Good day.
I would like to raise a question which has bothered me (and not only me) for a long time.
How can we protect one guest from malicious actions by another guest?
One of the simplest ways to break a network is spoofing (usurping) some
IP/MAC addresses on the network by abusing ARP or (even) simply assigning a wrong
IP to a guest machine's network interface.
Classic Xen shipped with antispoofing scripts, but XCP does not.
What problems shall we solve for quality antispoofing?
Restrictions:
1) Shall be configurable (some interfaces must be restricted, some not)
2) Must be applied on EVERY host in the pool
3) Shall be removed when the VM is down or migrated out (must not disturb any
other VM)
4) Shall survive reboot (when the dom ID and the vif interface in dom0
change)
5) Shall survive migration
6) Shall restrict both IP and MAC usage.
I created a simple patch to /etc/xensource/scripts/vif (it is called
every time a new vif is initialized or deinitialized).
It depends on openvswitch (and does not work with classic brtools),
using /etc/xensource/ip_restriction.conf with the following syntax:
vif-uuid ip
(one per line), e.g.
25ca3ed1-06ea-5f58-9283-f2af3e8b373e 192.168.1.144
This file must be identical on every host in the pool.
If the vif uuid is not listed in this file, it silently does nothing. If
openvswitch is not used, it silently does nothing.
If an IP (right now only IPv4) is assigned to a vif-uuid, that vif is
restricted to its MAC (autodetected via xenstore) too.
When the vif goes down (VM down, migrated or rebooted) it clears all
restrictions on the openvswitch port right before port unplugging.
The main concern is the usage of a configuration file instead of xapi. I think it
must be placed somewhere in the vif's other-config (but that is far beyond my
knowledge, and I expect some help with this). xapi shall place
ip_restriction in other-config and copy it to xenstore for the vif, to be
readable from the scripts/vif script.
This patch is against XCP 0.5 (not 1.0b).
diff -r /etc/xensource/scripts.old/vif /etc/xensource/scripts/vif
26a27,29
> ofctl="/usr/bin/ovs-ofctl"
>
> IP_RESTRICTION="/etc/xensource/ip_restriction.conf"
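Review bot: the file format is documented only in the mail, not at the definition; add a comment above `IP_RESTRICTION="/etc/xensource/ip_restriction.conf"` stating the one-entry-per-line `vif-uuid ip` syntax and that the file must be identical on every host in the pool, since anyone editing the script later sees only the path.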
156a160,206
>
> restrict_ipv4 ()
> {
> #applying acl for specified port and ipv4 address
> logger -t scripts-vif "VIF uuid=$vif device=$dev ovs_port=$port bridge=$bridge restricted to use IPv4 $IP only with mac $mac address."
> $ofctl add-flow $bridge "in_port=$port priority=39000 dl_type=0x0800 nw_src=$IP dl_src=$mac idle_timeout=0 action=normal"
> $ofctl add-flow $bridge "in_port=$port priority=38500 dl_type=0x0806 dl_src=$mac idle_timeout=0 action=normal"
> $ofctl add-flow $bridge "in_port=$port priority=38000 idle_timeout=0 action=drop"
> }
>
> apply_restriction()
> {
> #we reading file $IP_RESTRICTION (f.e. /etc/xensource/ip_restriction.conf) and apply it
> #we supports only for openvswitch mode and silently ignore all others NETWORK_MODE
> if [[ $NETWORK_MODE != "openvswitch" ]]; then
> return 0
> fi
> vif=$(xenstore-read "${PRIVATE}/vif-uuid" 2>/dev/null)
> if [ -n "${vif}" ] ; then
> bridge=$(xenstore-read "${PRIVATE}/bridge")
> port=`$vsctl get Interface $dev ofport`
> if [ -n "${bridge}" -a -n "${port}" ]; then
> IP=`grep $vif $IP_RESTRICTION|head -n 1|awk '{print $2}'`
> if [ -n "${IP}" ]; then
> mac=$(xenstore-read "/local/domain/$DOMID/device/vif/$DEVID/mac" 2>/dev/null)
> restrict_ipv4
> #here will be autoselection between IPv4 and IPv6 address to apply different filters
> fi
> fi
>
> fi
>
> }
>
> clear_restriction()
> {
> #we clear all restriction for port
> #we supports only for openvswitch mode and silently ignore all others NETWORK_MODE
> if [[ $NETWORK_MODE != "openvswitch" ]]; then
> return 0
> fi
> port=`$vsctl get Interface $dev ofport`
> $ofctl del-flows xenbr1 "in_port=$port"
> logger -t scripts-vif "cleaning all restriction for port $port device $dev"
>
> }
>
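Review bot: clear_restriction deletes flows from a hardcoded bridge, `$ofctl del-flows xenbr1 "in_port=$port"`, while apply_restriction installs them on `$bridge` read from `${PRIVATE}/bridge`; for a VIF on any other bridge the priority-38000 drop rule is never removed and, because ofport numbers are reused, can later hit a different VIF, which breaks restriction 3. Read the bridge from xenstore in clear_restriction as well, and skip the del-flows when `$port` is empty so an already-unplugged interface does not produce a malformed `in_port=` match. Two further points: the ARP rule `dl_type=0x0806 dl_src=$mac` pins only the source MAC, so the guest can still send ARP replies claiming any IP with its own MAC, which is the ARP spoofing the restriction is meant to stop; add `arp_spa=$IP` (or `nw_src=$IP`) to that rule. And `grep $vif $IP_RESTRICTION` is unanchored and unquoted, so a substring match selects the wrong entry and a missing file makes grep print an error instead of being silent as the mail describes; use `grep "^$vif " "$IP_RESTRICTION"` and test that the file exists first.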
210a261
> apply_restriction
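Review bot: apply_restriction relies on `$vsctl get Interface $dev ofport` returning a number, which it does only after the port has been added to the bridge; the `210a261` context shows no surrounding lines, so confirm this call sits after the add-port step, otherwise `port` is empty, the restriction is silently skipped and the VIF comes up unfiltered.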
223a275
> apply_restriction
231a284
> clear_restriction
_______________________________________________
xen-api mailing list
[email protected]
http://lists.xensource.com/mailman/listinfo/xen-api
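As an added example (my own code, not the posted patch and not anything shipped with XCP): the config lookup and the flow set described above, written as standalone shell functions so the logic can be checked offline. It assumes the "vif-uuid ip" one-entry-per-line format from the mail; the function names, the exit codes and the arp_spa pin on the ARP rule are this example's own, and ovs-ofctl is printed rather than executed.

```shell
#!/bin/sh
# Added example, not part of the posted patch: parse an ip_restriction.conf
# style file ("vif-uuid ip", one entry per line, as described in the mail),
# validate the entry and build the per-port OpenFlow rules. ovs-ofctl is not
# executed; the commands are printed so the logic can be checked offline.
# Function names, the exit codes and the arp_spa pin are this example's own.

# lookup_ip FILE UUID: print the address recorded for UUID, nothing if absent.
# The uuid must equal the whole first field (no substring match anywhere in
# the line), and an unreadable file counts as "no entry" rather than an error.
lookup_ip() {
    [ -r "$1" ] || return 0
    awk -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# restriction_flows BRIDGE PORT IP MAC: print the three ovs-ofctl commands.
# Same shape as the patch (allow IPv4 from IP+MAC, allow ARP, drop the rest),
# but the ARP rule also pins arp_spa so the guest cannot answer ARP for
# another host's address using its own MAC.
restriction_flows() {
    bridge=$1; port=$2; ip=$3; mac=$4
    printf 'ovs-ofctl add-flow %s "in_port=%s,priority=39000,dl_type=0x0800,dl_src=%s,nw_src=%s,idle_timeout=0,actions=normal"\n' "$bridge" "$port" "$mac" "$ip"
    printf 'ovs-ofctl add-flow %s "in_port=%s,priority=38500,dl_type=0x0806,dl_src=%s,arp_spa=%s,idle_timeout=0,actions=normal"\n' "$bridge" "$port" "$mac" "$ip"
    printf 'ovs-ofctl add-flow %s "in_port=%s,priority=38000,idle_timeout=0,actions=drop"\n' "$bridge" "$port"
}

# restriction_for FILE UUID BRIDGE PORT MAC: print the commands for UUID's
# entry; print nothing and succeed when there is no entry; fail with status 2
# when the entry is not a valid IPv4 address, so the caller can log it instead
# of installing a half-formed rule set (the patch would pass the bad value on).
restriction_for() {
    ip=$(lookup_ip "$1" "$2")
    [ -n "$ip" ] || return 0
    valid_ipv4 "$ip" || return 2
    restriction_flows "$3" "$4" "$ip" "$5"
}

# Constructed sample config: the uuid from the mail plus a deliberately bad entry.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
25ca3ed1-06ea-5f58-9283-f2af3e8b373e 192.168.1.144
deadbeef-0000-0000-0000-000000000000 192.168.1.300
EOF
restriction_for "$sample_conf" 25ca3ed1-06ea-5f58-9283-f2af3e8b373e xenbr0 5 00:16:3e:aa:bb:cc
rm -f "$sample_conf"
```

One caveat that applies to this example and to the patch alike: with nw_src pinned to the configured address, a DHCP DISCOVER sent from 0.0.0.0 is dropped by the priority-38000 rule, so a restricted guest has to be statically addressed.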