[pve-devel] BUG? VETH and manipulation of IP in container (big risk possible)

Detlef Bracker bracker at 1awww.com
Thu Jan 21 19:48:40 CET 2016


Dear,

I have tested this several times, and another guest can rob the IP of the other
running container!
Is that a bug?

This can be an absolutely horrible situation, e.g. one client uses the
server (container) to install a nameserver on it. The other customer on another
container can change the IP to the IP of the other container and can create
a new nameserver, and now he can manipulate all nameserver entries of the other!

How is it possible to secure this? There is nothing written in the
wiki or other documentation!

On 20.01.2016 at 01:54, Detlef Bracker wrote:
> Dear,
>
> At the moment I am testing bridging via OVH vRack 1.5 on Proxmox 3.4!
>
> The old way I used before:
>
> RIPE-RIRs                              container 100 (via venet)
>
> RIPE-RIRs  -----> eth0 ---> venet ---> container 101 (via venet)
> RIPE-RIRs             I                container 102 (via venet)
>                       I
>                       I---> vmbr0 ---> vm 700 (via OVH-MAC = IP)
>                                        vm 701 (via OVH-MAC = IP)
>
> The new way I preferred, but I see big security problems:
>
> RIPE-RIRs                              container 100 (via venet)
>
> RIPE-RIRs  -----> eth0 ---> venet ---> container 101 (via venet)
> RIPE-RIRs             I                container 102 (via venet)
>                       I
>                       I---> vmbr0 ---> vm 700 (via OVH-MAC = IP)
>                                        vm 701 (via OVH-MAC = IP)
>
> RIPE-RIRs                                       container 100 (via insecure MAC veth)
> RIPE-RIRs  -----> vrack -> eth1 ---> vmbr2 ---> container 101 (via insecure MAC veth)
> RIPE-RIRs                                       container 102 (via insecure MAC veth)
>
>
> In the new way the MAC for the vRack is equal, but it must be unique!
> In a container the customer can change the IP and can take the IP from
> the neighbour!
> At first the IP was used by 100, and 101 manipulated the interface
> settings and used the IP from 100. 100 can't ping anymore, and the robber on
> 101 can ping with the IP from 100 and can grab all traffic from the other
> customer! A horrible situation!
>
> In the old way, without vRack, the MACs were declared specially 1:1 to IP
> in the OVH system. In vRack this is equal! OK, it is possible to use the
> Proxmox firewall, block the whole traffic for all containers on veth and
> allow only the traffic for the IPs I have reserved for the container/veth
> interface!
>
> Is this secure enough? How does Proxmox 4.x handle it? I have seen it is
> possible to set the IPs directly in the GUI for the interfaces; how is that
> with the security in 4.x?
>
> Is there a way that I can ask from the host what IPs the veth interfaces
> currently use? "vzctl exec ifconfig", but then I have the same question: how
> to request this from virtual machines?!
>
> The same for scripts to control different things!
> arp -an on the host shows nothing on all interfaces!
>
> Regards
>
> Detlef
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

-- 



Kind regards
1awww.com - Internet-Service-Provider

Detlef Bracker
Camino Velilla 1, E 18690 Almunecar, Tel.: +34.6 343 232 61 * EU-VAT-ID:
ESX4516542D
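Added example for the two questions in the thread (the proposed firewall pinning of a veth to its reserved IPs, and how to ask from the host which IPs a guest actually uses). This is not code from the post and not Proxmox's own tooling; the function names and the sample `ip` output are my own. It assumes the Proxmox VE 4.x guest firewall file format (`/etc/pve/firewall/<vmid>.fw` with an `[OPTIONS]` section and an `[IPSET ipfilter-net0]` set), that the tenant's veth is the guest's `net0`, and IPv4 only. With `ipfilter: 1` the host firewall drops outgoing packets from `net0` whose source address is not in that set, and `macfilter: 1` does the same for the source MAC, which is the host-side enforcement the post is asking for since the vRack itself, as described above, does not bind IPs to MACs.

```shell
#!/bin/sh
# Added example (not from the mailing-list post, not Proxmox's own tooling).
# Assumptions: Proxmox VE 4.x guest firewall format (/etc/pve/firewall/<vmid>.fw),
# the tenant's veth is the guest's net0, IPv4 only. Function names are my own.

# 1. Pin a container's net0 to its reserved addresses.
#    `ipfilter: 1` drops outgoing packets from net0 whose source IP is not in
#    the ipfilter-net0 set; `macfilter: 1` (the default) does the same for the
#    source MAC. Write the output to /etc/pve/firewall/<vmid>.fw on the host
#    (pve-firewall must be running for it to take effect).
pve_ipfilter_config() {
    vmid=$1
    shift
    printf '# /etc/pve/firewall/%s.fw (generated)\n' "$vmid"
    printf '[OPTIONS]\n'
    printf 'enable: 1\n'
    printf 'macfilter: 1\n'
    printf 'ipfilter: 1\n'
    printf 'policy_in: DROP\n'
    printf 'policy_out: ACCEPT\n'
    printf '\n[IPSET ipfilter-net0]\n'
    for ip in "$@"; do
        printf '%s\n' "$ip"
    done
}

# 2. Check from the host which IPv4 addresses a guest actually carries.
#    Feed it the output of `ip -o -4 addr show` run inside the guest:
#      PVE 4.x (LXC):    pct exec "$VMID" -- ip -o -4 addr show | pve_audit_guest_ips 192.0.2.11
#      PVE 3.x (OpenVZ): vzctl exec "$VMID" ip -o -4 addr show   | pve_audit_guest_ips 192.0.2.11
#    Arguments are the addresses reserved for that guest. Prints every other
#    non-loopback address as "FOREIGN <if> <ip>" and returns 1 if any is found.
pve_audit_guest_ips() {
    allowed=" $* "
    rc=0
    while read -r _idx ifname fam addr rest; do
        [ "$fam" = "inet" ] || continue
        case "$rest" in *"scope host"*) continue ;; esac   # skip 127.0.0.0/8
        ip=${addr%/*}                                       # drop the prefix length
        case "$allowed" in
            *" $ip "*) ;;
            *) echo "FOREIGN $ifname $ip"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample (not real output): container 101, whose reserved address is
# 192.0.2.11, has added 192.0.2.10, the address reserved for container 100.
SAMPLE_CT101='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.11/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global secondary eth0\       valid_lft forever preferred_lft forever'

if printf '%s\n' "$SAMPLE_CT101" | pve_audit_guest_ips 192.0.2.11; then
    echo "container 101 uses only its reserved addresses"
else
    echo "container 101 carries a foreign address; pin it with:"
    pve_ipfilter_config 101 192.0.2.11
fi
```

Two caveats a practitioner should check rather than assume: the audit only sees what the guest reports, so a tenant with root inside the container can hide an address from `ip` only by not configuring it, which is fine, but it cannot replace the host-side filter; and the takeover described in the post works at layer 2 (the neighbour's address is claimed via ARP on the shared bridge), so after enabling `ipfilter` verify on the host that ARP replies for the foreign address from that veth are also dropped, not only IP packets. `arp -an` on the host shows nothing for these guests because the host itself does not exchange traffic with them on vmbr2; a capture on the bridge (`tcpdump -ni vmbr2 arp`) shows the claims instead.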

