Hi, is it possible to enforce any kind of anti-spoofing in XVM?

For example, with a Linux dom0 in bridge mode and using a combination of iptables and ebtables rules in the xen vif script, I can chain a domU to a given MAC and IP address(es) such that the 'evil user' of that domU cannot spoof traffic destined for any other MAC and IP - they simply end up making their network connection unresponsive.

Is it possible to somehow achieve the same under XVM?

Many thanks,
Matt.

-- This message posted from opensolaris.org
On 21 Dec 2009, at 1:02pm, Matt wrote:
> is it possible to enforce any kind of anti-spoofing in XVM?
>
> For example, with a Linux dom0 in bridge mode and using a combination of iptables and ebtables rules in the xen vif script, I can chain a domU to a given MAC and IP address(es) such that the 'evil user' of that domU cannot spoof traffic destined for any other MAC and IP - they simply end up making their network connection unresponsive.
>
> Is it possible to somehow achieve the same under XVM?

Link Protection (http://arc.opensolaris.org/caselog/PSARC/2009/436/) can be used to implement some (perhaps all) of what you want. Currently it's not integrated into the xVM tools, so you have to do some manual manipulation of the properties of the vnic used by a guest.
Thanks, David.

Could you please give me a little more info on what you mean by 'some manual manipulation of the properties of the vnic used by a guest'? - in the guest config, scripted in a vif script? Or maybe a small example?

Many thanks,
Matt.
On 23 Dec 2009, at 3:41pm, Matt wrote:
> Could you please give me a little more info on what you mean by 'some manual manipulation of the properties of the vnic used by a guest'? - in the guest config, scripted in a vif script? Or maybe a small example?

There's no integration into the xVM tools currently, so you can either modify the scripts yourself or do things outside the scripts.

You should note that I haven't tried any of this...

Before modifying the scripts, try enabling link protection manually. Something like:

- boot the domain,
- note the number of the domain (xm list) - let's assume that it's 237 in this example,
- apply link protection to the link belonging to the guest:

    dladm set-linkprop \
        -p protection=mac-nospoof,restricted xvm237_0

The definition of 'mac-nospoof' and 'restricted' are documented in the ARC materials (http://arc.opensolaris.org/caselog/PSARC/2009/436/final.materials/link_protect.txt).

From the guest, now try sending packets which would violate the policy and check whether they appear on the wire.

Using 'ip-nospoof' is obviously a little more complicated, as you must specify the acceptable set of IP addresses.

If this all works then I'd try updating the /usr/lib/xen/scripts/vif-vnic script to apply the relevant restrictions whenever a VNIC is created for a guest.
On Tue, Dec 29, 2009 at 7:24 PM, David Edmondson <dme@sun.com> wrote:
>
> On 23 Dec 2009, at 3:41pm, Matt wrote:
> > Could you please give me a little more info on what you mean by 'some
> > manual manipulation of the properties of the vnic used by a guest'? - in the
> > guest config, scripted in a vif script? Or maybe a small example?
>
> There's no integration into the xVM tools currently, so you can either
> modify the scripts yourself or do things outside the scripts.
>
> You should note that I haven't tried any of this...
>
> Before modifying the scripts, try enabling link protection manually.
> Something like:
> - boot the domain,
> - note the number of the domain (xm list) - let's assume that it's 237 in
> this example,
> - apply link protection to the link belonging to the guest:
> dladm set-linkprop \
> -p protection=mac-nospoof,restricted xvm237_0
>

Note that dladm will give out a misleading error in this case:

    dladm: warning: invalid link property 'protection'

It's because xvm vnics are created as temporary vnics (created with -t), so 'set-linkprop' or 'reset-linkprop' should also apply "-t" here.

-Siwei

> The definition of 'mac-nospoof' and 'restricted' are documented in the ARC
> materials (
> http://arc.opensolaris.org/caselog/PSARC/2009/436/final.materials/link_protect.txt).
> From the guest, now try sending packets which would violate the policy and
> check whether they appear on the wire.
>
> Using 'ip-nospoof' is obviously a little more complicated, as you must
> specify the acceptable set of IP addresses.
>
> If this all works then I'd try updating the /usr/lib/xen/scripts/vif-vnic
> script to apply the relevant restrictions whenever a VNIC is created for a
> guest.
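The manual procedure David describes, with Siwei's -t correction folded in, as an added shell example that is not from the thread or from the xVM tools. It assumes the xvm<domid>_<index> VNIC naming used above and that the address list for ip-nospoof is set through an 'allowed-ips' link property (an assumed property name; the thread does not mention it).

```shell
#!/bin/sh
# Added example (not code from the thread or the xVM scripts): build and
# optionally run the dladm commands that apply link protection to the VNIC
# of an xVM guest. Assumptions: VNICs are named xvm<domid>_<index>, and the
# permitted addresses for ip-nospoof go in an 'allowed-ips' property
# (assumed name, not taken from the thread).

# Print the command line for domain id $1, VNIC index $2 (default 0) and an
# optional comma-separated list of permitted IP addresses $3.
link_protection_cmd() {
    domid=$1
    idx=${2:-0}
    ips=$3
    link="xvm${domid}_${idx}"
    prot="mac-nospoof,restricted"
    # ip-nospoof needs an address list, so it is only enabled when one is given.
    if [ -n "$ips" ]; then
        prot="$prot,ip-nospoof"
    fi
    # -t: xVM creates its VNICs as temporary links, so the property change
    # must be temporary too, otherwise dladm reports 'invalid link property'.
    printf 'dladm set-linkprop -t -p protection=%s %s' "$prot" "$link"
    if [ -n "$ips" ]; then
        printf ' && dladm set-linkprop -t -p allowed-ips=%s %s' "$ips" "$link"
    fi
    printf '\n'
}

# Resolve a domain name to its id via `xm list` (columns: Name ID ...);
# a numeric argument is returned unchanged.
domain_id() {
    case $1 in
        *[!0-9]*|'') xm list | awk -v n="$1" 'NR > 1 && $1 == n { print $2 }' ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Apply the restriction to a running guest, e.g.:
#   apply_link_protection 237
#   apply_link_protection mydomu 0 10.0.0.5
apply_link_protection() {
    id=$(domain_id "$1") || return 1
    [ -n "$id" ] || { echo "domain '$1' not found" >&2; return 1; }
    cmd=$(link_protection_cmd "$id" "${2:-0}" "$3")
    sh -c "$cmd"
}
```

Source the file in dom0 and call apply_link_protection after the guest has booted; the same functions can be called from a modified vif-vnic script once the manual test has shown the policy behaves as expected.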