
From: Thomas Gelf (vserver_at_gelf.net)
Date: Sat 28 Feb 2004 - 06:06:23 GMT


On Fri, 27.02.2004 at 23:58, Herbert Poetzl wrote:
> well, the thing is, in that case you would need two
> tuntap devices to get the same as the UML implementation
> uses, one converting the packets to a data stream, and
> the other converting it back from data stream to packets
> (which doesn't make much sense)

?????

> and this doesn't even cover the restrictions, not
> present in UML (so you have to use iptables & co on
> the host)

UML offers iptables inside a virtual server - nice to have,
but not really needed.

> hmm, I'd like to know what problems you have with the
> current approach, except for the fact, that it doesn't
> look nice to have eth0:XYZ instead of eth0?

simple: I cannot have CAP_NET_ADMIN, and if so, it doesn't
work right on an interface alias.

> I'd appreciate a list of things you are 'missing'
> together with a small comment, how to make that feature
> secure on a vserver, as example:
>
> - missing: ping doesn't work like on linux server xy
> why: ping requires CAP_NET_RAW, giving that would mean
> - vserver can generate arbitrary packets
> - vserver can fake packets from other vservers
> - vserver can generate fake arp replies
> this can be secured by:
> - checking every raw packet via some packet checker
> - filtering out malicious packets ...

I've been using vserver for 3 weeks, but I've found a solution
to give a vserver CAP_NET_RAW without security problems...
ping works, arbitrary packets are no problem, faking arbitrary
packets from other servers: doesn't SEEM to work, and I'm sure
that this would not work if I could use tun/tap the way I'd
like to. fake ARP: also seems that it wouldn't work, and I'm
sure this will be absolutely no problem with kernel v2.6
and ebtables - there is no special packet checker needed.

> hmm, could you do some security tests regarding the
> network tricks possible with FreeVPS, I would be very
> interested, what they allow and what not ...

no, I'm not interested in FreeVPS, I'll not use a Red Hat
kernel - and I didn't want you to copy the FreeVPS networking
solution. but I WOULD LIKE a solution that offers
the possibilities that FreeVPS offers. and I described
ONE POSSIBLE WAY to do that. I'd also agree with another
solution doing the same thing, but I do not agree with
some "interface aliasing / IP number limiting strange thing
nobody knows about".

> yeah, we should talk about that on irc, I'm very
> interested in your findings and your approaches and
> ofcourse your ideas, maybe together we can find that
> better solution, which is still missing ...

ok, cu there - when?

> well, real servers have separate network cards, and
> switches guarding between them, but yes, all that is
> possible in software too (see example above)

yeah, all this is implemented in the default Linux kernel
(bridge & tun/tap) - so why not use that?

> > all the nice things like traffic shaping can easily be done,
> > no alias interfaces are needed - but you could create them
> > inside the vserver if you like...
>
> agreed

> > have a nice evening!
> you too!

after one of my best friends' birthday party at 7 o'clock in the
morning... I can say it was a very funny evening - have a good
night :o)

-- 
Thomas Gelf <vserver_at_gelf.net>

_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
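The bridge-plus-ebtables approach mentioned in the message above (stopping a CAP_NET_RAW guest from forging source MACs, IPs or ARP replies without a special packet checker) can be expressed as a small rule set on the guest's tap port. This is an added illustration, not code from the thread or from the vserver project; the interface name, MAC and IP are constructed, and it dry-runs by printing the commands unless EBT=ebtables is set.

```shell
#!/bin/sh
# Added example: per-port anti-spoofing with ebtables on a Linux bridge.
# Assumes the guest is attached to the bridge through one tap interface.
# Default is a dry run that echoes the commands; run as root with
# EBT=ebtables to apply them for real.
EBT="${EBT:-echo ebtables}"

# guard_port <tap-if> <guest-mac> <guest-ip>
# Frames leaving this port must carry the guest's own MAC, and ARP/IPv4
# frames must also carry the guest's own IP; anything else is logged
# and dropped, so the guest cannot impersonate the host or a neighbour.
guard_port() {
    tap=$1; mac=$2; ip=$3; chain="vs_$tap"
    $EBT -N "$chain"
    $EBT -P "$chain" DROP
    # ARP: sender hardware and protocol address both pinned to the guest
    $EBT -A "$chain" -p ARP -s "$mac" --arp-mac-src "$mac" --arp-ip-src "$ip" -j ACCEPT
    # IPv4: source MAC and source IP both pinned to the guest
    $EBT -A "$chain" -p IPv4 -s "$mac" --ip-src "$ip" -j ACCEPT
    # everything else (other ethertypes, forged MAC/IP) is logged, then dropped
    $EBT -A "$chain" --log-prefix "spoof $tap: " -j DROP
    # hook the chain for bridged frames and for frames aimed at the host itself
    $EBT -A FORWARD -i "$tap" -j "$chain"
    $EBT -A INPUT -i "$tap" -j "$chain"
}

# Number of -A rules the generator emits for one port (dry-run sanity check)
rule_count() { guard_port "$@" | grep -c -- ' -A '; }

# constructed sample guest: tap0 with a locally administered MAC
guard_port tap0 02:00:00:00:00:10 10.0.0.10
```

Apply the same function once per guest port; the per-port chain keeps one guest's rules from interfering with another's.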


Generated on Sat 28 Feb 2004 - 06:12:12 GMT by hypermail 2.1.3