Xen users - May 2010 - XCP Xen Cloud Control System ver 0.3 released!

Greetings all!
    I''ve just released ver 0.3 of the Xen Cloud Control System! Changes
for 0.3 include:

Lots of user interface improvements

overall pool status display implemented

storage repository info implemented

pool host info implemented

VM virtual disk storage resize implemented

manually shift to the alternate pool master implemented

manually shift to the primary pool master implemented

all functions are now available when running from the alternate pool master

XCCS now has a real installer script, YAY!

Things left on the todo list:

expand VM creator capability (ongoing)

multitenancy (ver 0.4)

VM import and export (ver 0.4)

Whatever else anyone can come up with :)

As always, XCCS 0.3 is available for download from 
http://www.xencloudcontrol.com.

Vern
SwiftWater Telecom
http://www.swiftwatertel.com
Xen Cloud Control System
http://www.xencloudcontrol.com



_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Great job!

Is there anything in the pipeline regarding networking? Would be awesome 
if it was able to create "Virtual Switches" (aka bridges) and internal
private networks..

Cheers

On 24/05/10 19:23, Vern Burke wrote:
> Greetings all!
>    I''ve just released ver 0.3 of the Xen Cloud Control System!
Changes
> for 0.3 include:
>
> Lots of user interface improvements
>
> overall pool status display implemented
>
> storage repository info implemented
>
> pool host info implemented
>
> VM virtual disk storage resize implemented
>
> manually shift to the alternate pool master implemented
>
> manually shift to the primary pool master implemented
>
> all functions are now available when running from the alternate pool 
> master
>
> XCCS now has a real installer script, YAY!
>
> Things left on the todo list:
>
> expand VM creator capability (ongoing)
>
> multitenancy (ver 0.4)
>
> VM import and export (ver 0.4)
>
> Whatever else anyone can come up with :)
>
> As always, XCCS 0.3 is available for download from 
> http://www.xencloudcontrol.com.
>
> Vern
> SwiftWater Telecom
> http://www.swiftwatertel.com
> Xen Cloud Control System
> http://www.xencloudcontrol.com
>
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Thanks Jonathan!
    I do have various networking things on the dance card, but, since 
I''m running a production public cloud, my focus has been on day to day 
automation plus automatic disaster recovery (vm and host watchdogs) and 
the load balancer. I''m trying to avoid the Amazon bozo model
(can''t
restart VMs from a failed host and then take 5-6 hours to restart VMs 
when the host is back up).

I have dynamic pool resizing in test on the stunt cloud (when load is 
low, it will automatically shut down hosts, when load picks up, it will 
automatically restart hosts), I''ll probably add VM import and export as
a .1 release in the next week, basic multitenancy will probably come in 
the next week or so, then I''ll see if I can get it to perform some 
networking tricks :).

Of course, schedule is subject to modification (I''m in the middle of an
intense build out of another 1000 sq ft of data center space with all 
the green goodies which will, coincidently, be the new home of the 
production cloud) :).

Vern
SwiftWater Telecom
http://www.swiftwatertel.com
Xen Cloud Control System
http://www.xencloudcontrol.com

On 5/24/2010 3:58 PM, Jonathan Tripathy wrote:
> Great job!
>
> Is there anything in the pipeline regarding networking? Would be 
> awesome if it was able to create "Virtual Switches" (aka bridges)
and
> internal private networks..
>
> Cheers
>
> On 24/05/10 19:23, Vern Burke wrote:
>> Greetings all!
>>    I''ve just released ver 0.3 of the Xen Cloud Control System!
>> Changes for 0.3 include:
>>
>> Lots of user interface improvements
>>
>> overall pool status display implemented
>>
>> storage repository info implemented
>>
>> pool host info implemented
>>
>> VM virtual disk storage resize implemented
>>
>> manually shift to the alternate pool master implemented
>>
>> manually shift to the primary pool master implemented
>>
>> all functions are now available when running from the alternate pool 
>> master
>>
>> XCCS now has a real installer script, YAY!
>>
>> Things left on the todo list:
>>
>> expand VM creator capability (ongoing)
>>
>> multitenancy (ver 0.4)
>>
>> VM import and export (ver 0.4)
>>
>> Whatever else anyone can come up with :)
>>
>> As always, XCCS 0.3 is available for download from 
>> http://www.xencloudcontrol.com.
>>
>> Vern
>> SwiftWater Telecom
>> http://www.swiftwatertel.com
>> Xen Cloud Control System
>> http://www.xencloudcontrol.com
>>
>>
>>
>> _______________________________________________
>> Xen-users mailing list
>> Xen-users@lists.xensource.com
>> http://lists.xensource.com/xen-users
>

