Xen devel - Sep 2008 - Successful IPv6 Xen Deployment; Protection Against IPv4 ARP Poisoning Attacks

Hi folks,

Stephen Spector suggested these questions may be best answered by the dev email
list.

My team and I have been working diligently since early this year working on
automation and deployment of Xen for a new VPS service at DynDNS. Along the way,
we decided to have IPv6 as one of our features, and had to make a handful of
changes to the Xen network scripts to successfully and safely do so in a VPS
environment.

While our priorities have first and foremost getting our Spring Server VPS
service out the door (which as of a few weeks ago, it is!), now I''d
like to see if the community could benefit from this work.

a) Have people already solved and dealt with IPv6 in Xen successfully (i.e., is
it a non-issue at this point)? If not, I''d be happy to submit the
changes and a guide to making it work and work well.

Along the way, we also ran into some issues where domUs were able to:

1) "steal" IP addresses through IP aliasing (e.g., domU has 1.2.3.4,
and domU root does "ifconfig eth0:0 1.2.3.5/32" in Linux, and now has
two working IPs),
2) and more importantly, were able to impact the network connectivity of another
domU by aliasing or assigning its in-use IP address,
3) and MOST importantly, were able to impact the network connectivity for all
domUs on a subnet by aliasing a gateway IP address (e.g., in Linux
"ifconfig 1.2.3.1" for a typical /24 subnet).
4) Also, sending out invalid or poisoned ARP packets from one domU were able to
introduce network connectivity problems for other domUs.

We were able to make a handful of changes to the Xen scripts to resolve these
issues as well for safe and secure operation (especially for a VPS environment,
where individual owners of domUs are likely unrelated to each other).

b) As above, have folks already addressed these issues for stealing IPs/ARP
poisoning? Have they just not encountered them yet? Would it be useful to submit
these modifications for review by the community?

We''re more than happy to help, just don''t want to duplicate
work or step on anyone''s toes for work they already have in progress.

Best regards,

Cory von Wallenstein
Spring Server Engineer
Dynamic Network Services
http://www.dyndns.com

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Cory Von Wallenstein schreef:
> We''re more than happy to help, just don''t want to
duplicate work or step on anyone''s toes for work they already have in
progress.
I think people here are more than happy to receive the patches! Anyway
I''m interested ;)



Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkjZTpcACgkQYH1+F2Rqwn29BQCfU5umxeMeaGOsc9dBPGVsO7OW
/JAAninukDBoU69JQP9TBK9liV42GIvl
=ghle
-----END PGP SIGNATURE-----

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Cory Von Wallenstein <cvonwallenstein@dyn-inc.com> writes:

> a) Have people already solved and dealt with IPv6 in Xen successfully
(i.e., is it a non-issue at this point)? If not, I''d be happy to submit
the changes and a guide to making it work and work well.
Guides would be awesome.  Also, if you made anti-spoof work for IPv6, that 
would also be awesome.

I''ve had IPv6 going for a while with no problems (though the xen
antispoof
rules only work with IPv4.)  - but I didn''t  even need to enable IPv6
in the
Dom0;  it''s a layer 2 bridge, so it just works.  In fact, stateless 
autoconfiguration even worked.   I asked for an IPv6 allocation from
my provider and my customers noticed it was working before I got around to
doing any setup at all.

what problems did you hit with IPv6?
> Along the way, we also ran into some issues where domUs were able to:
> 
> 1) "steal" IP addresses through IP aliasing (e.g., domU has
1.2.3.4, and domU root does "ifconfig eth0:0 1.2.3.5/32" in Linux, and
now has two working IPs),
> 2) and more importantly, were able to impact the network connectivity of
another domU by aliasing or assigning its in-use IP address,
> 3) and MOST importantly, were able to impact the network connectivity for
all domUs on a subnet by aliasing a gateway IP address (e.g., in Linux
"ifconfig 1.2.3.1" for a typical /24 subnet).
See the Xen antispoof functionality.  you specify the IPv4 address 
for the DomU in the xm config file, and it adds firewall rules to drop IPv4 
packets from the DomU that are not from its assigned address.  it works
well.  (you need to make your firewall put your bridge packets
through the forward chain, but after that it works well)  

If you have this working with IPv6, though, that would be really awesome.
> 4) Also, sending out invalid or poisoned ARP packets from one domU were
able to introduce network connectivity problems for other domUs.
The Xen networking scripts, I believe, don''t currently have anything
that
stops mac spoofing/arp cache poisioning.  Something like that would be
pretty nice, though. (It would allow me to trust my interface counters
again)
> b) As above, have folks already addressed these issues for stealing IPs/ARP
poisoning? Have they just not encountered them yet? Would it be useful to submit
these modifications for review by the community?
the antispoof stuff in xen works fine for IPv4, but we''ve got nothing
for ARP poisoning, or for antispoof in IPv6.  both would be nice.


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

> I think people here are more than happy to receive the patches! Anyway
> I''m interested ;)
Me too :)

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

I apologize folks for not getting back to the list in a timely matter. Alas,
duty called.

I''ve put together a guide, as well as my patches, for:

a) Getting IPv6 anti-spoofing to work.
b) Preventing ARP poisoning attacks that can bring down IPv4 communication on a
subnet.
c) Preventing IPv4 packet sniffing.

The guide walking through the "method to my madness" is on my
engineering blog:

http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/

I walk through the specific iptables, ip6tables, and arptables rules I found
necessary there.

The modified networking scripts are vif-common.sh, vif-bridge, and
network-bridge. Diffs are attached. By no means do I consider these "THE
answer", but have worked well for what we have in the field, and I welcome
suggestions for improvements.

