• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

How to prevent ND spoofing by Xen domU guests?

Started by tdwebste, April 18, 2012, 11:26:11 AM


tdwebste


In this configuration, untrusted guests are given full root access to their Xen domU.

I currently have arptables and ebtables rules in the dom0 to make ARP spoofing from a domU a little more difficult.
domU# ifconfig
eth0      Link encap:Ethernet  HWaddr 01:02:03:04:05:06
             inet addr:123.123.123.123  .......................

dom0# arptables -L
-j ACCEPT -s nlnog.nmsrv.com --src-mac  01:02:03:04:05:06 --opcode Reply
-j ACCEPT -s nlnog.nmsrv.com --src-mac  01:02:03:04:05:06 --opcode Request

dom0# ebtables -L
-p IPv4 -o vif5.0 --ip-dst 123.123.123.123 -j ACCEPT
-p IPv4 -i vif5.0 --ip-src 123.123.123.123 -j ACCEPT
-p IPv4 -o vif5.0 -j DROP
-p IPv4 -i vif5.0 -j DROP

I am looking for recommendations on how to protect against domU ND spoofing.
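
The IPv4 rules in the post bind one MAC and one address to vif5.0; for neighbor discovery the same binding also has to cover fields carried inside the ICMPv6 message. The following is an added example, not part of the original post, showing which fields a dom0-side check would compare for frames arriving from the guest; the IPv6 addresses, the function names and the frames are constructed for illustration, and only the MAC is taken from the post.

```python
import ipaddress

# Constructed binding for the guest on vif5.0: the MAC is the one in the post,
# the IPv6 addresses are placeholders (documentation prefix plus a link-local).
GUEST_MAC = bytes.fromhex("010203040506")
GUEST_ADDRS = {ipaddress.IPv6Address(a).packed for a in ("2001:db8::123", "fe80::1")}
UNSPECIFIED = bytes(16)

def check_nd_frame(frame, mac=GUEST_MAC, addrs=GUEST_ADDRS):
    """Classify an Ethernet frame arriving from the guest's vif: 'pass', 'drop' or 'not-nd'."""
    if len(frame) < 14 + 40 + 8 or frame[12:14] != b"\x86\xdd" or frame[20] != 58:
        return "not-nd"                      # not IPv6/ICMPv6 (extension headers not handled)
    eth_src, hop_limit, ip_src, icmp = frame[6:12], frame[21], frame[22:38], frame[54:]
    nd_type = icmp[0]
    if nd_type not in (133, 134, 135, 136, 137):
        return "not-nd"
    if nd_type in (134, 137):                # assumption: guests are hosts, so no RA or Redirect
        return "drop"
    if eth_src != mac or hop_limit != 255:   # RFC 4861 requires hop limit 255 for ND
        return "drop"
    if ip_src not in addrs and not (nd_type in (133, 135) and ip_src == UNSPECIFIED):
        return "drop"                        # "::" is legitimate only in RS and in DAD probes
    if nd_type == 133:
        opts = icmp[8:]                      # Router Solicitation has no target field
    else:
        if len(icmp) < 24:
            return "drop"
        if nd_type == 136 and icmp[8:24] not in addrs:
            return "drop"                    # NA claims an address the guest does not own
        opts = icmp[24:]
    while opts:                              # options are TLVs, length in 8-byte units
        if len(opts) < 2 or opts[1] == 0 or len(opts) < 8 * opts[1]:
            return "drop"
        if opts[0] in (1, 2) and opts[2:8] != mac:
            return "drop"                    # source/target link-layer option must be the guest MAC
        opts = opts[8 * opts[1]:]
    return "pass"

def build_nd(nd_type, eth_src, ip_src, target, opt_type, opt_mac, hop=255):
    """Build a constructed NS/NA frame for the demonstration (checksum left as zero)."""
    icmp = bytes([nd_type, 0, 0, 0]) + bytes(4) + target + bytes([opt_type, 1]) + opt_mac
    ip = b"\x60\x00\x00\x00" + len(icmp).to_bytes(2, "big") + bytes([58, hop]) + ip_src + bytes(16)
    return bytes(6) + eth_src + b"\x86\xdd" + ip + icmp

if __name__ == "__main__":
    own = ipaddress.IPv6Address("2001:db8::123").packed
    other = ipaddress.IPv6Address("2001:db8::1").packed
    print(check_nd_frame(build_nd(136, GUEST_MAC, own, own, 2, GUEST_MAC)))    # pass
    print(check_nd_frame(build_nd(136, GUEST_MAC, own, other, 2, GUEST_MAC)))  # drop
```

Matching only the Ethernet source and the IPv6 source address, as the IPv4 ebtables rules do, would let the second frame through, because the spoofed address sits in the Neighbor Advertisement target field rather than in the IPv6 header.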