xen-users

Re: [Xen-users] Dom-U config: whats the role of vif - IP

To: Christoph Purrucker <cp+ml-xen@xxxxxxxx>
Subject: Re: [Xen-users] Dom-U config: whats the role of vif - IP
From: Tim Post <tim.post@xxxxxxxxxxxxxxx>
Date: Mon, 25 Sep 2006 00:58:41 +0800
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Sun, 24 Sep 2006 09:59:38 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <1159116775.25091.13.camel@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Organization: Net Kinetics
References: <58902.194.39.218.10.1158918727.squirrel@xxxxxxxxxxxxxxxxx> <1159116775.25091.13.camel@xxxxxxxxxxxxxxxxxxxxx>
Reply-to: tim.post@xxxxxxxxxxxxxxx
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
I forgot to mention, this is only useful when used in conjunction with
antispoof, or something else (custom shorewall setups / etc) running on
dom-0 that is smart enough to handle it.

No "magic" happens within Xen itself to prevent this just because the
variables are specified. 

I need to start paying attention to list netiquette and stop assuming
everyone knows I'm alluding to a utility that I didn't bother to mention
in my reply (shorewall / iptables). Sorry about the double reply and
quotes :)

-Tim

On Mon, 2006-09-25 at 00:52 +0800, Tim Post wrote:
> This is really a big issue for people such as web hosting providers who
> will be giving 'untrusted' root access to dom-u's to the general public.
> 
> VPS servers are a very popular choice for those who purchase hosting
> services with less than honorable intentions. 
> 
> Since many do set up their networks for ease of administration (meaning,
> whatever dom-u broadcasts an IP on a subnet that knows about it, owns
> it) this allows one dom-u to 'hijack' the IP of another and use it for
> abusive activity, intercept traffic, etc.
> 
> If you have only 'trusted' root users on your dom-u's and don't run
> insecure public services from them, it's pretty safe to just leave things
> easy and do your networking at the dom-u end.
> 
> Depending on the quality of the network feeding your bridges (if using
> them), you may find it handy to specify a mac address in both the xen
> configuration and dom-u network init scripts.
> 
> So there really isn't a right or wrong answer... other than be sure
> allowing dom-u's to bring up their own IPs fits your security model :)
> 
> HTH,
> -Tim
> 
> On Fri, 2006-09-22 at 11:52 +0200, Christoph Purrucker wrote:
> > Hello,
> > 
> > In the example configuration files I always read that I have to add an
> > IP address if I don't have a DHCPd running. I'm running in bridge mode. For
> > example:
> > 
> > vif = ['ip=192.168.5.99']
> > 
> > But I don't want to configure the IP address in a config file on Dom-0;
> > the admin of the Dom-U should do that with Dom-U's ifconfig (or Debian's
> > /etc/network/interfaces). I started several Dom-Us with
> > 
> > vif = ['']
> > 
> > and it seems that they run quite fine with a locally configured
> > interface. And furthermore, if I change the above vif = ['ip=192.168.5.99']
> > to any other IP, the Dom-U is still reachable under its locally
> > configured IP (and not under the new one in the config file) after
> > rebooting the Dom-U.
> > 
> > So what's the sense of the above parameter?
> > 
> > cu cp
> > 
> > 
> > _______________________________________________
> > Xen-users mailing list
> > Xen-users@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/xen-users

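Tim's point above is that `ip=` in the vif line is only a hint until something in dom-0 enforces it. The script below is an added illustration, not Xen's own vif-bridge/vif-common scripts or anything from this thread: it prints the dom-0 iptables rules that would tie a vif to the address(es) listed for it, and shows that with no address (Christoph's `vif = ['']`) nothing is checked. It assumes bridged networking with a kernel that has the `physdev` match; the vif name `vif1.0` is a placeholder.

```shell
#!/bin/sh
# Added example: emit antispoof FORWARD rules for one guest vif (dom-0 side).
# Bridged frames pass through the FORWARD chain, so matching on the incoming
# vif with -m physdev lets dom-0 decide which source IPs a guest may use.

# antispoof_rules VIF [IP ...]
# Prints one iptables command per line; run the output as root on dom-0.
antispoof_rules() {
    vif=$1; shift
    if [ $# -eq 0 ]; then
        # No ip= for this vif: there is nothing to compare against, so frames
        # from the guest are forwarded whatever address it configures locally.
        echo "iptables -A FORWARD -m physdev --physdev-in $vif -j ACCEPT"
        return 0
    fi
    # Traffic back to the guest: only replies to flows it opened itself.
    echo "iptables -A FORWARD -m physdev --physdev-out $vif -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Let the guest obtain a lease: DHCP client port 68 to server port 67 only.
    echo "iptables -A FORWARD -m physdev --physdev-in $vif -p udp --sport 68 --dport 67 -j ACCEPT"
    # Forward frames from this vif only when the source IP is one we assigned.
    for addr in "$@"; do
        echo "iptables -A FORWARD -m physdev --physdev-in $vif -s $addr -j ACCEPT"
    done
    # Anything else from this vif (a spoofed or 'hijacked' address) is logged
    # and dropped, so attempts show up in dom-0's kernel log.
    echo "iptables -A FORWARD -m physdev --physdev-in $vif -j LOG --log-prefix \"xen-antispoof $vif: \""
    echo "iptables -A FORWARD -m physdev --physdev-in $vif -j DROP"
}

# count_rules VIF [IP ...] -> number of rules emitted (4 fixed + one per IP,
# or a single unrestricted rule when no IP is given)
count_rules() {
    antispoof_rules "$@" | wc -l | tr -d ' '
}

# The case from the thread: the guest behind vif1.0 was given 192.168.5.99.
antispoof_rules vif1.0 192.168.5.99
```

The same rules are removed with `-D` instead of `-A` when the vif goes away; a `FORWARD` policy of ACCEPT without the per-vif DROP would let a guest's self-chosen address through, which is exactly the behaviour Christoph observed.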