WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Xen with 'Routing' scripts

To: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] Xen with 'Routing' scripts
From: Roland Paterson-Jones <roland@xxxxxxxxxxxx>
Date: Sun, 17 Apr 2005 17:56:01 +0200
Delivery-date: Sun, 17 Apr 2005 15:55:22 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1113573291.5493.99.camel@xxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <425F6B48.6080901@xxxxxxxxxxxx> <1113555914.5469.7.camel@xxxxxxxxxxxxxxxxxxxxxxx> <425FBA9D.8060209@xxxxxxxxxxxx> <1113573291.5493.99.camel@xxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 0.8 (Windows/20040913)


Nils Toedtmann wrote:

>> Bridging is not so nice cos it exposes ethernet to the (untrusted) dom-U's.
>
> Not really. In _all_ cases you want to do some [ip|arp|eb]tables stuff
> to filter traffic. Nowadays with CONFIG_BRIDGE_NETFILTER filtering and
> routing/bridging is almost independent. Whatever topology you take you
> can encapsulate the domUs.

Can we ensure that dom-U is not sending ethernet packets with fake destination mac addresses if we're using bridging?

How do we prevent a dom-U filling up our LAN with bogus ethernet addresses?

I guess we want to restrict the dom-U to IP packets with IP/MAC pairs that match previous ARP results. Can ebtables in dom-0 filter this accurately?

> To sum it up: You are trying to set up a more complex scenario, several
> dom0s hosting different numbers of domU. But you do not want to reserve
> IP prefixes to dom0s. My strong recommendation: BRIDGING + fixed MAC/IP
> pairs + ebtables filtering those pairs. You may use dhcp if you do not
> want to configure each domU. The MAC/IP pairing could be algorithmic
> like IP=o1.o2.o3.o4 ==> MAC=FE:00:o1:o2:o3:o4 (this time in hex).

Actually I have played with such an algorithmic MAC/IP pairing in a prototype. But then the aim was to specify the MAC address in the Xen config for the dom-U, let the dom-U use DHCP, and ensure that the DHCP mapped the MAC to the corresponding IP address, all in order that I knew the IP address of the dom-U up front (but let the dom-U use DHCP rather than static for more flexibility etc.).

Bridging is definitely easier to manage than routing. However, given that I'm paranoid about untrusted dom-U's, how can we prevent dom-U's from abusing the ethernet network?

Also, there will be more ARP'ing with bridging, since all the dom-U's will ARP independently (can we short-circuit ARP responses in dom-0?).

Thanks again for your detailed help.
Roland
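The fixed MAC/IP pairing plus ebtables filtering that Nils recommends, and that Roland asks about (can ebtables in dom0 stop a domU from sending frames with a forged source MAC or ARP'ing for addresses it does not own?), as an added example that is not part of the original thread or of the Xen scripts. It derives the MAC from the IP with the FE:00:o1:o2:o3:o4 scheme quoted above and emits ebtables rules that pin one vif to exactly that pair. The vif name is passed in, the per-vif chain name `vif_<name>` is this example's own convention, and the rules assume a dom0 kernel with CONFIG_BRIDGE_NETFILTER and the ebtables `ip` and `arp` match extensions; the commands are printed rather than run so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the thread or from Xen: pin a domU vif in dom0
# to a fixed MAC/IP pair with ebtables, deriving the MAC from the IP as
# IP o1.o2.o3.o4 -> MAC FE:00:o1:o2:o3:o4 (octets in hex).
# Assumptions (not stated in the thread): vif name is given by the caller,
# the chain name "vif_<name>" is our own convention, and dom0 has the
# ebtables ip and arp match extensions available.

# Print the MAC derived from a dotted-quad IPv4 address; fail on bad input.
mac_from_ip() {
    ip=$1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        case $octet in
            '' | *[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    printf 'FE:00:%02X:%02X:%02X:%02X\n' "$1" "$2" "$3" "$4"
}

# Print (do not run) the ebtables commands that whitelist exactly this
# MAC/IP pair on the given vif and drop every other frame the domU emits.
vif_rules() {
    vif=$1
    ip=$2
    mac=$(mac_from_ip "$ip") || return 1
    # Chain names: replace dots (vif1.0) so the name is a plain identifier.
    chain="vif_$(printf '%s' "$vif" | tr . _)"
    cat <<EOF
ebtables -N $chain
ebtables -P $chain DROP
# Frames entering the bridge from this vif, whether bridged on to other
# ports (FORWARD) or delivered to dom0 itself (INPUT), go through the chain.
ebtables -A FORWARD -i $vif -j $chain
ebtables -A INPUT -i $vif -j $chain
# Any frame not carrying the assigned source MAC is dropped at once.
ebtables -A $chain -s ! $mac -j DROP
# ARP: sender MAC and sender IP must both match, so the domU can neither
# poison its neighbours' ARP caches nor announce a second address.
ebtables -A $chain -p ARP --arp-mac-src $mac --arp-ip-src $ip -j ACCEPT
# IPv4: only the assigned source address ...
ebtables -A $chain -p IPv4 --ip-src $ip -j ACCEPT
# ... plus the DHCP request a domU sends before it has an address.
ebtables -A $chain -p IPv4 --ip-src 0.0.0.0 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT
# Everything else (other protocols, other IPs) hits the chain's DROP policy.
EOF
}

# Apply the rules for real; run as root in dom0.
apply_vif_rules() {
    vif_rules "$1" "$2" | sh -e
}
```

Usage: `vif_rules vif1.0 10.0.0.5` prints the rule set for review, `apply_vif_rules vif1.0 10.0.0.5` installs it. Note what this does and does not cover: it filters what the domU sends (source MAC, ARP sender fields, IP source), which is what stops it from flooding the LAN with bogus addresses; it does not restrict destination MACs, since a domU legitimately sends to any host it has resolved, and the DHCP exception means the server behind the bridge must still hand out the address that matches the pinned MAC.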



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users