Reiner Sailer
2006-Aug-31 04:52 UTC
[Xense-devel] [RFC][PATCH][ACM] enforcing ACM policy on network traffic between virtual network interfaces
This patch adds an ACM hook into the network scripts (/etc/xen/scripts). It adds iptables rules that enforce mandatory access control on network packets exchanged between virtual interfaces. If ACM is active, this patch sets the default FORWARD policy in Dom0 to DROP and adds iptables ACCEPT rules between vifs that belong to domains that are permitted to share (determined by using the get_decision ACM hypervisor call). If ACM is not active, this patch is transparent to the operation of networking in Xen.

This topic was discussed here <http://lists.xensource.com/archives/html/xen-devel/2006-07/msg01005.html>, as were the implications. For example, the recent suggestion to move packets directly between physical and virtual interfaces to avoid running through the bridge <http://lists.xensource.com/archives/html/xen-devel/2006-08/msg01583.html> would, if implemented, bypass this access control unless those new mechanisms call the netfilter hooks that are called by the bridge.

Attached are examples of iptables rulesets in bridging, routing, and NAT network setups. The patch is also attached.

Please note that many iptables rules shown below could be collapsed if we assumed that all domains are permitted to talk to Domain0, i.e., all vifX.Y can communicate with vif0.Y. In this case, we can just add two rules saying in/out traffic through vif0.Y is always ACCEPTed. This patch currently does not leverage this simplification because we anticipate that Domain0 will become less powerful than it is today.

Comments welcome.

Thanks
Reiner

The following shows examples of routes related to running domains. The policy is set up so that domains 1, 4, and 5 are permitted to communicate among each other and all domains can communicate with Domain0. ACM enforcement-related iptables rules are moved into the FORWARD chain; any antispoof rules go into the INPUT chain.
Example with 1 bridge and 5 domains:
=========================
[root@941e-4 ~]# ip
Chain FORWARD (policy DROP 13 packets, 4302 bytes)
 pkts bytes target prot opt in  out source   destination
 5329  445K ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in peth0
 1593  272K ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-out peth0
    2  1152 ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in vif1.0 --physdev-out vif0.0
  178 18153 ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in vif0.0 --physdev-out vif1.0
    2  1152 ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in vif2.0 --physdev-out vif0.0
  142 15519 ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in vif0.0 --physdev-out vif2.0
    2  1152 ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in vif3.0 --physdev-out vif0.0
   98 12646 ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in vif0.0 --physdev-out vif3.0
    0     0 ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in vif4.0 --physdev-out vif0.0
    0     0 ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in vif0.0 --physdev-out vif4.0
    0     0 ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in vif4.0 --physdev-out vif1.0
    0     0 ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in vif1.0 --physdev-out vif4.0
    0     0 ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in vif5.0 --physdev-out vif0.0
    0     0 ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in vif0.0 --physdev-out vif5.0
    0     0 ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in vif5.0 --physdev-out vif1.0
    0     0 ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in vif1.0 --physdev-out vif5.0
    0     0 ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in vif5.0 --physdev-out vif4.0
    0     0 ACCEPT all  --  any any anywhere anywhere  PHYSDEV match --physdev-in vif4.0 --physdev-out vif5.0

Chain INPUT (policy ACCEPT 3343 packets, 312K bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1595 packets, 269K bytes)
 pkts bytes target prot opt in out source destination

[root@941e-4 ~]# xm list --label
Name      ID Mem(MiB) VCPUs State  Time(s) Label
domain1    1      164     1 -b----     6.5 Avis
domain4    4      164     1 -b----     6.6 Avis
domain5    5      164     1 -b----     6.5 Avis
domain3    3      164     1 -b----     6.6 CocaCola
domain2    2      164     1 -b----     6.4 Hertz
Domain-0   0     1948     4 r-----   218.4 SystemManagement

Example for NAT:
===========
[root@941e-4 ~]# iptables -L -v
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in     out    source   destination
    0     0 ACCEPT all  --  eth0   any    anywhere anywhere
    0     0 ACCEPT all  --  any    eth0   anywhere anywhere
    0     0 ACCEPT all  --  vif4.0 vif1.0 anywhere anywhere
    0     0 ACCEPT all  --  vif1.0 vif4.0 anywhere anywhere
    0     0 ACCEPT all  --  vif5.0 vif1.0 anywhere anywhere
    0     0 ACCEPT all  --  vif1.0 vif5.0 anywhere anywhere
    0     0 ACCEPT all  --  vif5.0 vif4.0 anywhere anywhere
    0     0 ACCEPT all  --  vif4.0 vif5.0 anywhere anywhere

Chain INPUT (policy ACCEPT 37165 packets, 4945K bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 11709 packets, 7277K bytes)
 pkts bytes target prot opt in out source destination

[root@941e-4 ~]# xm list --label
Name      ID Mem(MiB) VCPUs State  Time(s) Label
domain1    1      164     1 -b----     0.3 Avis
domain4    4      164     1 -b----     0.3 Avis
domain5    5      164     1 -b----     0.3 Avis
domain3    3      164     1 -b----     0.3 CocaCola
domain2    2      164     1 -b----     0.3 Hertz
Domain-0   0     1948     4 r-----   319.9 SystemManagement

Example for Route (w/antispoof):
======================
[root@941e-4 route]# ip
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in     out    source   destination
    0     0 ACCEPT all  --  eth0   any    anywhere anywhere
    0     0 ACCEPT all  --  any    eth0   anywhere anywhere
    0     0 ACCEPT all  --  vif2.0 vif1.0 anywhere anywhere
    0     0 ACCEPT all  --  vif1.0 vif2.0 anywhere anywhere

Chain INPUT (policy DROP 48 packets, 2880 bytes)
 pkts bytes target prot opt in     out source     destination
17099 2070K ACCEPT all  --  eth0   *   0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT all  --  vif1.0 *   9.2.15.138 0.0.0.0/0
    0     0 ACCEPT all  --  vif2.0 *   9.2.15.142 0.0.0.0/0
    0     0 ACCEPT all  --  vif3.0 *   9.2.15.139 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6792 packets, 3717K bytes)
 pkts bytes target prot opt in out source destination

[root@941e-4 route]# xm list --label
Name      ID Mem(MiB) VCPUs State  Time(s) Label
domain1    1      164     1 -b----     6.3 Avis
domain4    2      164     1 -b----     0.3 Avis
domain2    3      164     1 -b----     0.3 Hertz
Domain-0   0     1948     4 r-----   236.2 SystemManagement

Signed-off by: Reiner Sailer <sailer@us.ibm.com>

_______________________________________________
Xense-devel mailing list
Xense-devel@lists.xensource.com
http://lists.xensource.com/xense-devel
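The rule generation the post describes, written out as an added example (this is not the attached patch and not Xen's own /etc/xen/scripts). It prints the iptables commands instead of running them, so it needs neither root nor a Xen host. Everything not visible in the post is an assumption: the vif naming vif<domid>.0, the per-vif addresses used for the routed antispoof rules, and above all the ACM decision itself, which here is a constructed stand-in (two labels may share when they are equal or when either one is SystemManagement) in place of the real get_decision hypercall.

```shell
#!/bin/sh
# Added example, not part of the posted patch or of Xen's /etc/xen/scripts.
# Models what the post describes: FORWARD policy DROP, then one ACCEPT per
# direction for every pair of vifs whose domains the policy permits to
# share, plus per-vif antispoof rules in INPUT for the routed setup.
# acm_get_decision is a constructed stand-in for the ACM get_decision
# hypercall (assumption: equal labels share, SystemManagement shares with all).
# Commands are echoed, not executed.

# Constructed domain table ("<domid> <label>"), matching the post's xm list.
DOMAINS="0 SystemManagement
1 Avis
2 Hertz
3 CocaCola
4 Avis
5 Avis"

# Constructed per-vif addresses for the routed antispoof rules (assumption).
VIF_ADDRS="1 9.2.15.138
2 9.2.15.142
3 9.2.15.139"

# Stand-in for the ACM get_decision hypercall (assumption, see above).
acm_get_decision() {
    [ "$1" = "$2" ] && return 0
    [ "$1" = SystemManagement ] && return 0
    [ "$2" = SystemManagement ] && return 0
    return 1
}

label_of() {
    echo "$DOMAINS" | awk -v id="$1" '$1 == id { print $2 }'
}

# Bridged setup: frames cross the bridge, so FORWARD matches on bridge ports
# with the physdev module. Pass "collapse-dom0" for the simplification the
# post mentions: always ACCEPT in/out through vif0.0 instead of pairwise rules.
gen_bridge_forward_rules() {
    mode=${1:-full}
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m physdev --physdev-in peth0 -j ACCEPT"
    echo "iptables -A FORWARD -m physdev --physdev-out peth0 -j ACCEPT"
    if [ "$mode" = collapse-dom0 ]; then
        echo "iptables -A FORWARD -m physdev --physdev-in vif0.0 -j ACCEPT"
        echo "iptables -A FORWARD -m physdev --physdev-out vif0.0 -j ACCEPT"
    fi
    ids=$(echo "$DOMAINS" | awk '{ print $1 }')
    for a in $ids; do
        for b in $ids; do
            [ "$a" -lt "$b" ] || continue          # each unordered pair once
            [ "$mode" = collapse-dom0 ] && [ "$a" -eq 0 ] && continue
            if acm_get_decision "$(label_of "$a")" "$(label_of "$b")"; then
                echo "iptables -A FORWARD -m physdev --physdev-in vif$a.0 --physdev-out vif$b.0 -j ACCEPT"
                echo "iptables -A FORWARD -m physdev --physdev-in vif$b.0 --physdev-out vif$a.0 -j ACCEPT"
            fi
        done
    done
}

# Routed setup: no bridge, so plain interface matches suffice. INPUT defaults
# to DROP with one ACCEPT per vif pinned to its address, so a guest sending
# from any other source address is dropped at Dom0.
gen_route_antispoof_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i eth0 -j ACCEPT"
    echo "$VIF_ADDRS" | while read -r id addr; do
        echo "iptables -A INPUT -i vif$id.0 -s $addr -j ACCEPT"
    done
}

# Number of ACCEPT rules a generator emits (first arg: generator, second: its mode).
count_accept() {
    "$1" "${2:-}" | grep -c -- '-j ACCEPT'
}

gen_bridge_forward_rules
gen_bridge_forward_rules collapse-dom0
gen_route_antispoof_rules
```

With the post's six domains the full bridged variant emits 18 ACCEPT rules (2 for peth0, 16 for the eight permitted vif pairs), which matches the listing above; the collapsed variant drops to 10. The physdev matches only take effect when the bridge hands frames to iptables, which is the dependency on the bridge's netfilter hooks that the post warns about.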