Hi

I am having an FC5 guest run on top of an FC5 host. I have configured the virtual network card for FC5 in the guest operating system. This network card is expected to have been allotted many IP addresses. Is there a secure way in Xen to get information as to what are those IPs?

Thanks
Sanjam
On Thu, Sep 21, 2006 at 05:21:29AM -0700, Sanjam Garg wrote:
> Hi
>
> I am having FC5 guest run on top FC5 host. I have configured the virtual
> network card for FC5 in the guest operating system. This network card is
> expected to have been allotted many IP addresses. Is there a secure way
> in Xen to get information as to what are those IP's?

You don't mention what mode you've got the Xen Dom0 networking in, but I'll assume you're using the Fedora default which is bridging.

With bridging, each DomU's virtual NIC gets pretty much directly connected to the physical LAN. As such Dom0 has no involvement in assigning IP addresses. The DomU will get its IP address either manually (DomU admin setting it in /etc/sysconfig/...) or automatically via DHCP.

With bridging there isn't really any 100% reliable way to determine what the DomU's IP address is from Dom0. You can take a best guess by sniffing the network traffic on the vif, but that's all it is - a best 'guess'.

Dan
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

Daniel P. Berrange
2006-Sep-21 18:02 UTC
Re: [Xen-devel] Re: [Fedora-xen] IP addresses used by domU
On Thu, Sep 21, 2006 at 10:50:11AM -0700, Sanjam Garg wrote:
> thanks a lot.
>
> Your assumption on bridging was correct...but the fact is that I
> can't use sniffing to make a guess as my system has constraints laid
> down by the intentions of the user who may use some packet source
> IP spoofing to mislead dom0. If that's all that can be done then I
> would need to do something more rigorous...

When using bridging the network security concerns are pretty much exactly the same for those of a bare metal machine - the whole point of bridging is that the guest is connecting directly to the LAN as any physical machine would. Thus if you don't trust the admin of the DomU then don't let them connect straight to the network. For example, you can switch Xen to an alternative networking config where DomU's have to be forwarded & NAT'd using IPTables to get LAN access.

If you really want to use bridging I guess you could try filtering out any traffic from the DomU's particular vif which has an unexpected source IP address, but really best bet is to go for NAT & remove their direct access.

Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
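
The per-vif source address filtering suggested in the reply above could be set up in Dom0 along these lines. This is an added example, not part of the original thread and not Xen's own scripts; the interface name vif1.0, the 192.0.2.x addresses, the chain name and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules that pin a bridged DomU
# vif to a fixed list of source IPv4 addresses.
# Assumptions: vif1.0 and the 192.0.2.x addresses are constructed samples;
# the DomU uses static addresses (DHCP's 0.0.0.0 source would be dropped);
# Dom0 has net.bridge.bridge-nf-call-iptables=1 so bridged frames reach
# the FORWARD chain.

valid_ipv4() {
    # Dotted quad, each octet 0..255; anything else is rejected.
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_vif() {
    # Xen backend interfaces are named vif<domid>.<devid>.
    case "$1" in vif*) ;; *) return 1 ;; esac
    case "${1#vif}" in
        *[!0-9.]*|.*|*.|*.*.*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

vif_antispoof_rules() {
    vif=$1
    valid_vif "$vif" || { echo "bad vif name: $vif" >&2; return 1; }
    shift
    [ "$#" -gt 0 ] || { echo "no allowed addresses" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    chain="vifsrc_$(printf '%s' "${vif#vif}" | tr . _)"
    echo "iptables -N $chain"
    for ip in "$@"; do
        echo "iptables -A $chain -s $ip -j RETURN"   # expected source
    done
    echo "iptables -A $chain -j LOG --log-prefix 'spoof $vif: '"
    echo "iptables -A $chain -j DROP"                # everything else
    echo "iptables -I FORWARD -m physdev --physdev-in $vif -j $chain"
}
```

Calling `vif_antispoof_rules vif1.0 192.0.2.10 192.0.2.11` prints the rules for review before they are run as root in Dom0. The rules cover IPv4 source addresses only; forged ARP replies on the bridge are outside what iptables sees.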