XenServer Host Networking Protections

Background

In a multi-tenant cloud environment a host machine needs to be able to enforce network isolation amongst guest instances, at both layer two and layer three. The rules prevent guests from taking and using unauthorized IP addresses, sniffing other guests traffic, and prevent ARP poisoning attacks. IPv6 attacks will need to be factored in as well.

Assumptions

• Citrix XenServer 5.6 fp1 (Cowley)
• Linux bridge code (not Open vSwitch)
• IPv4 and IPv6 support ( initial IPv6 support in Linux Bridge, eventually better support in Open vSwitch )

Dependency

Antony Messerli from Rackspace has working scripts for applying iptables, ebtables, and arptables rules on the host. This blueprint relies on those scripts.

Requirements

• We need to ensure that we do not modify any pre-installed scripts that ship with XenServer.
• Host machines need a script equivalent to the current Rackspace 'host-rules' script that starts on boot and sets up networking restrictions for existing guests. Host rules enforce a deny all ruleset.
• Guest networking rules need to be created any time an instance starts, cleaned up on shutdown, and should reside as part of Hypervisor operations. Nova or Libvirt should not need to run these rules
• We need a Python script that listens for xapi events and triggers adding/removing rules for guests upon start/stop. When a Nova instance reboots its XenServer dom_id changes and the corresponding vif for the domain changes as well, thus requiring the networking protection rules be re-applied.
• These scripts will be stored in a hypervisor specific host 'extras' directory within the Nova source (in this case, xenserver).
• The scripts need to be generic so that they work in environments that don't make the same assumptions that Rackspace does. For example, we can not assume every host machine has eth0 and eth1 available. This could either be provided via a configuration flag, or dynamically detected.