Xen project Mailing List

Re: [Xen-users] Dom-U config: whats the role of vif - IP

To: Christoph Purrucker <cp+ml-xen@xxxxxxxx>

From: Tim Post <tim.post@xxxxxxxxxxxxxxx>

Date: Mon, 25 Sep 2006 00:52:55 +0800

Delivery-date: Sun, 24 Sep 2006 09:53:47 -0700

List-id: Xen user discussion <xen-users.lists.xensource.com>

This is really a big issue for people such as web hosting providers who will be giving 'untrusted' root access to dom-u's to the general public. VPS servers are a very popular choice for those who purchase hosting services with less than honorable intentions. Since many do setup their networks for ease of administration (meaning, whatever dom-u broadcasts an IP on a subnet that knows about it, owns it) this allows one dom-u to 'hijack' the IP of another and use it for abusive activity, intercept traffic, etc. If you have only 'trusted' root users on your dom-u's and don't run insecure public services from them, its pretty safe to just leave things easy and do your networking at the dom-u end. Depending on the quality of the network feeding your bridges (if using them), you may find it handy to specify a mac address in both the xen configuration and dom-u network init scripts. So there really isn't a right or wrong answer.. other than be sure allowing dom-u's to bring up their own IP's fits your security model :) HTH, -Tim On Fri, 2006-09-22 at 11:52 +0200, Christoph Purrucker wrote: > Hello, > > in the example configuration-files I always read, that I've to add an > IP-Adress if I don't have a DHCPd running. I'm running in bridge-mode. For > example: > > vif = ['ip=192.168.5.99'] > > But I don't want to configure the IP-Adress in an config-file on Dom-0; > the Admin of the Dom-U should do that with Dom-U's ifconfig (or Debian's > /etc/network/interfaces). I started several Dom-Us with > > vif = [''] > > and it seems, that they run quite fine with a locally configured > interface. And further on, if I change the above vif = ['ip=192.168.5.99'] > to any other IP, the Dom-U ist still reachable under its locally > configured IP (and not under the new one in der config-file) after > rebooting the Dom-U. > > So what's the sense of the above parameter? > > cu cp > > > _______________________________________________ > Xen-users mailing list > Xen-users@xxxxxxxxxxxxxxxxxxx > http://lists.xensource.com/xen-users > > _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.