Hi Rushikesh,
You’re right that, since XCP1.6, xapi listens on all IP addresses (0.0.0.0). We made this change to simplify the HTTP server in xapi. Making it independent
of a particular IP address meant that we no longer need to restart the HTTP server when the management IP is configured or changes, which is something that got a lot more complex when we added experimental IPv6 support last year.
It is still the case that only the interface that is designated to be the management interface is used for management traffic inside a pool.
Xapi now does the same thing as other common services, such as sshd, which also listen on all IP addresses. If you want to further restrict access, I think
it is best to use iptables rules to block traffic to ports 80 and 443 on the non-management IPs. Also note that people need to authenticate with xapi before they can do anything.
Could you describe your security issue in a bit more detail? What is your reason for having multiple IP addresses on dom0? Is there anything/anyone on those
networks that cannot be trusted?
Cheers,
Rob
From: Rushikesh Jadhav [mailto:2rushikeshj@xxxxxxxxx]
Sent: 20 June 2013 11:56 PM
To: xen-api@xxxxxxxxxxxxx
Cc: Rob Hoes
Subject: CP-3477: Make xapi listen on all dom0 IP addresses
Hi All & Rob,
I think there is a security issue where XAPI is exposed on all available interfaces as well as all IPs of dom0. Currently XCP1.6 xapi listens on all IPs. Default 0.0.0.0
XCP1.1 used the correct interface and IP.
What alternative one has if he wants to make XAPI listen only on management network since management network is created for such purpose.
For now, I have patched the xapissl from init.d to make it listen only on MANAGEMENT_INTERFACE ip.
