[lxc-devel] [lxd/master] doc/security: Adds network security section

tomponline on Github lxc-bot at linuxcontainers.org
Mon Mar 16 16:37:46 UTC 2020


From 06d5e46eb9ff0263a0eeff3b1fb8cdd02866d49f Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Mon, 16 Mar 2020 16:35:57 +0000
Subject: [PATCH] doc/security: Adds network security section

Fixes #7026

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 doc/security.md | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/doc/security.md b/doc/security.md
index 5a47a4edea..6d59549157 100644
--- a/doc/security.md
+++ b/doc/security.md
@@ -201,3 +201,52 @@ Furthermore, `core.https_address` should be set to the single address where the
 server should be available (rather than any address on the host), and firewall
 rules should be set to only allow access to the LXD port from authorized
 hosts/subnets.
+
+## Network security
+
+The default networking mode in LXD is to provide a 'managed' private network bridge that each instance connects to.
+In this mode, there is an interface on the host called `lxdbr0` that acts as the bridge for the instances.
+
+The host runs an instance of `dnsmasq` for each managed bridge, which is responsible for allocating IP addresses
+and providing both authoritative and recursive DNS services.
+
+Instances using DHCPv4 will be allocated an IPv4 address and a DNS record will be created for their instance name.
+This prevents instances from being able to spoof DNS records by providing false hostname info in the DHCP request.
+
+The `dnsmasq` service also provides IPv6 router advertisement capabilities. This means that instances will auto
+configure their own IPv6 address using SLAAC, so no allocation is made by `dnsmasq`. However instances that are
+also using DHCPv4 will also get an AAAA DNS record created for the equivalent SLAAC IPv6 address.
+This assumes that the instances are not using any IPv6 privacy extensions when generating IPv6 addresses.
+
+In this default configuration, whilst DNS names cannot not be spoofed, the instance is connected to an Ethernet
+bridge and can transmit any level 2 traffic that it wishes, it can effectively do MAC or IP spoofing on the bridge.
+
+However LXD offers several `bridged` NIC security features that can be used to control the type of traffic that
+an instance is allowed to send onto the network. These NIC settings should be added to the profile that the
+instance is using, or can be added to individual instances, as show below.
+
+The following security features are available for `bridged` NICs:
+
+Key                      | Type      | Default           | Required  | Description
+:--                      | :--       | :--               | :--       | :--
+security.mac\_filtering  | boolean   | false             | no        | Prevent the instance from spoofing another's MAC address
+security.ipv4\_filtering | boolean   | false             | no        | Prevent the instance from spoofing another's IPv4 address (enables mac\_filtering)
+security.ipv6\_filtering | boolean   | false             | no        | Prevent the instance from spoofing another's IPv6 address (enables mac\_filtering)
+
+One can override the default `bridged` NIC settings from the profile on a per-instance basis using:
+
+```
+lxc config device override <instance> <NIC> security.mac_filtering=true
+```
+
+Used together these features can prevent an instance connected to a bridge from spoofing MAC and IP addresses.
+These are implemented using either `xtables` (iptables, ip6tables and ebtables) or `nftables`, depending on what is
+available on the host.
+
+It's worth noting that those options effectively prevent nested containers, at least nested containers on the
+same network as their parent.
+
+The IP filtering features block ARP and NDP advertisements that contain a spoofed IP, as well as blocking any
+packets that contain a spoofed source address.
+
+
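Review bot: the sentence `+These NIC settings should be added to the profile that the instance is using, or can be added to individual instances, as show below.` promises both forms, but the fenced example only shows the per-instance `lxc config device override` command; either add the profile-level form (via `lxc profile device set`) or drop the reference to profiles from that sentence, and correct "as show below" to "as shown below". The security statement `+In this default configuration, whilst DNS names cannot not be spoofed, ...` carries a double negative that inverts its meaning (it should read "cannot be spoofed"), "level 2 traffic" should be "layer 2 traffic", and the run-on should be split before "it can effectively do MAC or IP spoofing". In `+also using DHCPv4 will also get an AAAA DNS record`, one "also" is redundant. The nested-containers caveat would be more useful with its reason, which follows from the table entry for `security.mac_filtering`: frames carrying a nested container's own MAC address are not the instance's MAC and are therefore dropped as spoofed. Finally, the two trailing `+` blank lines leave extra empty lines at the end of `doc/security.md`; drop one so the file ends with a single newline.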