckerstr. 30    -    D-70437 Stuttgart
Geschäftsführer: Daniel Schwager, Stefan Hörz - HRB Stuttgart 19870
Tel: +49-711-849910-32, Fax: -932 - Mailto:daniel.schwager@xxxxxxxx
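The poster's table shows the guests' frames entering xenbr1 on tap0/tap1 rather than on vif14.0/vif16.0, so port-based ebtables rules only bite if they are written against the port that actually carries the traffic. The helper below is an added example, not code from the post or from the linked patch: it pins one bridge port to a single source MAC and IPv4 address (including in ARP) and drops that port's frames towards other DomU ports. Port names, MACs and IPs are constructed placeholders; EBTABLES=echo prints the rules for review, EBTABLES=ebtables applies them in dom0.

```shell
#!/bin/sh
# Per-port ebtables rules isolating one DomU on a Xen bridge.
# Constructed example: tap0/tap1, the MAC and the IP below are placeholders.
# EBTABLES=echo (default) only prints the rules; EBTABLES=ebtables applies them.
EBTABLES="${EBTABLES:-echo}"

# domu_rules PORT MAC IP [PEER_PORT...]
#   PORT       bridge port carrying the DomU's frames (tapN for an HVM guest
#              using the emulated NIC, vifN.0 for a PV guest)
#   MAC, IP    the only source addresses this DomU is allowed to use
#   PEER_PORT  ports of other DomUs this DomU must not talk to
domu_rules() {
    port=$1; mac=$2; ip=$3; shift 3
    # Drop any frame entering on this port with a foreign source MAC.
    $EBTABLES -A FORWARD -i "$port" -s ! "$mac" -j DROP
    # IPv4 frames must carry the assigned source IP (defeats changing the IP).
    $EBTABLES -A FORWARD -i "$port" -p IPv4 --ip-src ! "$ip" -j DROP
    # ARP must advertise exactly the assigned IP/MAC pair (no ARP poisoning).
    $EBTABLES -A FORWARD -i "$port" -p ARP --arp-ip-src ! "$ip" -j DROP
    $EBTABLES -A FORWARD -i "$port" -p ARP --arp-mac-src ! "$mac" -j DROP
    # DomU-to-DomU isolation: nothing from this port may leave towards a peer.
    for peer in "$@"; do
        $EBTABLES -A FORWARD -i "$port" -o "$peer" -j DROP
    done
}

# Constructed usage: guest on tap0 may only be 00:16:3e:00:00:14 / 10.0.0.14
# and must not reach the guest on tap1.
domu_rules tap0 00:16:3e:00:00:14 10.0.0.14 tap1
```

Run it with EBTABLES=ebtables once per DomU after the guest's port exists on the bridge, and re-check with tcpdump on the peer port that the ping no longer arrives.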



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