Hope these help folks looking to use Xen for VPS hosting.

-- 
Cory von Wallenstein 
Dynamic Network Services Inc. 
P: +1.508.340.0958 
http://dynamicnetworkservices.com/ 

----- Original Message -----
From: "Luke S Crawford" <lsc@prgmr.com>
To: "Cory Von Wallenstein" <cvonwallenstein@dyn-inc.com>
Cc: xen-devel@lists.xensource.com, "Stephen Spector"
<stephen.spector@citrix.com>
Sent: Friday, September 26, 2008 9:58:19 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Xen-devel] Successful IPv6 Xen Deployment; Protection Against IPv4
ARP Poisoning Attacks

Cory Von Wallenstein <cvonwallenstein@dyn-inc.com> writes:

> a) Have people already solved and dealt with IPv6 in Xen successfully
(i.e., is it a non-issue at this point)? If not, I''d be happy to submit
the changes and a guide to making it work and work well.
Guides would be awesome.  Also, if you made anti-spoof work for IPv6, that 
would also be awesome.

I''ve had IPv6 going for a while with no problems (though the xen
antispoof
rules only work with IPv4.)  - but I didn''t  even need to enable IPv6
in the
Dom0;  it''s a layer 2 bridge, so it just works.  In fact, stateless 
autoconfiguration even worked.   I asked for an IPv6 allocation from
my provider and my customers noticed it was working before I got around to
doing any setup at all.

what problems did you hit with IPv6?
> Along the way, we also ran into some issues where domUs were able to:
> 
> 1) "steal" IP addresses through IP aliasing (e.g., domU has
1.2.3.4, and domU root does "ifconfig eth0:0 1.2.3.5/32" in Linux, and
now has two working IPs),
> 2) and more importantly, were able to impact the network connectivity of
another domU by aliasing or assigning its in-use IP address,
> 3) and MOST importantly, were able to impact the network connectivity for
all domUs on a subnet by aliasing a gateway IP address (e.g., in Linux
"ifconfig 1.2.3.1" for a typical /24 subnet).
See the Xen antispoof functionality.  you specify the IPv4 address 
for the DomU in the xm config file, and it adds firewall rules to drop IPv4 
packets from the DomU that are not from its assigned address.  it works
well.  (you need to make your firewall put your bridge packets
through the forward chain, but after that it works well)  

If you have this working with IPv6, though, that would be really awesome.
> 4) Also, sending out invalid or poisoned ARP packets from one domU were
able to introduce network connectivity problems for other domUs.
The Xen networking scripts, I believe, don''t currently have anything
that
stops mac spoofing/arp cache poisioning.  Something like that would be
pretty nice, though. (It would allow me to trust my interface counters
again)
> b) As above, have folks already addressed these issues for stealing IPs/ARP
poisoning? Have they just not encountered them yet? Would it be useful to submit
these modifications for review by the community?
the antispoof stuff in xen works fine for IPv4, but we''ve got nothing
for ARP poisoning, or for antispoof in IPv6.  both would be nice.





_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On Fri, Oct 10, 2008 at 4:09 AM, Cory Von Wallenstein
<cvonwallenstein@dyn-inc.com> wrote:
> I apologize folks for not getting back to the list in a timely matter.
Alas, duty called.
No apology is needed.  Greatly appreciate your sharing/contribution :)
> I''ve put together a guide, as well as my patches, for:
>
> a) Getting IPv6 anti-spoofing to work.
> b) Preventing ARP poisoning attacks that can bring down IPv4 communication
on a subnet.
> c) Preventing IPv4 packet sniffing.
>
> The guide walking through the "method to my madness" is on my
engineering blog:
>
>
http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/
Nice blog and many thanks for your effort to put up such informative
blog related to Xen.
>
> The modified networking scripts are vif-common.sh, vif-bridge, and
network-bridge. Diffs are attached. By no means do I consider these "THE
answer", but have worked well for what we have in the field, and I welcome
suggestions for improvements.
I have a suggestion since I just tried your patches in one of my test
server.  All my servers are with two NICs at least and running with
xen-3.3.0.  I encountered domU can''t be started and when I check
/var/log/xen/xen-hotplug.log as below:

/etc/xen/scripts/vif-common.sh: line 261: [: : unary operator expected
Nothing to flush.
cat: /etc/xen/domU.cfg: No such file or directory
Nothing to flush.
/etc/xen/scripts/vif-common.sh: line 261: [: : unary operator expected
Nothing to flush.
Nothing to flush.
cat: /etc/xen/domU.cfg: No such file or directory
/etc/xen/scripts/vif-common.sh: line 261: [: : unary operator expected

So in vif-common.sh I modified from yours as below:

DOMU_CONFIG=`cat /etc/xen/${DOMU_NAME}.cfg`

to:

if [ -f "/etc/xen/${DOMU_NAME}" ] ; then
    DOMU_CONFIG=`cat /etc/xen/${DOMU_NAME}`
elsif [ -f "/etc/xen/${DOMU_NAME}.cfg" ] ; then
    DOMU_CONFIG=`cat /etc/xen/${DOMU_NAME}.cfg`
else
    DOMU_CONFIG=""
fi

After the above changes, I am able to start my domU as per normal.  I
am using /etc/xen/${DOMU_NAME} instead of with .cfg extension for my
domU config files.

Once again, thanks.

Kindest regards,
Giam Teck Choon

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

> elsif [ -f "/etc/xen/${DOMU_NAME}.cfg" ] ; then
Sorry typo should be:
elif [ -f "/etc/xen/${DOMU_NAME}.cfg" ] ; then

Kindest regards,
Giam Teck Choon

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel