Daniel Pocock
2013-Jul-08 08:33 UTC
[Pkg-xen-devel] Bug#715333: IPv6 security risks with XCP dom0
Package: xcp-xapi
Version: 1.3.2-14
Severity: important

I understand that XCP version 1.3 doesn't support IPv6.

This blog talks about enabling it in v1.6:
http://jeffloughridge.wordpress.com/2013/06/16/ipv6-in-xcp-1-6/

However, one observation that I have made is that the dom0 host, in a default wheezy installation, has kernel IPv6 enabled and appears to have a link-local address on every interface for every domU.

This means that the dom0 has IP connectivity to every domU, even if some of the domUs are configured behind a virtual firewall and not explicitly bridged to the dom0.

A workaround would simply be explicitly disabling IPv6 in dom0 (e.g. removing the kernel module) as it is not supported by the dom0 tools on wheezy anyway.

However, it may be prudent for the network setup scripts to explicitly ensure that the dom0 doesn't have link-local addresses on the virtual bridges, except in those cases where the dom0 is meant to participate in a particular bridge.
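An added example, not part of the original report or of the XCP network scripts: a check for the condition described above, listing dom0 interfaces that hold an IPv6 link-local address but are not on an allow-list of interfaces dom0 is meant to participate in. The interface names, addresses and the allow-list (eth0, xenbr0) are assumptions made for the sample.

```sh
#!/bin/sh
# Constructed sample of `ip -o -6 addr show` output from a dom0
# (interface names and addresses are made up for illustration).
sample_ip_output() {
cat <<'EOF'
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::216:3eff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever
5: xenbr0    inet6 fe80::216:3eff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever
7: xapi1    inet6 fe80::fcff:ffff:feff:ffff/64 scope link \       valid_lft forever preferred_lft forever
9: vif1.0    inet6 fe80::fcff:ffff:feff:ffff/64 scope link \       valid_lft forever preferred_lft forever
10: vif2.0    inet6 fe80::fcff:ffff:feff:ffff/64 scope link \       valid_lft forever preferred_lft forever
EOF
}

# Read `ip -o -6 addr show` output on stdin; print every interface that holds
# a link-local address and is not named in the arguments (the allow-list).
unexpected_linklocal() {
    allowed=" $* "
    awk '$3 == "inet6" && / scope link/ { sub(/@.*/, "", $2); print $2 }' |
    LC_ALL=C sort -u |
    while read -r ifc; do
        case "$allowed" in
            *" $ifc "*) ;;                 # dom0 is meant to be on this one
            *) printf '%s\n' "$ifc" ;;     # link-local address nobody asked for
        esac
    done
}

# Turn interface names on stdin into per-interface disable commands.
# The /proc path is used because names such as vif1.0 contain a dot,
# which the dotted sysctl key syntax would treat as a separator.
remediation_commands() {
    while read -r ifc; do
        printf 'echo 1 > /proc/sys/net/ipv6/conf/%s/disable_ipv6\n' "$ifc"
    done
}

# Dry run on the sample. On a real dom0, feed it: ip -o -6 addr show scope link
sample_ip_output | unexpected_linklocal eth0 xenbr0 | remediation_commands
```

The commands are only printed, so the list can be reviewed before anything is changed; writing 1 to disable_ipv6 makes the kernel drop the IPv6 addresses on that interface.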
Debian Bug Tracking System
2014-Mar-02 18:46 UTC
[Pkg-xen-devel] Bug#715333: marked as done (IPv6 security risks with XCP dom0)
Your message dated Sun, 02 Mar 2014 18:42:06 +0000 with message-id <E1WKBKw-0004SD-Mw at franck.debian.org> and subject line Bug#740517: Removed package(s) from unstable has caused the Debian Bug report #715333, regarding IPv6 security risks with XCP dom0 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.)

--
715333: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=715333
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Daniel Pocock <daniel at pocock.com.au>
Subject: IPv6 security risks with XCP dom0
Date: Mon, 08 Jul 2013 10:33:16 +0200
Size: 2779
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20140302/269a8ac6/attachment.mht>

-------------- next part --------------
An embedded message was scrubbed...
From: Debian FTP Masters <ftpmaster at ftp-master.debian.org>
Subject: Bug#740517: Removed package(s) from unstable
Date: Sun, 02 Mar 2014 18:42:06 +0000
Size: 3078
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20140302/269a8ac6/attachment-0001.mht>