[Pkg-xen-devel] Bug#715333: IPv6 security risks with XCP dom0

Daniel Pocock daniel at pocock.com.au
Mon Jul 8 08:33:16 UTC 2013


Package: xcp-xapi
Version: 1.3.2-14
Severity: important

I understand that XCP version 1.3 doesn't support IPv6.

This blog talks about enabling it in v1.6:
http://jeffloughridge.wordpress.com/2013/06/16/ipv6-in-xcp-1-6/

However, one observation that I have made is that the dom0 host, in a
default wheezy installation, has kernel IPv6 enabled and appears to have
a link-local address on every interface for every domU.

This means that the dom0 has IP connectivity to every domU, even if some
of the domUs are configured behind a virtual firewall and not explicitly
bridged to the dom0.

A workaround would simply be explicitly disabling IPv6 in dom0 (e.g.
removing the kernel module) as it is not supported by the dom0 tools on
wheezy anyway.

However, it may be prudent for the network setup scripts to explicitly
ensure that the dom0 doesn't have link-local addresses on the virtual
bridges, except in those cases where the dom0 is meant to participate in
a particular bridge.
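
A check for the condition described in this report, added here as an example and not part of the original message or of the xcp-xapi scripts: it reads the kernel's `/proc/net/if_inet6` table and lists the link-local addresses dom0 holds on bridge and backend interfaces. The interface name prefixes (`xenbr`, `xapi`, `vif`, `tap`) and the sample table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit dom0 for link-local IPv6 addresses on Xen bridge/backend interfaces.
# /proc/net/if_inet6 has one address per line:
#   <32 hex digits addr> <ifindex> <prefixlen> <scope> <flags> <ifname>
# A scope field of 20 (hex) marks a link-local address.

# Assumption: naming prefixes used for bridges and domU backends on this host.
IFACE_PATTERN='^(xenbr|xapi|vif|tap)'

# Constructed sample table (not captured from a real host), for offline runs.
sample_if_inet6() {
    cat <<'EOF'
00000000000000000000000000000001 01 80 10 80 lo
fe80000000000000fcfffffffeffffff 07 40 20 80 vif1.0
fe8000000000000002163efffe5a0b01 04 40 20 80 xenbr0
20010db8000000000000000000000010 02 40 00 80 eth0
fe8000000000000002163efffe5a0b02 02 40 20 80 eth0
EOF
}

# Print "ifname address" for each link-local address on a matching interface.
# $1 is the table to read: a file, "-" for stdin, default the live kernel table.
linklocal_on_bridges() {
    src="${1:-/proc/net/if_inet6}"
    awk -v pat="$IFACE_PATTERN" '
        $4 == "20" && $6 ~ pat {
            out = ""
            for (i = 1; i <= 32; i += 4)
                out = out (i > 1 ? ":" : "") substr($1, i, 4)
            print $6, out
        }' "$src"
}

# Print (do not run) the per-interface command that disables IPv6 in dom0
# for every interface reported above, so an admin can review it first.
suggest_disable() {
    linklocal_on_bridges "$1" | awk '{ print $1 }' | sort -u |
    while read -r ifname; do
        printf 'echo 1 > /proc/sys/net/ipv6/conf/%s/disable_ipv6\n' "$ifname"
    done
}

# Demonstration on the constructed sample; call with no argument on a real dom0.
sample_if_inet6 | linklocal_on_bridges -
```

Interfaces where dom0 is meant to participate in the bridge should be left out of the printed commands before any of them are applied.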


