This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


RE: [Xen-users] ip which is already being used can be taken by windowsvp

To: "xen-users@xxxxxxxxxxxxxxxxxxx" <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] ip which is already being used can be taken by windowsvps
From: Nathan Eisenberg <nathan@xxxxxxxxxxxxxxxx>
Date: Sun, 18 Oct 2009 00:42:07 -0700
Accept-language: en-US
Delivery-date: Sun, 18 Oct 2009 00:43:34 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <AEC6C66638C05B468B556EA548C1A77D0177DA93@trantor>
References: <2f88f10c0910171335i431bb68ah5d103930990358a3@xxxxxxxxxxxxxx> <AEC6C66638C05B468B556EA548C1A77D0177DA93@trantor>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcpPaaNIlsyG3zAPStazlSGOhuEQcQAKMebAAAzy9cA=
Thread-topic: [Xen-users] ip which is already being used can be taken by windowsvps
> Some suggestions:
> 1. Make sure that anything that ever wants to talk to uses SSL
> so that it can never be impersonated. Make sure that you pay attention
> if your ssh client ever complains that the key has changed.
> 2. Put each VM on a /30 network and route everything to it. It might be
> a pain to maintain but it greatly reduces the attack surface.
> 3. Use iptables to filter that port to make sure the source IP address
> is correct (remember to allow for DHCP queries if you use that - they
> will appear to come from I think).
> 4. Install arpwatch (I think that's what it's called) that can notify
> if the relationship between a mac address and an IP address changes
> James

If you're going to do #2, you may as well use /31s and save 2 IPs per host.

Best Regards,
Nathan Eisenberg
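
An added example, not part of the original thread: it compares the /30 plan from suggestion #2 with the /31 plan from the reply and derives the per-guest source-address filter of suggestion #3. The pool 192.0.2.0/28, the VM names and the vif interface names are constructed, and it assumes a routed setup with statically addressed guests (so no DHCP exception is generated).

```python
import ipaddress

def capacity(pool, prefixlen):
    """Number of per-VM subnets of the given size that fit in the pool."""
    net = ipaddress.ip_network(pool)
    if not net.prefixlen <= prefixlen <= 31:
        raise ValueError("per-VM prefix must be inside the pool and at most /31")
    return 2 ** (prefixlen - net.prefixlen)

def endpoints(net):
    """Return (dom0-side gateway, guest) addresses for a point-to-point subnet."""
    if net.prefixlen == 31:
        return net[0], net[1]   # RFC 3021: both addresses are usable
    if net.prefixlen == 30:
        return net[1], net[2]   # net[0] is the network, net[3] the broadcast
    raise ValueError("only /30 and /31 are handled here")

def plan(pool, prefixlen, vifs):
    """Assign one subnet per VM; `vifs` maps VM name -> backend interface."""
    if len(vifs) > capacity(pool, prefixlen):
        raise ValueError("pool too small for %d VMs" % len(vifs))
    subnets = ipaddress.ip_network(pool).subnets(new_prefix=prefixlen)
    rows = []
    for (name, vif), net in zip(vifs.items(), subnets):
        gateway, guest = endpoints(net)
        rows.append({
            "vm": name, "subnet": str(net),
            "gateway": str(gateway), "guest": str(guest),
            # Drop traffic forwarded from this vif unless the source
            # is the address assigned to that guest.
            "rule": "iptables -A FORWARD -i %s ! -s %s -j DROP" % (vif, guest),
        })
    return rows

# Constructed sample input (documentation address range, made-up vif names).
POOL = "192.0.2.0/28"
VIFS = {"vm1": "vif1.0", "vm2": "vif2.0", "vm3": "vif3.0"}

if __name__ == "__main__":
    for plen in (30, 31):
        print("/%d: room for %d VMs in %s" % (plen, capacity(POOL, plen), POOL))
        for row in plan(POOL, plen, VIFS):
            print("  {vm}: {subnet} gw {gateway} guest {guest}".format(**row))
            print("    " + row["rule"])
```
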
