From: Cory Von Wallenstein <cvonwallenstein@dyn-inc.com>
To: xen-devel@lists.xensource.com
Cc: Stephen Spector <stephen.spector@citrix.com>
Subject: Successful IPv6 Xen Deployment; Protection Against IPv4 ARP Poisoning Attacks
Date: Tue, 23 Sep 2008 16:06:54 -0400 (EDT)
Message-ID: <5378691.34641222200414944.JavaMail.root@mail.corp.dyndns.com>

Hi folks,
Stephen Spector suggested these questions may be best answered by the dev email list.
My team and I have been working diligently since early this year on automation and deployment of Xen for a new VPS service at DynDNS. Along the way, we decided to have IPv6 as one of our features, and had to make a handful of changes to the Xen network scripts to successfully and safely do so in a VPS environment.
While our priorities have first and foremost been getting our Spring Server VPS service out the door (which as of a few weeks ago, it is!), now I'd like to see if the community could benefit from this work.
a) Have people already solved and dealt with IPv6 in Xen successfully (i.e., is it a non-issue at this point)? If not, I'd be happy to submit the changes and a guide to making it work and work well.
Along the way, we also ran into some issues where domUs were able to:
1) "steal" IP addresses through IP aliasing (e.g., domU has 1.2.3.4, and domU root does "ifconfig eth0:0 1.2.3.5/32" in Linux, and now has two working IPs),
2) and more importantly, were able to impact the network connectivity of another domU by aliasing or assigning its in-use IP address,
3) and MOST importantly, were able to impact the network connectivity for all domUs on a subnet by aliasing a gateway IP address (e.g., in Linux "ifconfig 1.2.3.1" for a typical /24 subnet).
4) Also, sending out invalid or poisoned ARP packets from one domU was able to introduce network connectivity problems for other domUs.
We were able to make a handful of changes to the Xen scripts to resolve these issues as well for safe and secure operation (especially for a VPS environment, where individual owners of domUs are likely unrelated to each other).
b) As above, have folks already addressed these issues for stealing IPs/ARP poisoning? Have they just not encountered them yet? Would it be useful to submit these modifications for review by the community?
We're more than happy to help, just don't want to duplicate work or step on anyone's toes for work they already have in progress.
Best regards,
Cory von Wallenstein
Spring Server Engineer
Dynamic Network Services
http://www.dyndns.com
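
The per-interface check that would catch issues 1) to 4) on the ARP side, as an added example that is not part of the original message and not the changes made to the Xen scripts (the message does not show them): every ARP frame arriving from a guest interface is compared with the MAC and IPv4 address assigned to that interface. The vif names, MAC addresses, binding table and frames are constructed for illustration.

```python
import socket
import struct

# Constructed dom0 table: the MAC and IPv4 address assigned to each guest vif.
BINDINGS = {"vif1.0": ("00:16:3e:00:00:01", "1.2.3.4"),
            "vif2.0": ("00:16:3e:00:00:02", "1.2.3.6")}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(eth_src, sha, spa, tpa, op=1):
    """Build a constructed broadcast Ethernet/ARP frame (sample input only)."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    eth = b"\xff" * 6 + to_mac(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + to_mac(sha) + socket.inet_aton(spa) + b"\x00" * 6 + socket.inet_aton(tpa)

def check_arp(vif, frame):
    """Return the binding violations for one ARP frame received from vif."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return ["not-arp"]
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return ["malformed-arp"]
    if vif not in BINDINGS:
        return ["unknown-vif"]
    mac, ip = BINDINGS[vif]
    problems = []
    if mac_str(frame[6:12]) != mac:
        problems.append("eth-src-mac")
    if mac_str(frame[22:28]) != mac:
        problems.append("arp-sender-mac")
    # 0.0.0.0 is the sender address of an ARP probe (RFC 5227), not a claim.
    if socket.inet_ntoa(frame[28:32]) not in (ip, "0.0.0.0"):
        problems.append("arp-sender-ip")
    return problems

def demo():
    """Run the check over constructed frames, all arriving on vif1.0."""
    own = BINDINGS["vif1.0"][0]
    other = BINDINGS["vif2.0"][0]
    return {
        "legit": check_arp("vif1.0", build_arp(own, own, "1.2.3.4", "1.2.3.1")),
        "gateway": check_arp("vif1.0", build_arp(own, own, "1.2.3.1", "1.2.3.1")),
        "neighbour": check_arp("vif1.0", build_arp(own, other, "1.2.3.6", "1.2.3.4", op=2)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

This covers ARP only; the same binding table would also have to be checked against the source address of IPv4 packets leaving each interface.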