Thread: IP addresses used by domU
2006-09-21 18:02:56
On Thu, Sep 21, 2006 at 10:50:11AM -0700, Sanjam Garg wrote:
> thanks a lot.
>
> Your assumption on bridging was correct...but the fact is that I
> can't use sniffing to make a guess as my system has constraints laid
> down by the intentions of the user who may use some packet source
> IP spoofing to mislead dom0. If that's all that can be done then I
> would need to do something more rigorous...

When using bridging the network security concerns are pretty much exactly
the same as those of a bare metal machine - the whole point of bridging
is that the guest is connecting directly to the LAN as any physical machine
would.

Thus if you don't trust the admin of the DomU then don't let them connect
straight to the network. For example, you can switch Xen to an alternative
networking config where DomUs have to be forwarded & NAT'd using IPTables
to get LAN access.  If you really want to use bridging I guess you could try
filtering out any traffic from the DomU's particular vif which has an
unexpected source IP address, but really the best bet is to go for NAT &
remove their direct access.


Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|

--
Fedora-xen mailing list
Fedora-xenredhat.com
https://www.redhat.com/mailman/listinfo/fedora-xen
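
The per-vif source-address filter suggested in the reply above, sketched as an added example (not part of the original message and not Xen's own network scripts). The chain name, the function names, and the vif/IP values are constructed; it assumes bridged frames are passed to iptables on dom0 and that the guest has a static address.

```shell
#!/bin/sh
# Added example: print (not apply) dom0 iptables rules that pin a bridged
# DomU vif to one source IPv4 address. vif names and IPs below are constructed.
# Assumes bridged frames are passed to iptables
# (net.bridge.bridge-nf-call-iptables=1) and the guest uses a static address.

valid_ipv4() {
    # Four dot-separated decimal octets, each 0-255; nothing else allowed.
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_vif() {
    # Xen backend interfaces are named vif<domid>.<devid>
    case $1 in vif*.*) ;; *) return 1 ;; esac
    rest=${1#vif}; dom=${rest%%.*}; dev=${rest#*.}
    [ -n "$dom" ] && [ -n "$dev" ] || return 1
    case $dom$dev in *[!0-9]*) return 1 ;; esac
}

gen_antispoof_rules() {
    vif=$1 ip=$2
    # Reject anything that is not a plain vif name / IPv4 before it reaches a rule.
    valid_vif "$vif" || { echo "bad vif name: $vif" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    chain="antispoof-$(printf '%s' "$vif" | tr . -)"
    # Expected source returns to FORWARD; everything else is logged and dropped.
    cat <<EOF
iptables -N $chain
iptables -A $chain -s $ip -j RETURN
iptables -A $chain -j LOG --log-prefix "spoof $vif: "
iptables -A $chain -j DROP
iptables -I FORWARD -m physdev --physdev-in $vif -j $chain
EOF
}

# Review the output, then run it as root on dom0.
gen_antispoof_rules vif1.0 192.0.2.10
```

This only constrains the IPv4 source address seen on the vif; it does not address MAC or ARP spoofing on the bridge, which is one reason the reply prefers NAT.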