[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-API] CP-3477: Make xapi listen on all dom0 IP addresses






On Fri, Jun 21, 2013 at 4:05 PM, Rob Hoes <Rob.Hoes@xxxxxxxxxx> wrote:

Hi Rushikesh,

 

Thanks for replying. 

 

You’re right that, since XCP1.6, xapi listens on all IP addresses (0.0.0.0). We made this change to simplify the HTTP server in xapi. Making it independent of a particular IP address meant that we no longer need to restart the HTTP server when the management IP is configured or changes, which is something that got a lot more complex when we added experimental IPv6 support last year.

 

I've explained the threat below but before that I see 0.0.0.0 as a good sign for VM live migration.
xe vm-migrate is forced to use management network only for live migration but now since XAPI works on 0.0.0.0 can we have network as a parameter to it so that we could decide on fastest available way ? VM RAM is getting bigger day by day :)

It is still the case that only the interface that is designated to be the management interface is used for management traffic inside a pool.

 

Xapi now does the same thing as other common services, such as sshd, which also listen on all IP addresses. If you want to further restrict access, I think it is best to use iptables rules to block traffic to ports 80 and 443 on the non-management IPs. Also note that people need to authenticate with xapi before they can do anything.

Could you describe your security issue in a bit more detail? What is your reason for having multiple IP addresses on dom0? Is there anything/anyone on those networks that cannot be trusted?


On many of our hosts, we need to use routed network for the guests. These guests have their gateway as host which is exposed to internet. 
Since adding a routed gateway is done by the admins on the fly (which sometimes require alteration to iptables ), it is a threat to rely on iptables to be always correct and intact for management.
 
Our management tools talk to XAPI on 80 (rrd) & 443(mgmt) which I felt safe as no guest could sniff it even if being in promiscuous mode. Guest carry internet traffic as well as DOS attack which cant be trusted.
May be you can shed some light on it.

 

Cheers,

Rob

 

From: Rushikesh Jadhav [mailto:2rushikeshj@xxxxxxxxx]
Sent: 20 June 2013 11:56 PM
To: xen-api@xxxxxxxxxxxxx
Cc: Rob Hoes
Subject: CP-3477: Make xapi listen on all dom0 IP addresses

 

Hi All & Rob,

 

I think there is a security issue where XAPI is exposed on all available interfaces as well as all IPs of dom0. Currently XCP1.6 xapi listens on all IPs. Default 0.0.0.0

 

XCP1.1 used the correct interface and IP.

 

What alternative one has if he wants to make XAPI listen only on management network since management network is created for such purpose.

 

For now, I have patched the xapissl from init.d to make it listen only on MANAGEMENT_INTERFACE ip.

 

Thanks.


_______________________________________________
Xen-api mailing list
Xen-api@xxxxxxxxxxxxx
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.