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Vern!

Excellent stuff!

I''m hoping to provide XCP based solutions to my customers as well.
I''ll
have a play around with your software and give you some proper feedback, 
but something tells me that I won''t be disappointed!

So currently, regarding networking and security, what are you hoping to 
do regarding your customers'' VMs? What are you thinking of doing to 
prevent "breaking out of the VM", or packet sniffing, and also 
protecting the Dom0?

We''re a Ubuntu house, so our DomUs will have to be Ubuntu...

Cheers

Jonathan

On 24/05/10 21:18, Vern Burke wrote:
> Thanks Jonathan!
>    I do have various networking things on the dance card, but, since 
> I''m running a production public cloud, my focus has been on day to
day
> automation plus automatic disaster recovery (vm and host watchdogs) 
> and the load balancer. I''m trying to avoid the Amazon bozo model 
> (can''t restart VMs from a failed host and then take 5-6 hours to 
> restart VMs when the host is back up).
>
> I have dynamic pool resizing in test on the stunt cloud (when load is 
> low, it will automatically shut down hosts, when load picks up, it 
> will automatically restart hosts), I''ll probably add VM import and
> export as a .1 release in the next week, basic multitenancy will 
> probably come in the next week or so, then I''ll see if I can get
it to
> perform some networking tricks :).
>
> Of course, schedule is subject to modification (I''m in the middle
of
> an intense build out of another 1000 sq ft of data center space with 
> all the green goodies which will, coincidently, be the new home of the 
> production cloud) :).
>
> Vern
> SwiftWater Telecom
> http://www.swiftwatertel.com
> Xen Cloud Control System
> http://www.xencloudcontrol.com
>
> On 5/24/2010 3:58 PM, Jonathan Tripathy wrote:
>> Great job!
>>
>> Is there anything in the pipeline regarding networking? Would be 
>> awesome if it was able to create "Virtual Switches" (aka
bridges) and
>> internal private networks..
>>
>> Cheers
>>
>> On 24/05/10 19:23, Vern Burke wrote:
>>> Greetings all!
>>>    I''ve just released ver 0.3 of the Xen Cloud Control
System!
>>> Changes for 0.3 include:
>>>
>>> Lots of user interface improvements
>>>
>>> overall pool status display implemented
>>>
>>> storage repository info implemented
>>>
>>> pool host info implemented
>>>
>>> VM virtual disk storage resize implemented
>>>
>>> manually shift to the alternate pool master implemented
>>>
>>> manually shift to the primary pool master implemented
>>>
>>> all functions are now available when running from the alternate
pool
>>> master
>>>
>>> XCCS now has a real installer script, YAY!
>>>
>>> Things left on the todo list:
>>>
>>> expand VM creator capability (ongoing)
>>>
>>> multitenancy (ver 0.4)
>>>
>>> VM import and export (ver 0.4)
>>>
>>> Whatever else anyone can come up with :)
>>>
>>> As always, XCCS 0.3 is available for download from 
>>> http://www.xencloudcontrol.com.
>>>
>>> Vern
>>> SwiftWater Telecom
>>> http://www.swiftwatertel.com
>>> Xen Cloud Control System
>>> http://www.xencloudcontrol.com
>>>
>>>
>>>
>>> _______________________________________________
>>> Xen-users mailing list
>>> Xen-users@lists.xensource.com
>>> http://lists.xensource.com/xen-users
>>
>
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Jonathan:
   I don't think there's much to do about preventing someone breaking
out of a DomU. As I've said before, that would have to be a severe fubar of
the hypervisor and it's not likely.

