[pve-devel] VETH and manipulation of ip in container (big risk possible)

Detlef Bracker bracker at 1awww.com
Wed Jan 20 01:54:06 CET 2016


Dear,

At the moment I am testing on Proxmox 3.4 the bridging via OVH vRack 1.5!

The old way I used before:

RIPE-RIRs                              container 100 (via venet)
           
RIPE-RIRS  -----> eth0 ---> venet ---> container 101 (via venet)
RIPE-RIES             I                container 102 (via venet)
                      I
                      I---> vmbr0 ---> vm 700 (via OVH-MAC = IP)
                                       vm 701 (via OVH-MAC = IP)

The new way I prefer, but I see big security problems:

RIPE-RIRs                              container 100 (via venet)
           
RIPE-RIRS  -----> eth0 ---> venet ---> container 101 (via venet)
RIPE-RIES             I                container 102 (via venet)
                      I
                      I---> vmbr0 ---> vm 700 (via OVH-MAC = IP)
                                       vm 701 (via OVH-MAC = IP)

RIPE-RIRs                                       container 100 (via unsecure MAC veth)
RIPE-RIRS  -----> vrack -> eth1 ---> vmbr2 ---> container 101 (via unsecure MAC veth)
RIPE-RIES                                       container 102 (via unsecure MAC veth)


In the new way the MAC for the vRack is equal, but it must be unique!
In a container the customer can change the IP and can take the IP from the neighbour!
In the first case the IP was used by 100, and 101 manipulates the interface settings and uses the IP from 100. 100 can't ping anymore, and the robber on 101 can ping with the IP from 100 and can grab all traffic from the other customer! A horrible situation!

In the old way, without vRack, the MACs were declared specially 1:1 to the IPs in the OVH system. In vRack this is equal! OK, it is possible to use the Proxmox firewall, block for all containers on veth the whole traffic and allow only the traffic for the IPs I have reserved for the container/veth interface!

Is this secure enough? How does Proxmox 4.x handle it? I have seen that there it is possible to set the IPs directly in the GUI for the interfaces; how is that with the security in 4.x?

Is there a way that I can ask from the host what IPs the veth interfaces currently use? "vzctl exec ifconfig", but then I have the same question: how do I request this from virtual machines?!

The same goes for scripts to control different things!
arp -an on the host brings nothing on all interfaces!

Regards

Detlef

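A host-side check for the hijack scenario described in the post, added here as an example that is not from the post or from Proxmox: it compares a snapshot in the output format of `ip -4 neigh show dev vmbr2` against the operator's own reservation table (both constructed below, with hypothetical addresses and veth MACs) and reports reserved IPs that answer from another container's MAC, plus IPs on the bridge that nobody reserved.

```python
import ipaddress
import re

# Constructed reservation table: reserved IP -> (container id, veth MAC).
# An operator would build this from the CT configs; values are hypothetical.
RESERVED = {
    "203.0.113.100": ("100", "02:00:00:aa:00:64"),
    "203.0.113.101": ("101", "02:00:00:aa:00:65"),
    "203.0.113.102": ("102", "02:00:00:aa:00:66"),
}

# Constructed snapshot in the output format of `ip -4 neigh show dev vmbr2`:
# .100 resolves to the MAC of container 101's veth, .150 was never reserved.
NEIGH_SNAPSHOT = """\
203.0.113.100 lladdr 02:00:00:aa:00:65 REACHABLE
203.0.113.101 lladdr 02:00:00:aa:00:65 STALE
203.0.113.102 lladdr 02:00:00:aa:00:66 REACHABLE
203.0.113.150 lladdr 02:00:00:aa:00:66 REACHABLE
203.0.113.1 FAILED
"""

# "<ip> [dev <if>] lladdr <mac> <state>"; entries without lladdr are skipped.
NEIGH_RE = re.compile(r"^(\S+)\s+(?:dev\s+\S+\s+)?lladdr\s+([0-9a-fA-F:]{17})\s+\S+$")
def parse_neigh(text):
    """Return {ip: mac} for neighbour entries that carry a link-layer address."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            seen[m.group(1)] = m.group(2).lower()
    return seen
def find_conflicts(neigh_text, reserved):
    """Return (ip, seen_mac, verdict) for every bridge entry that disagrees with
    the reservation table: 'hijacked:<ctid>' when a reserved IP answers from
    another container's veth MAC, 'unreserved:<ctid>' when nobody reserved the IP."""
    mac_to_ct = {mac.lower(): ct for ct, mac in reserved.values()}
    findings = []
    for ip, mac in sorted(parse_neigh(neigh_text).items(),
                          key=lambda kv: ipaddress.ip_address(kv[0])):
        owner = mac_to_ct.get(mac, "unknown")   # which container holds that MAC
        if ip not in reserved:
            findings.append((ip, mac, "unreserved:" + owner))
        elif mac != reserved[ip][1].lower():
            findings.append((ip, mac, "hijacked:" + owner))
    return findings

if __name__ == "__main__":
    for ip, mac, verdict in find_conflicts(NEIGH_SNAPSHOT, RESERVED):
        print(f"{ip:15} {mac}  {verdict}")
```

The host's neighbour cache only holds entries for guests it has exchanged ARP with, which is why an idle host shows nothing; take the snapshot after the host has talked to each reserved IP, or feed the check from a capture on the bridge instead.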