<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Dear, <br>
<br>
I have tested more times, and another guest can rob the IP of the
other running container!<br>
Is that a bug?<br>
<br>
This can be an absolutely horrible situation, e.g. one client uses
the server (container)<br>
to install a nameserver on it. The customer on another container
can change the IP to<br>
the IP of the other container and can create a new nameserver, and
now he can manipulate<br>
all nameserver entries of the other!<br>
<br>
How is it possible to secure this? There is nothing written in
the wiki or other <br>
documentation!<br>
<br>
<div class="moz-cite-prefix">On 20.01.2016 at 01:54, Detlef
Bracker wrote:<br>
</div>
<blockquote cite="mid:569EDAAE.4090307@1awww.com" type="cite">
<pre wrap="">Dear,
At the moment I am testing on Proxmox 3.4 the bridging via OVH vrack 1.5!

The old way I used before:

RIPE-RIRs                             container 100 (via venet)
RIPE-RIRS -----> eth0 ---> venet ---> container 101 (via venet)
RIPE-RIES         I                   container 102 (via venet)
                  I
                  I---> vmbr0 ---> vm 700 (via OVH-MAC = IP)
                                   vm 701 (via OVH-MAC = IP)

The new way I preferred, but I see big security problems:

RIPE-RIRs                             container 100 (via venet)
RIPE-RIRS -----> eth0 ---> venet ---> container 101 (via venet)
RIPE-RIES         I                   container 102 (via venet)
                  I
                  I---> vmbr0 ---> vm 700 (via OVH-MAC = IP)
                                   vm 701 (via OVH-MAC = IP)

RIPE-RIRs                                      container 100 (via unsecure MAC veth)
RIPE-RIRS -----> vrack -> eth1 ---> vmbr2 ---> container 101 (via unsecure MAC veth)
RIPE-RIES                                      container 102 (via unsecure MAC veth)

In the new way the MAC for the vrack is equal, but must be unique!
In a container the customer can change the IP and can take the IP from
the neighbor!

At first the IP was used by 100, and 101 manipulated the interface
settings and used the IP from 100. The 100 can't ping anymore and the
robber on 101 can ping with the IP from 100 and can grab all traffic
from the other customer! A horrible situation!

In the old way, without vrack, the MACs were declared specially 1:1 to
IP in the OVH system. In vrack this is equal! OK, it is possible to use
the Proxmox firewall, block the whole traffic for all containers on veth
and allow only the traffic for the IPs I have reserved for the
container/veth interface!

Is this secure enough? How does Proxmox 4.x handle it? I have seen that
it is possible there to set the IPs directly in the GUI for the
interfaces; how is that with the security in 4.x?

Is there a way that I can ask from the host which IPs the veth
interfaces currently use? "vzctl exec ifconfig", but then I have the
same question: how do I make these requests to virtual machines?!
The same goes for scripts to control different things!

arp -an on the host shows nothing on all interfaces!

Regards
Detlef
</pre>
<pre wrap="">_______________________________________________
pve-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:pve-devel@pve.proxmox.com">pve-devel@pve.proxmox.com</a>
<a class="moz-txt-link-freetext" href="http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel">http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<p>ATTENTION: Your inquiry text is located below our sender details!<br>
P.S. <a
href="http://blog.1awww.com/2012/05/30/achtung-internet-seiten-betreiber-eprivacy-richtlinien-umzusetzen/">ePrivacy
in Europe - read more</a> <br>
<br>
Kind regards<br>
1awww.com - Internet-Service-Provider<br>
<br>
Detlef Bracker<br>
Camino Velilla 1, E 18690 Almunecar, Tel.: +34.6 343 232 61 *
EU-VAT-ID: ESX4516542D<br>
</p>
</div>
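<p>Added example, not part of the original e-mail and not Proxmox's own code: one way to express the per-interface allow-list the quoted message proposes, as ebtables rules that bind each bridge port to its reserved MAC and IPv4 address and drop everything else from that port. The port names, MACs and addresses are constructed sample values, guests are assumed to be IPv4-only, and the commands are printed for review rather than executed.</p>

```shell
#!/bin/sh
# Constructed allocation table: bridge-port  MAC  IPv4 (documentation range).
# One line per container; the port names follow the vethCTID.0 pattern
# and are assumptions, as are the MACs and addresses.
ALLOC='veth100.0 02:00:00:00:01:00 192.0.2.100
veth101.0 02:00:00:00:01:01 192.0.2.101
veth102.0 02:00:00:00:01:02 192.0.2.102'

# check_alloc TABLE
# Fails (non-zero) when a line is malformed or when a MAC or an IP is
# assigned to more than one port: a shared MAC or IP makes the binding
# below meaningless.
check_alloc() {
    printf '%s\n' "$1" | awk '
        NF != 3        { printf "bad line %d\n", NR; bad = 1; next }
        seen_mac[$2]++ { printf "duplicate MAC %s\n", $2; bad = 1 }
        seen_ip[$3]++  { printf "duplicate IP %s\n", $3; bad = 1 }
        END            { exit bad + 0 }'
}

# gen_rules TABLE
# Prints ebtables commands; it does not run them. Per port and chain:
#   1. accept IPv4 frames carrying the reserved source MAC and source IP
#   2. accept ARP whose sender MAC/IP match the reservation
#   3. drop anything else arriving on that port (this includes IPv6)
# INPUT covers frames addressed to the host, FORWARD frames bridged on.
gen_rules() {
    check_alloc "$1" >&2 || return 1
    printf '%s\n' "$1" | while read -r port mac ip; do
        for chain in INPUT FORWARD; do
            echo "ebtables -A $chain -i $port -s $mac -p IPv4 --ip-src $ip -j ACCEPT"
            echo "ebtables -A $chain -i $port -s $mac -p ARP --arp-ip-src $ip --arp-mac-src $mac -j ACCEPT"
            echo "ebtables -A $chain -i $port -j DROP"
        done
    done
}

gen_rules "$ALLOC"
```

<p>With these rules a container that reconfigures its interface to a neighbour's address can neither answer ARP for it nor send IPv4 frames from it, because both checks are made on the host side of the veth pair, outside the guest's control.</p>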
</body>
</html>