Dear, I have tested more times and another guest can rob the IP of another running container! Is that a bug?
This can be an absolutely horrible situation, e.g. one client uses the server (container) to install a nameserver on it. The other customer on another container can change the IP to the IP of the other container and can create a new nameserver, and now he can manipulate all nameserver entries of the other! How is it possible to secure this? There is nothing written in the wiki or other documentation!

On 20.01.2016 at 01:54, Detlef Bracker wrote:
> Dear,
>
> At the moment I test on Proxmox 3.4 the bridging via OVH vrack 1.5!
>
> The old way I used before:
>
> RIPE-RIRs                              container 100 (via venet)
> RIPE-RIRS -----> eth0 ---> venet --->  container 101 (via venet)
> RIPE-RIES         I                    container 102 (via venet)
>                   I
>                   I---> vmbr0 ---> vm 700 (via OVH-MAC = IP)
>                                    vm 701 (via OVH-MAC = IP)
>
> The new way I preferred, but I see big security problems:
>
> RIPE-RIRs                              container 100 (via venet)
> RIPE-RIRS -----> eth0 ---> venet --->  container 101 (via venet)
> RIPE-RIES         I                    container 102 (via venet)
>                   I
>                   I---> vmbr0 ---> vm 700 (via OVH-MAC = IP)
>                                    vm 701 (via OVH-MAC = IP)
>
> RIPE-RIRs                                       container 100 (via insecure MAC veth)
> RIPE-RIRS -----> vrack -> eth1 ---> vmbr2 --->  container 101 (via insecure MAC veth)
> RIPE-RIES                                       container 102 (via insecure MAC veth)
>
> In the new way the MAC for the vrack is equal, but must be unique!
> In a container the customer can change the IP and can take the IP from the neighbour!
> At first the IP was used by 100, then 101 manipulated the interface settings and used the IP from 100. The 100 can't ping anymore and the robber on 101 can ping with the IP from 100 and can grab all traffic from the other customer! A horrible situation!
>
> In the old way, without vrack, the MACs were declared specially 1:1 to IP in the OVH system. In vrack this is equal!
> OK, possibly use the Proxmox firewall, block the whole traffic for all containers on veth and allow only the traffic for the IPs I have reserved for the container/veth interface!
>
> Is this secure enough? How does Proxmox 4.x handle it? I have seen that it is possible to set the IPs directly in the GUI for the interfaces; how is that with the security in 4.x!
>
> Is there a way that I can ask from the host what IPs the veth interfaces actually use?
> "vzctl exec ifconfig", but then I have the same question: how to request this from virtual machines?!
>
> Same for scripts to control different things!
> arp -an on the host brings nothing on all interfaces!
>
> Regards
>
> Detlef
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
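An added example, not from this thread and not Proxmox's own code, of the host-side audit the post asks for: the host collects `ip -o -4 addr show` output from every container (for example with `pct exec <vmid> -- ip -o -4 addr show` on Proxmox 4.x, or `vzctl exec` on 3.x) and compares each configured address with the IPs reserved for that container, so a container that has taken a neighbour's IP is reported. The reservation map and the command output below are constructed sample data.

```python
"""Audit container IP usage on a Proxmox host against per-container reservations."""
import ipaddress
import re

# Reservation map (assumed, constructed for this example): vmid -> IPs it may use.
RESERVED = {
    100: {"203.0.113.10"},
    101: {"203.0.113.11"},
    102: {"203.0.113.12"},
}

# Constructed `ip -o -4 addr show` output as collected from inside each container.
# Container 101 has added the address reserved for container 100 as a secondary IP.
OBSERVED = {
    100: "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
         "2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0\\       valid_lft forever preferred_lft forever\n",
    101: "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
         "2: eth0    inet 203.0.113.11/24 brd 203.0.113.255 scope global eth0\\       valid_lft forever preferred_lft forever\n"
         "2: eth0    inet 203.0.113.10/24 scope global secondary eth0\\       valid_lft forever preferred_lft forever\n",
    102: "2: eth0    inet 203.0.113.12/24 brd 203.0.113.255 scope global eth0\\       valid_lft forever preferred_lft forever\n",
}

# One-line `ip -o` format: "<idx>: <iface>    inet <addr>/<prefix> ..."
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+([\d.]+)/\d+")


def parse_ip_addr(output):
    """Return {iface: {ip, ...}} for the non-loopback IPv4 addresses in the output."""
    found = {}
    for line in output.splitlines():
        m = ADDR_RE.match(line)
        if not m:
            continue
        iface, ip = m.groups()
        if ipaddress.ip_address(ip).is_loopback:
            continue
        found.setdefault(iface, set()).add(ip)
    return found


def audit(reserved, observed):
    """List (vmid, iface, ip, owner) for every address a container uses but does not own.
    `owner` is the vmid the IP is reserved for, or None if it is reserved for nobody."""
    owner_of = {ip: vmid for vmid, ips in reserved.items() for ip in ips}
    violations = []
    for vmid, output in observed.items():
        for iface, ips in parse_ip_addr(output).items():
            for ip in sorted(ips):
                if ip not in reserved.get(vmid, set()):
                    violations.append((vmid, iface, ip, owner_of.get(ip)))
    return violations


if __name__ == "__main__":
    for vmid, iface, ip, owner in audit(RESERVED, OBSERVED):
        print(f"CT {vmid} uses {ip} on {iface}; reserved for CT {owner}")
```

Because the addresses inside a container are under the tenant's control, the reservation itself has to be enforced on the host: Proxmox VE 4.x's firewall provides the per-interface `ipfilter-net<N>` IPSets together with the `ipfilter` option in the container's firewall configuration for exactly this purpose, and the audit above only reports what got through.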