Protecting the Dom0 is really nothing more than the standard best practices for
any Internet connected server.

If you're really concerned about packet sniffing you could always use a
private vswitch and use a Vyatta virtual router and VPN out to wherever
you're going.

Vern
Sent from my BlackBerry® wireless device from U.S. Cellular

-----Original Message-----
From: Jonathan Tripathy <jonnyt@abpni.co.uk>
Date: Mon, 24 May 2010 22:14:56 
To: Vern Burke<vburke@skow.net>; <Xen-users@lists.xensource.com>
Subject: Re: [Xen-users] XCP Xen Cloud Control System ver 0.3 released!

Vern!

Excellent stuff!

I'm hoping to provide XCP based solutions to my customers as well. I'll 
have a play around with your software and give you some proper feedback, 
but something tells me that I won't be disappointed!

So currently, regarding networking and security, what are you hoping to 
do regarding your customers' VMs? What are you thinking of doing to 
prevent "breaking out of the VM", or packet sniffing, and also 
protecting the Dom0?

We're a Ubuntu house, so our DomUs will have to be Ubuntu...

Cheers

Jonathan

On 24/05/10 21:18, Vern Burke wrote:
> Thanks Jonathan!
>    I do have various networking things on the dance card, but, since 
> I'm running a production public cloud, my focus has been on day to day 
> automation plus automatic disaster recovery (vm and host watchdogs) 
> and the load balancer. I'm trying to avoid the Amazon bozo model 
> (can't restart VMs from a failed host and then take 5-6 hours to 
> restart VMs when the host is back up).
>
> I have dynamic pool resizing in test on the stunt cloud (when load is 
> low, it will automatically shut down hosts, when load picks up, it 
> will automatically restart hosts), I'll probably add VM import and 
> export as a .1 release in the next week, basic multitenancy will 
> probably come in the next week or so, then I'll see if I can get it to 
> perform some networking tricks :).
>
> Of course, schedule is subject to modification (I'm in the middle of 
> an intense build out of another 1000 sq ft of data center space with 
> all the green goodies which will, coincidently, be the new home of the 
> production cloud) :).
>
> Vern
> SwiftWater Telecom
> http://www.swiftwatertel.com
> Xen Cloud Control System
> http://www.xencloudcontrol.com
>
> On 5/24/2010 3:58 PM, Jonathan Tripathy wrote:
>> Great job!
>>
>> Is there anything in the pipeline regarding networking? Would be 
>> awesome if it was able to create "Virtual Switches" (aka
bridges) and
>> internal private networks..
>>
>> Cheers
>>
>> On 24/05/10 19:23, Vern Burke wrote:
>>> Greetings all!
>>>    I've just released ver 0.3 of the Xen Cloud Control System! 
>>> Changes for 0.3 include:
>>>
>>> Lots of user interface improvements
>>>
>>> overall pool status display implemented
>>>
>>> storage repository info implemented
>>>
>>> pool host info implemented
>>>
>>> VM virtual disk storage resize implemented
>>>
>>> manually shift to the alternate pool master implemented
>>>
>>> manually shift to the primary pool master implemented
>>>
>>> all functions are now available when running from the alternate
pool
>>> master
>>>
>>> XCCS now has a real installer script, YAY!
>>>
>>> Things left on the todo list:
>>>
>>> expand VM creator capability (ongoing)
>>>
>>> multitenancy (ver 0.4)
>>>
>>> VM import and export (ver 0.4)
>>>
>>> Whatever else anyone can come up with :)
>>>
>>> As always, XCCS 0.3 is available for download from 
>>> http://www.xencloudcontrol.com.
>>>
>>> Vern
>>> SwiftWater Telecom
>>> http://www.swiftwatertel.com
>>> Xen Cloud Control System
>>> http://www.xencloudcontrol.com
>>>
>>>
>>>
>>> _______________________________________________
>>> Xen-users mailing list
>>> Xen-users@lists.xensource.com
>>> http://lists.xensource.com/xen-users
>>
>
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Hi Verne,

a fine job!

