[libvirt] [PATCH] Add V6LOCAL parameter to nwfilter rules.

Daniel P. Berrange berrange at redhat.com
Fri Apr 4 14:14:41 UTC 2014


On Fri, Apr 04, 2014 at 10:08:26AM -0400, Brian Rak wrote:
> On 4/4/2014 4:48 AM, Daniel P. Berrange wrote:
> >On Wed, Apr 02, 2014 at 03:40:14PM -0400, Brian Rak wrote:
> >>@@ -163,6 +164,28 @@ virNWFilterVarHashmapAddStdValues(virNWFilterHashTablePtr table,
> >>                             "%s", _("Could not add variable 'MAC' to hashmap"));
> >>              return -1;
> >>          }
> >>+
> >>+        virMacAddr parsedMac;
> >>+        if (virMacAddrParse(macaddr, &parsedMac) == 0)
> >>+        {
> >>+            parsedMac.addr[0] ^= 2;
> >>+
> >>+            char euiMacAddr[26];
> >>+            snprintf(euiMacAddr, sizeof(euiMacAddr), "fe80::%x%x:%xff:fe%x:%x%x", parsedMac.addr[0], parsedMac.addr[1], parsedMac.addr[2],
> >>+                parsedMac.addr[3], parsedMac.addr[4], parsedMac.addr[5]);
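Review bot: The format string in the snprintf call prints each MAC octet with a bare %x, so any octet below 0x10 loses its leading zero and the 16-bit groups come out wrong (octets 0x0b, 0x0c print as "bc", not "0b0c"); use %02x for every octet. The snprintf return value is also not checked against sizeof(euiMacAddr), so a truncated address would be used without notice.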
> >Unfortunately this IPv6 addressing scheme isn't portable. Windows Vista
> >will create link local addresses which are completely random, not based
> >on the MAC address.
> >
> >   http://technet.microsoft.com/en-us/magazine/2007.08.cableguy.aspx
> >
> >I wonder if there's a way to do something more clever for IPv6 to learn
> >the addresses, as we do for IPv4 address learning, or snoop route
> >advertisement traffic as we do for DHCP
> >
>
> Vista can be configured to use the EUI64 format though (as per that
> link).  I don't think that we can really trust that the guest is not
> malicious, so I'm not sure that trying to learn the link-local IPv6
> address would be secure.
>
> I'm not sure if there are other security issues or not, but a
> malicious guest using another guest's link local address would
> definitely cause some problems.

NB you have to decide what the threat scenario is. The learning code is
obviously vulnerable if your threat is a guest that is malicious from
the time it is first booted & we weren't attempting to address that
scenario though. The learning code is intended to protect against the
more limited scenario where your guest is initially trusted, but gets
compromised while running. This is good enough for an out of the box
config.

If you care about stronger security then you only want to rely on learning
from a trusted DHCP server response, or use a hardcoded IP address variable
in the guest XML config. These cease to be zero-config though since the
host admin must set the IP addr of the trusted DHCP server, or set the
guest IP addr(s).

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
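
The MAC-to-link-local mapping debated in this thread (modified EUI-64, RFC 4291 Appendix A), as an added example that is not part of the patch or of libvirt: it builds the address as bytes and lets inet_ntop() render it, next to the same octets pushed through unpadded %x. Function names are hypothetical and the sample MAC is constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Added example, hypothetical names. Parse "aa:bb:cc:dd:ee:ff"; 0 on success, -1 otherwise. */
static int parse_mac(const char *s, uint8_t m[6])
{
    char extra;
    return sscanf(s, "%2hhx:%2hhx:%2hhx:%2hhx:%2hhx:%2hhx%c",
                  &m[0], &m[1], &m[2], &m[3], &m[4], &m[5], &extra) == 6 ? 0 : -1;
}

/* Modified EUI-64 link-local address, rendered by inet_ntop().
 * Constructed sample: 52:54:00:0a:0b:0c -> fe80::5054:ff:fe0a:b0c */
int eui64_linklocal(const char *s, char *out, size_t len)
{
    uint8_t m[6];
    struct in6_addr a;
    if (parse_mac(s, m) < 0)
        return -1;
    memset(&a, 0, sizeof(a));
    a.s6_addr[0] = 0xfe; a.s6_addr[1] = 0x80;
    a.s6_addr[8] = m[0] ^ 0x02;   /* flip the universal/local bit */
    a.s6_addr[9] = m[1]; a.s6_addr[10] = m[2];
    a.s6_addr[11] = 0xff; a.s6_addr[12] = 0xfe;
    a.s6_addr[13] = m[3]; a.s6_addr[14] = m[4]; a.s6_addr[15] = m[5];
    return inet_ntop(AF_INET6, &a, out, (socklen_t)len) ? 0 : -1;
}

/* Same octets through unpadded %x: one digit is lost per octet below 0x10. */
int eui64_unpadded(const char *s, char *out, size_t len)
{
    uint8_t m[6];
    int n;
    if (parse_mac(s, m) < 0)
        return -1;
    n = snprintf(out, len, "fe80::%x%x:%xff:fe%x:%x%x",
                 m[0] ^ 0x02, m[1], m[2], m[3], m[4], m[5]);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* 1 if both strings are the same IPv6 address, 0 if not, -1 on parse error. */
int same_addr(const char *x, const char *y)
{
    struct in6_addr a, b;
    if (inet_pton(AF_INET6, x, &a) != 1 || inet_pton(AF_INET6, y, &b) != 1)
        return -1;
    return memcmp(&a, &b, sizeof(a)) == 0;
}
```

For the sample MAC the unpadded string still parses as a valid IPv6 address, but a different one, so a filter rule built from it would match the wrong source.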



