Port-xen archive


Re: xen networking



On Sat, 6 Jun 2020, Greg Troxel wrote:

> I was assuming that you expected the DHCP server on the same ethernet as
> dom0-wm0 to hand out an address for a new, previously unknown MAC
> address.   Obviously that is not the case, so you just are only going to
> have the one address.

Yeah. I didn't really think that through.

> > Hm ok, perhaps that would be an option. I can assign whatever MAC address 
> > on the domU that I like. I don't think I can actually remove the wm0 MAC 
> > but could add something else as the active address.
> 
> This seems to me to be asking for trouble.   To me, dom0 stability is
> the most important thing, as it is how you manage everything else.  So I
> would leave the true mac on wm0 and that IP address on the dom0 and not
> even consider messing with that.

And I couldn't get anything to work anyway (2 visits to the rescue image :)
 
> If your real goals are:
> 
>   have each domU be able to just run dhcpcd and get a (local) address
>   and have NATed connectivity
> 
>   optimize dom0 security
> 
>   keep things not super complex, so they remain reliable

Yes, that's about it, but I also want to see how this stuff works.

> OPTION 1
> 
>   use dom0 wm0 normally, with the single real IP address
> 
>   create bridge0 on dom0, with xvifN.0 for each domU in it, so that it is
>   as if you had another switch, and plugged all the domU computers into it
> 
>   (here's the awkward part) Put wm1 in bridge0, and assign it
>   192.168.1.1/24.  It would be nice if NetBSD had a pseudoethernet
>   interface that could have an address and be bridged, just not with a
>   physical backend.  I suppose tap(4) is basically this, assuming it
>   works if you just don't open the userspace control part.

Well, I've been struggling but eventually got it working like this. I don't 
know why, but it just won't operate on "wm1" (perhaps because there is no 
carrier) (more visits to the rescue image), but then it wouldn't work on tap0 
either. I've now got dnsmasq binding to the local address (which is on the 
tap) rather than trying to specify the interface, and that is working ok.

>   run NAT on dom0 from wm1's addr to wm0, and DHCP server also
> 
>   set up firewalls as restrictively as possible

Yes, I think NAT is next but I do need to secure the domUs a bit better 
first before opening them up.

> OPTION 2
> 
>   with this scheme, a domU will be NATed twice.  The security benefit is
>   that the dnsmasq code on domU-Z is the thing that is exposed to the
>   other domUs.  So if they exploit it, they get access to domU-Z.  But
>   because you have statically configured domU-Z's IP address, there is
>   no dhcp server code on the dom0 to attack from Z.

I thought about the double NAT but don't know if it's too complex really, 
though I did like having the isolated router.

> I don't know how safe dnsmasq is, if it does privsep, etc.   So I can't
> say if it's worth it to do option 2 instead of 1.   It is certainly more
> complicated and requires more processing.   I would lean to trying to
> run servers with privsep only, and all the various hardening things
> turned on.

dnsmasq does drop privs after starting. I was attracted to it because it 
handles the DNS too, meaning I can easily access internal systems by name and 
keep the config in one place.

iain
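Option 1 as discussed above (bridge0 with the xvif interfaces and a tap0 carrying the private address, dnsmasq bound to that address, NAT on wm0 with a restrictive NPF policy), written out as the NetBSD config files it implies. This is an added example by the editor, not configuration from the thread or from either poster; the 192.168.1.0/24 range, the tap0/bridge0/wm0 names, the domain name xen.lan, the sample domU MAC and hostname, and the ordering of interface creation are assumptions, and the NPF rules should be checked with `npfctl validate` on the target system before use.

```conf
# /etc/rc.conf (additions)
npf=YES
dnsmasq=YES          # rc script copied from /usr/pkg/share/examples/rc.d/dnsmasq

# /etc/sysctl.conf (addition): dom0 must forward between tap0 and wm0
net.inet.ip.forwarding=1

# /etc/ifconfig.bridge0
# tap0 is created here (not in its own ifconfig.tap0) so it is guaranteed
# to exist before it is added to the bridge; the relative order in which
# rc.d/network processes ifconfig.* files is an assumption, check yours.
# "$int" expands to the interface name (bridge0) in "!" lines.
create
!ifconfig tap0 create
!ifconfig tap0 inet 192.168.1.1 netmask 255.255.255.0 up
!brconfig $int add tap0 up
# xvifN.0 for each domU is added by the vif-bridge script at domain start.

# domU config fragment (/usr/pkg/etc/xen/domu1): attach to the bridge with a
# fixed Xen-OUI MAC so dnsmasq can hand it a stable address (sample values)
vif = [ 'mac=00:16:3e:00:00:01, bridge=bridge0' ]

# /usr/pkg/etc/dnsmasq.conf
# bind to the tap address rather than an interface name, as in the thread
listen-address=192.168.1.1
bind-interfaces
# never forward unqualified names or reverse lookups of private ranges upstream
domain-needed
bogus-priv
# one place for internal names: hosts in xen.lan are answered locally
domain=xen.lan
local=/xen.lan/
expand-hosts
dhcp-range=192.168.1.50,192.168.1.99,12h
dhcp-host=00:16:3e:00:00:01,domu1,192.168.1.11
dhcp-authoritative
# dnsmasq drops root after start; nobody is the default, stated explicitly
user=nobody

# /etc/npf.conf
$ext_if = "wm0"
$int_if = "tap0"
$internal = { 192.168.1.0/24 }

# NAT the domU network behind wm0's single real address
map $ext_if dynamic $internal -> $ext_if

group "external" on $ext_if {
	pass stateful out final all
	# only what dom0 itself offers on the outside, here ssh
	pass stateful in final proto tcp to $ext_if port 22
}

group "internal" on $int_if {
	# domUs may reach dom0 only for DHCP (broadcast, before they have an
	# address) and DNS, i.e. only the dnsmasq listeners
	pass in final proto udp from any port 68 to any port 67
	pass stateful in final proto udp from $internal to $int_if port 53
	pass stateful in final proto tcp from $internal to $int_if port 53
	# every other port on dom0 stays closed to the domUs
	block in final from $internal to $int_if
	# traffic to the outside is forwarded (and NATed above)
	pass stateful in final from $internal
	pass out final all
}

group default {
	pass final on lo0 all
	block all
}
```

Two caveats a practitioner would want alongside this. First, the "internal" group only covers traffic that reaches dom0's IP stack: domU-to-domU traffic on bridge0 is switched at layer 2 and never passes through NPF, so this does not isolate the domUs from each other, which is the property the double-NAT Option 2 was reaching for. Second, after `npfctl validate /etc/npf.conf` succeeds, `npfctl reload` followed by `npfctl start` activates the rules; do this with console access, since a mistake in the "external" group locks you out of the dom0 the thread is so keen to keep stable.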

