XenServer - Restrict allowed IPv6 addresses used by each VM guest

Information

Port locking prevents ARP and IP spoofing by VM guests. Without it, one guest could impersonate another on the host. This setting lists the allowed IP addresses available for the VM using this virtual interface. If the network default-locking-mode is set to 'locked', a VM that tries to use an address that is not on its allowed list will not be able to send or receive network traffic.

Solution

Set the list of allowed addresses for a virtual interface by running the following commands:


xe vif-param-add uuid=<vif-uuid> ipv6-allowed=<comma separated list of ipv6-addresses>

NOTE: This setting is only effective if the network default-locking-mode or vif locking-mode is set to 'locked'.

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|9.2

Plugin: Unix

Control ID: a66d87c6b5f97ffe95ed61be12684a42629cf7e44cd4c7f0bf9b34dd43248631