Do you assign domU addresses from a DHCP server and if so how do you stop
a rogue VM from running it''s own DHCP server and answering DHCP
requests
from other domUs as they start up?

The default config for XCP does let a domU spoof IP addresses.  I asked
some questions on the openvswitch list recently and I get the impression
that with a separate flow controller box you could do some quite
fine-grained control of network properties even through migration.

What plans do you have for the multi-tenancy side of things? - if you need
any help with database development or the web frontend I would be more
than willing to help out (thats my background).


Cheers,

Matt

On Mon, May 24, 2010 11:09 pm, Vern Burke wrote:
> Jonathan:
>    I don''t think there''s much to do about preventing
someone breaking out
> of a DomU. As I''ve said before, that would have to be a severe
fubar of
> the hypervisor and it''s not likely.
>
> Protecting the Dom0 is really nothing more than the standard best
> practices for any Internet connected server.
>
> If you''re really concerned about packet sniffing you could always
use a
> private vswitch and use a Vyatta virtual router and VPN out to wherever
> you''re going.
>
> Vern
> Sent from my BlackBerry® wireless device from U.S. Cellular


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

I only do static IP assignments on the VMs. I have no idea how you''d 
stop a VM from running a DHCP server from outside the VM (not that I can 
imagine why anyone would want to do that anyways). The best answer I''ve
found for a lot of shennanigans is a zero tolerance policy in the terms 
of service (do it and you''re gone, period).

Openflow looks like it might be useful except I''m not seeing much for 
controllers. I''m still pondering how to make best use of the 
capabilities of openvswitch.

XCCS multitenancy will provide a reduced set of functions to customers 
for controlling their own VMs with the end goal being self provisioning 
and automatic billing.

Vern


On 5/25/2010 4:49 AM, Matthew Law wrote:
> Hi Verne,
>
> a fine job!
>
> Do you assign domU addresses from a DHCP server and if so how do you stop
> a rogue VM from running it''s own DHCP server and answering DHCP
requests
> from other domUs as they start up?
>
> The default config for XCP does let a domU spoof IP addresses.  I asked
> some questions on the openvswitch list recently and I get the impression
> that with a separate flow controller box you could do some quite
> fine-grained control of network properties even through migration.
>
> What plans do you have for the multi-tenancy side of things? - if you need
> any help with database development or the web frontend I would be more
> than willing to help out (thats my background).
>
>
> Cheers,
>
> Matt
>
> On Mon, May 24, 2010 11:09 pm, Vern Burke wrote:
>    
>> Jonathan:
>>     I don''t think there''s much to do about preventing
someone breaking out
>> of a DomU. As I''ve said before, that would have to be a severe
fubar of
>> the hypervisor and it''s not likely.
>>
>> Protecting the Dom0 is really nothing more than the standard best
>> practices for any Internet connected server.
>>
>> If you''re really concerned about packet sniffing you could
always use a
>> private vswitch and use a Vyatta virtual router and VPN out to wherever
>> you''re going.
>>
>> Vern
>> Sent from my BlackBerry® wireless device from U.S. Cellular
>>      
>
>
>    

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

You could try this:
http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/
 
Don''t know if it will stop DHCP broadcasts, but maybe...

________________________________

From: Vern Burke [mailto:vburke@skow.net]
Sent: Tue 25/05/2010 15:04
To: matt@webcontracts.co.uk
Cc: Jonathan Tripathy; xen-users@lists.xensource.com
Subject: Re: [Xen-users] XCP Xen Cloud Control System ver 0.3 released!



