Posted to users@cloudstack.apache.org by Mārtiņš Jakubovičs <ma...@vertigs.lv> on 2015/07/03 16:21:17 UTC

Basic networking issue

Hello,

I am currently testing infrastructure with a base network setup. I faced an
issue: if I deploy an instance, I am able to manually add more public IPs.
For example, I deploy a VM, acquire an IP through DHCP, and I can manually
add alias IP addresses without problems, and CloudStack still thinks that I
use only one IP. If an IP address is acquired and another user boots a VM,
there can be a situation where the new VM can't get a public IP. Am I doing
something wrong, or is this a kind of security "hole" in Basic Networking?

Thanks.

Re: Basic networking issue

Posted by Mārtiņš Jakubovičs <ma...@vertigs.lv>.
Hello,

The main issue is that any user in a basic networking zone can use any IP
from the zone's subnet, without any isolation, and CS wouldn't know that.

On 2015.07.08. 10:09, Sanjeev N wrote:
> If you want CS not to allocate these IPs to any other VM, you can mark the
> Allocated field in the user_ip_address table for all the IPs you want to
> assign to guest VMs manually.
>
> On Mon, Jul 6, 2015 at 12:17 PM, Mārtiņš Jakubovičs <ma...@vertigs.lv>
> wrote:
>
>> Hello,
>>
>> In Basic Networking, IP address acquisition is not a manual process; CS
>> itself gives IPs to instances. The problem is that if you configure an IP
>> address pool in a zone, a user can add all these IP addresses to one
>> instance without informing CS.
>>
>> Example:
>> IP address pool (10.11.11.1 - 10.11.11.10)
>> 1.) Create an instance. (CS will give the instance IP 10.11.11.2.)
>> 2.) In the instance, manually add IPs (create aliases) from the same subnet
>> (10.11.11.3, 10.11.11.4, *without* adding secondary IPs in CS).
>> 3.) In CloudStack you can see that the instance uses only one IP
>> (10.11.11.2), but in reality it uses the whole IP pool.
>> 4.) Deploy another instance, to which CS will give an IP that you manually
>> added before to instance nr. 1 (for example, 10.11.11.3).
>>
>> Instance nr. 1:
>> In CS it uses only one public IP (10.11.11.2), but in reality it has 10 IPs
>> configured.
>>
>> Instance nr. 2:
>> In CS it has one IP (10.11.11.3), but the network didn't work, because
>> instance nr. 1 has the IP which should be added to instance nr. 2, and CS
>> didn't know about that.
>>
>>
>> On 2015.07.06. 07:45, Sanjeev N wrote:
>>
>>> What do you mean by "IP address is acquired"? In Basic Networking we don't
>>> have an IP address acquisition concept. Also, the alias IPs you are
>>> manually configuring on deployed VMs should not overlap with the Guest IP
>>> address range provided in that zone.
>>>
>>> On Fri, Jul 3, 2015 at 7:51 PM, Mārtiņš Jakubovičs <ma...@vertigs.lv>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> I am currently testing infrastructure with a base network setup. I faced
>>>> an issue: if I deploy an instance, I am able to manually add more public
>>>> IPs. For example, I deploy a VM, acquire an IP through DHCP, and I can
>>>> manually add alias IP addresses without problems, and CloudStack still
>>>> thinks that I use only one IP. If an IP address is acquired and another
>>>> user boots a VM, there can be a situation where the new VM can't get a
>>>> public IP. Am I doing something wrong, or is this a kind of security
>>>> "hole" in Basic Networking?
>>>>
>>>> Thanks.
>>>>
>>>>


Re: Basic networking issue

Posted by Sanjeev N <sa...@apache.org>.
If you want CS not to allocate these IPs to any other VM, you can mark the
Allocated field in the user_ip_address table for all the IPs you want to
assign to guest VMs manually.

On Mon, Jul 6, 2015 at 12:17 PM, Mārtiņš Jakubovičs <ma...@vertigs.lv>
wrote:

> Hello,
>
> In Basic Networking, IP address acquisition is not a manual process; CS
> itself gives IPs to instances. The problem is that if you configure an IP
> address pool in a zone, a user can add all these IP addresses to one
> instance without informing CS.
>
> Example:
> IP address pool (10.11.11.1 - 10.11.11.10)
> 1.) Create an instance. (CS will give the instance IP 10.11.11.2.)
> 2.) In the instance, manually add IPs (create aliases) from the same subnet
> (10.11.11.3, 10.11.11.4, *without* adding secondary IPs in CS).
> 3.) In CloudStack you can see that the instance uses only one IP
> (10.11.11.2), but in reality it uses the whole IP pool.
> 4.) Deploy another instance, to which CS will give an IP that you manually
> added before to instance nr. 1 (for example, 10.11.11.3).
>
> Instance nr. 1:
> In CS it uses only one public IP (10.11.11.2), but in reality it has 10 IPs
> configured.
>
> Instance nr. 2:
> In CS it has one IP (10.11.11.3), but the network didn't work, because
> instance nr. 1 has the IP which should be added to instance nr. 2, and CS
> didn't know about that.
>
>
> On 2015.07.06. 07:45, Sanjeev N wrote:
>
>> What do you mean by "IP address is acquired"? In Basic Networking we don't
>> have an IP address acquisition concept. Also, the alias IPs you are
>> manually configuring on deployed VMs should not overlap with the Guest IP
>> address range provided in that zone.
>>
>> On Fri, Jul 3, 2015 at 7:51 PM, Mārtiņš Jakubovičs <ma...@vertigs.lv>
>> wrote:
>>
>>> Hello,
>>>
>>> I am currently testing infrastructure with a base network setup. I faced
>>> an issue: if I deploy an instance, I am able to manually add more public
>>> IPs. For example, I deploy a VM, acquire an IP through DHCP, and I can
>>> manually add alias IP addresses without problems, and CloudStack still
>>> thinks that I use only one IP. If an IP address is acquired and another
>>> user boots a VM, there can be a situation where the new VM can't get a
>>> public IP. Am I doing something wrong, or is this a kind of security
>>> "hole" in Basic Networking?
>>>
>>> Thanks.
>>>
>>>
>

Re: Basic networking issue

Posted by Mārtiņš Jakubovičs <ma...@vertigs.lv>.
Hello,

In Basic Networking, IP address acquisition is not a manual process; CS
itself gives IPs to instances. The problem is that if you configure an IP
address pool in a zone, a user can add all these IP addresses to one
instance without informing CS.

Example:
IP address pool (10.11.11.1 - 10.11.11.10)
1.) Create an instance. (CS will give the instance IP 10.11.11.2.)
2.) In the instance, manually add IPs (create aliases) from the same subnet
(10.11.11.3, 10.11.11.4, *without* adding secondary IPs in CS).
3.) In CloudStack you can see that the instance uses only one IP
(10.11.11.2), but in reality it uses the whole IP pool.
4.) Deploy another instance, to which CS will give an IP that you manually
added before to instance nr. 1 (for example, 10.11.11.3).

Instance nr. 1:
In CS it uses only one public IP (10.11.11.2), but in reality it has 10 IPs
configured.

Instance nr. 2:
In CS it has one IP (10.11.11.3), but the network didn't work, because
instance nr. 1 has the IP which should be added to instance nr. 2, and CS
didn't know about that.

On 2015.07.06. 07:45, Sanjeev N wrote:
> What do you mean by "IP address is acquired"? In Basic Networking we don't
> have an IP address acquisition concept. Also, the alias IPs you are manually
> configuring on deployed VMs should not overlap with the Guest IP address
> range provided in that zone.
>
> On Fri, Jul 3, 2015 at 7:51 PM, Mārtiņš Jakubovičs <ma...@vertigs.lv>
> wrote:
>
>> Hello,
>>
>> I am currently testing infrastructure with a base network setup. I faced
>> an issue: if I deploy an instance, I am able to manually add more public
>> IPs. For example, I deploy a VM, acquire an IP through DHCP, and I can
>> manually add alias IP addresses without problems, and CloudStack still
>> thinks that I use only one IP. If an IP address is acquired and another
>> user boots a VM, there can be a situation where the new VM can't get a
>> public IP. Am I doing something wrong, or is this a kind of security
>> "hole" in Basic Networking?
>>
>> Thanks.
>>
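
An added example, not part of the original thread: a defender-side audit for the mismatch described in the message above, comparing the neighbor table seen on the guest subnet with the addresses CloudStack believes it allocated. The `ALLOCATED` mapping, the MAC addresses and the `ip neigh show` lines are constructed, and how the allocation records are exported is an assumption.

```python
import ipaddress
import re

POOL_START = ipaddress.ip_address("10.11.11.1")  # pool from the thread's example
POOL_END = ipaddress.ip_address("10.11.11.10")

# Hypothetical export of CloudStack's view (allocated IP -> NIC MAC); MACs are constructed.
ALLOCATED = {
    "10.11.11.2": "06:aa:bb:00:00:01",  # instance nr. 1
    "10.11.11.3": "06:aa:bb:00:00:02",  # instance nr. 2
}

# Constructed `ip neigh show` output taken on the guest subnet.
NEIGH_SAMPLE = """\
10.11.11.2 dev eth0 lladdr 06:aa:bb:00:00:01 REACHABLE
10.11.11.3 dev eth0 lladdr 06:aa:bb:00:00:01 STALE
10.11.11.4 dev eth0 lladdr 06:aa:bb:00:00:01 REACHABLE
10.11.11.200 dev eth0 lladdr 06:aa:bb:00:00:09 REACHABLE
10.11.11.5 dev eth0  FAILED
fe80::1 dev eth0 lladdr 06:aa:bb:00:00:09 router STALE
"""

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f:]{17})\s")

def in_pool(ip):
    """True only for IPv4 addresses inside the zone's guest pool."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and POOL_START <= addr <= POOL_END

def audit(neigh_text, allocated):
    """Return (ip, mac, reason) for pool IPs in use that the records do not explain."""
    findings = []
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line)
        if not m or not in_pool(m.group(1)):
            continue  # no MAC learned (FAILED/INCOMPLETE) or outside the pool
        ip, mac = m.group(1), m.group(2).lower()
        owner = allocated.get(ip)
        if owner is None:
            findings.append((ip, mac, "unallocated"))  # alias CS never handed out
        elif owner.lower() != mac:
            findings.append((ip, mac, "conflict"))  # another NIC answers for it
    return findings

if __name__ == "__main__":
    print(*audit(NEIGH_SAMPLE, ALLOCATED), sep="\n")
```

On the sample data this reports 10.11.11.3 as a conflict and 10.11.11.4 as unallocated, both answered by the NIC of instance nr. 1.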


Re: Basic networking issue

Posted by Sanjeev N <sa...@apache.org>.
What do you mean by "IP address is acquired"? In Basic Networking we don't
have an IP address acquisition concept. Also, the alias IPs you are manually
configuring on deployed VMs should not overlap with the Guest IP address
range provided in that zone.

On Fri, Jul 3, 2015 at 7:51 PM, Mārtiņš Jakubovičs <ma...@vertigs.lv>
wrote:

> Hello,
>
> I am currently testing infrastructure with a base network setup. I faced an
> issue: if I deploy an instance, I am able to manually add more public IPs.
> For example, I deploy a VM, acquire an IP through DHCP, and I can manually
> add alias IP addresses without problems, and CloudStack still thinks that I
> use only one IP. If an IP address is acquired and another user boots a VM,
> there can be a situation where the new VM can't get a public IP. Am I doing
> something wrong, or is this a kind of security "hole" in Basic Networking?
>
> Thanks.
>