From: Erik W. <om...@te...> - 2003-04-28 20:35:13
I've been working on a number of patches to make sure that different UMLs
on the same machine cannot stomp each other network-wise. Specifically,
one UML could change its IP address to something already taken by another
UML, and they both lose networking.
The first patch was to the UML kernel and uml_net to do something with the
MAC address passed as say eth0=tuntap,,00:ff:0a:01:02:fa,10.1.2.3 so that
the MAC on the tap interface on the host is set to the given address.
The next patch is a 'privmac' iptables match that checks to make sure that
all packets with a private MAC prefix (settable, usually 00:ff) on their
source have a corresponding source IP address.
The final piece of this puzzle has to do with ARPing. One UML can still
DoS another just by setting its IP, because uml_net will add an arp entry
for the bogus IP and thus stomp the real owner. This has to be solved by
adding some kind of logic to uml_net that will check for that case and
refuse to execute.
The question I have is this: there are two possible ways to go about it.
The first is to add an option that uses the privmac idea and verifies the
IP against the MAC (which is *not* settable from within the UML) and
refuses to work (in some fashion) if they don't match. The second would be
to check for an existing ARP entry of that IP and refuse to create a
second one.
The former is preferred, because if the bogus UML comes up first and
'steals' the IP address, while they may not be able to *use* that address,
they can certainly hold the ARP from the real owner of that IP.
So, does anyone have any suggestions as to how I should proceed? I'll
probably start by implementing an always-on form of the privmac == IP
rule, so it can be made optional later.
Erik Walthinsen <om...@te...> - System Administrator
__
/ \ GStreamer - The only way to stream!
| | M E G A ***** http://gstreamer.net/ *****
_\ /_
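
The "privmac == IP" rule discussed in the message above, as an added example that is not part of the original post or of uml_net. It assumes the last four octets of a private-prefix MAC encode the IPv4 address (the post does not spell out the mapping); `privmac_check`, `parse_mac` and the result names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical result codes for the check. */
enum { PRIVMAC_BAD_INPUT = -2, PRIVMAC_MISMATCH = -1,
       PRIVMAC_NOT_PRIVATE = 0, PRIVMAC_MATCH = 1 };

/* The private prefix is settable; 00:ff is the usual value per the post. */
static const uint8_t PRIVMAC_PREFIX[2] = { 0x00, 0xff };

/* Parse "aa:bb:cc:dd:ee:ff" into six bytes; reject trailing characters. */
static int parse_mac(const char *s, uint8_t mac[6])
{
    unsigned int b[6];
    char tail;
    if (sscanf(s, "%2x:%2x:%2x:%2x:%2x:%2x%c",
               &b[0], &b[1], &b[2], &b[3], &b[4], &b[5], &tail) != 6)
        return -1;
    for (int i = 0; i < 6; i++)
        mac[i] = (uint8_t)b[i];
    return 0;
}

/* ASSUMPTION: octets 3..6 of a private-prefix MAC are the IPv4 address. */
int privmac_check(const char *mac_str, const char *ip_str,
                  const uint8_t prefix[2])
{
    uint8_t mac[6];
    struct in_addr ip;                  /* held in network byte order */
    if (parse_mac(mac_str, mac) != 0 || inet_pton(AF_INET, ip_str, &ip) != 1)
        return PRIVMAC_BAD_INPUT;
    if (memcmp(mac, prefix, 2) != 0)
        return PRIVMAC_NOT_PRIVATE;     /* the rule does not apply */
    return memcmp(mac + 2, &ip.s_addr, 4) == 0 ? PRIVMAC_MATCH
                                               : PRIVMAC_MISMATCH;
}

int main(void)
{
    /* Constructed sample inputs, not taken from a real host. */
    const char *mac = "00:ff:0a:01:02:fa";
    printf("%d\n", privmac_check(mac, "10.1.2.250", PRIVMAC_PREFIX));
    printf("%d\n", privmac_check(mac, "10.1.2.7", PRIVMAC_PREFIX));
    return 0;
}
```

A caller would refuse to install the ARP entry on `PRIVMAC_MISMATCH`, which covers the case where the bogus UML comes up before the real owner of the address.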