I only do static IP assignments on the VMs. I have no idea how you''d
stop a VM from running a DHCP server from outside the VM (not that I can
imagine why anyone would want to do that anyways). The best answer I''ve
found for a lot of shennanigans is a zero tolerance policy in the terms
of service (do it and you''re gone, period).

Openflow looks like it might be useful except I''m not seeing much for
controllers. I''m still pondering how to make best use of the
capabilities of openvswitch.

XCCS multitenancy will provide a reduced set of functions to customers
for controlling their own VMs with the end goal being self provisioning
and automatic billing.

Vern


On 5/25/2010 4:49 AM, Matthew Law wrote:
> Hi Verne,
>
> a fine job!
>
> Do you assign domU addresses from a DHCP server and if so how do you stop
> a rogue VM from running it''s own DHCP server and answering DHCP
requests
> from other domUs as they start up?
>
> The default config for XCP does let a domU spoof IP addresses.  I asked
> some questions on the openvswitch list recently and I get the impression
> that with a separate flow controller box you could do some quite
> fine-grained control of network properties even through migration.
>
> What plans do you have for the multi-tenancy side of things? - if you need
> any help with database development or the web frontend I would be more
> than willing to help out (thats my background).
>
>
> Cheers,
>
> Matt
>
> On Mon, May 24, 2010 11:09 pm, Vern Burke wrote:
>   
>> Jonathan:
>>     I don''t think there''s much to do about preventing
someone breaking out
>> of a DomU. As I''ve said before, that would have to be a severe
fubar of
>> the hypervisor and it''s not likely.
>>
>> Protecting the Dom0 is really nothing more than the standard best
>> practices for any Internet connected server.
>>
>> If you''re really concerned about packet sniffing you could
always use a
>> private vswitch and use a Vyatta virtual router and VPN out to wherever
>> you''re going.
>>
>> Vern
>> Sent from my BlackBerry® wireless device from U.S. Cellular
>>     
>
>
>   




_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On Tue, May 25, 2010 3:24 pm, Jonathan Tripathy wrote:
> You could try this:
>
http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/
>
> Don''t know if it will stop DHCP broadcasts, but maybe...
That article is more relevant to vanilla Xen with the linux bridge.  It
would stop a VM from assigning itself the IPv4 or v6 address of another
VM.  DHCP requests are broadcast so it would be valid for a VM to see it
and nothing would stop it from replying.

XCP uses openvswitch, so you would need to add some flow rules to ovs. One
to stop the IP spoofing and one to specify which hosts (and possibly
ports) are allowed to answer DHCP requests.  I''ve been playing with it
on
and off for a while now.  I''ll crack it, I''m sure, but
haven''t yet.

Openvswitch looks really powerful or at least has potential to be but
there isn''t much documentation which is why I am struggling a bit.


Cheers,

Matt.



_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On Tue, 2010-05-25 at 10:04 -0400, Vern Burke wrote:
> I only do static IP assignments on the VMs. I have no idea how
you''d
> stop a VM from running a DHCP server from outside the VM (not that I can 
> imagine why anyone would want to do that anyways). The best answer
I''ve
> found for a lot of shennanigans is a zero tolerance policy in the terms 
> of service (do it and you''re gone, period).
> 
One approach to monitoring for rogue DHCP servers is to monitor the
local LAN by soliciting DHCP requests and checking the offer source(s)
against what is expected. A probe is necessary per vlan.

We''ve written something like this for our own product. The code is not
complex.

Frank


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On Tue, May 25, 2010 at 10:04:26AM -0400, Vern Burke
wrote:
> I only do static IP assignments on the VMs. I have no idea how
you''d
> stop a VM from running a DHCP server from outside the VM (not that I
> can imagine why anyone would want to do that anyways). The best
> answer I''ve found for a lot of shennanigans is a zero tolerance
> policy in the terms of service (do it and you''re gone, period).
>From http://en.wikipedia.org/wiki/DHCP: "DHCP uses the same two ports
assigned
by IANA for BOOTP: 67/udp for sending data to the server, and 68/udp for data
to the client."

