How to prevent nd spoofing by xen domU guests?

tdwebste · April 18, 2012, 11:26:11 AM

In this configuration untrusted guests are given full root access to their xen domU

I currently have arptable and ebtable rules in the dom0 to make arp spoofing from a domU a little more difficult.
domU# ifconfig
eth0 Link encap:Ethernet HWaddr 01:02:03:04:05:06
inet addr:123.123.123.123 .......................

dom0# arptables -L
-j ACCEPT -s nlnog.nmsrv.com --src-mac 01:02:03:04:05:06 --opcode Reply
-j ACCEPT -s nlnog.nmsrv.com --src-mac 01:02:03:04:05:06 --opcode Request

dom0# ebtables -L
-p IPv4 -o vif5.0 --ip-dst 123.123.123.123 -j ACCEPT
-p IPv4 -i vif5.0 --ip-src 123.123.123.123 -j ACCEPT
-p IPv4 -o vif5.0 -j DROP
-p IPv4 -i vif5.0 -j DROP

I am looking for recommendations how to protect against domU nd spoofing.

News:

How to prevent nd spoofing by xen domU guests?

tdwebste