Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: How to prevent nd spoofing by xen domU guests?  (Read 4074 times)

tdwebste

How to prevent nd spoofing by xen domU guests?
« on: April 18, 2012, 11:26:11 AM »


In this configuration, untrusted guests are given full root access to their Xen domU.

I currently have arptables and ebtables rules in the dom0 to make ARP spoofing from a domU a little more difficult.

domU# ifconfig
eth0      Link encap:Ethernet  HWaddr 01:02:03:04:05:06
             inet addr:123.123.123.123  .......................

dom0# arptables -L
-j ACCEPT -s nlnog.nmsrv.com --src-mac  01:02:03:04:05:06 --opcode Reply
-j ACCEPT -s nlnog.nmsrv.com --src-mac  01:02:03:04:05:06 --opcode Request

dom0# ebtables -L
-p IPv4 -o vif5.0 --ip-dst 123.123.123.123 -j ACCEPT
-p IPv4 -i vif5.0 --ip-src 123.123.123.123 -j ACCEPT
-p IPv4 -o vif5.0 -j DROP
-p IPv4 -i vif5.0 -j DROP

I am looking for recommendations on how to protect against domU ND spoofing.