You could simply filter packets on port 67/udp towards the VM, so it
doesn''t
see the requests, and on port 68/udp from the VM, so it''s not able to
reply.

regards,
iustin

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On 25/05/10 20:13, Iustin Pop wrote:
> On Tue, May 25, 2010 at 10:04:26AM -0400, Vern Burke wrote:
>    
>> I only do static IP assignments on the VMs. I have no idea how
you''d
>> stop a VM from running a DHCP server from outside the VM (not that I
>> can imagine why anyone would want to do that anyways). The best
>> answer I''ve found for a lot of shennanigans is a zero
tolerance
>> policy in the terms of service (do it and you''re gone,
period).
>>      
>  From http://en.wikipedia.org/wiki/DHCP: "DHCP uses the same two ports
assigned
> by IANA for BOOTP: 67/udp for sending data to the server, and 68/udp for
data
> to the client."
>
> You could simply filter packets on port 67/udp towards the VM, so it
doesn''t
> see the requests, and on port 68/udp from the VM, so it''s not able
to reply.
>
> regards,
> iustin
>    
If that was the case, woudn''t my idea of using:

http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/

work?

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On Tue, May 25, 2010 at 08:22:00PM +0100, Jonathan Tripathy
wrote:
> 
> On 25/05/10 20:13, Iustin Pop wrote:
> >On Tue, May 25, 2010 at 10:04:26AM -0400, Vern Burke wrote:
> >>I only do static IP assignments on the VMs. I have no idea how
you''d
> >>stop a VM from running a DHCP server from outside the VM (not that
I
> >>can imagine why anyone would want to do that anyways). The best
> >>answer I''ve found for a lot of shennanigans is a zero
tolerance
> >>policy in the terms of service (do it and you''re gone,
period).
> > From http://en.wikipedia.org/wiki/DHCP: "DHCP uses the same two
ports assigned
> >by IANA for BOOTP: 67/udp for sending data to the server, and 68/udp
for data
> >to the client."
> >
> >You could simply filter packets on port 67/udp towards the VM, so it
doesn''t
> >see the requests, and on port 68/udp from the VM, so it''s not
able to reply.
> >
> >regards,
> >iustin
> If that was the case, woudn''t my idea of using:
> 
>
http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/
> 
> work?
Well, that page is a little long, but if you refer to iptables + match
on physdev, yes, that should work, and one needs to add port-based
filtering too. I''m not familiar with arptables, sorry.

regards,
iustin

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On 2010-05-25, at 3:15 PM, "Iustin Pop" <iusty@k1024.org> wrote:
> On Tue, May 25, 2010 at 10:04:26AM -0400, Vern Burke wrote:
>> I only do static IP assignments on the VMs. I have no idea how
you''d
>> stop a VM from running a DHCP server from outside the VM (not that I
>> can imagine why anyone would want to do that anyways). The best
>> answer I''ve found for a lot of shennanigans is a zero
tolerance
>> policy in the terms of service (do it and you''re gone,
period).
>
>> From http://en.wikipedia.org/wiki/DHCP: "DHCP uses the same two  
>> ports assigned
> by IANA for BOOTP: 67/udp for sending data to the server, and 68/udp  
> for data
> to the client."
>
> You could simply filter packets on port 67/udp towards the VM, so it  
> doesn''t
> see the requests, and on port 68/udp from the VM, so it''s not able
> to reply.
>
> regards,
> iustin
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users
The original question was that a VM''s IP is configured by a DHCP  
server and the concern was that they did not want a rogue DHCP server  
to cause problems. So if the solution is to use iptables, you can not  
just block udp ports, but you would have to have pass rules from the  
legitate IP addresses. Using ebtables may also help for link-layer  
protocols.

It''s always good practice to know the communications and data flows in
your environment. Testing for rogue servers doing dhcp is a good idea,  
especially with wireless and vm environments. Passing data to an  
unexpected default gateway would not be good so making sure no one is  
passing themselves off as the default gateway is another step.

Frank

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users