KVM static internal networking without host bridge interface (virbr)

How to set up an internal network between two KVM network interfaces while using static networking (avoiding dnsmasq) and while avoiding a host bridge interface (virbr)?

Currently I am using this for the network.

    <network>
      <name>Internal</name>
      <bridge name='virbr2' stp='on' delay='0'/>
    </network>

And then for the VM.

    <interface type='network'>
      <source network='Internal'/>
      <model type='virtio'/>
      <driver name='qemu'/>
    </interface>

* I would like to avoid the host `virbr2` interface. This is because ideally packet sniffers on the host such as tshark / wireshark would be unable to see the packets flowing between two VMs on an internal network.
* SLIRP should be avoided due to past security issues. [1]
* dnsmasq on the host operating system or inside the VMs should also be avoided in favor of static IP addresses.

By comparison, this is possible in VirtualBox. [2] Is that possible with KVM too? Could you please show an example configuration file on how to accomplish that?

[1] CVE-2019-6778
[2] VirtualBox has this capability. VirtualBox can have an internal network using static networking. No virbr bridge interfaces can be seen on the host operating system. And VM-to-VM internal traffic is not visible to packet analyzers on the host operating system either.

Regards,
Daniel

-- 
Daniel Winzen
Steinkaulstr. 47
52070 Aachen
Germany
Web: https://danwin1210.de/
E-Mail: daniel@danwin1210.de
Phone: +49 176 98819809
PGP-Key: https://danwin1210.de/pgp.txt

> How to set up an internal network between two KVM network interfaces while using static networking (avoiding dnsmasq) and while avoiding a host bridge interface (virbr)?

I am also not using any network config in libvirt. All hosts have the same VLANs and interfaces, and I just use a macvtap on these interfaces.

> * I would like to avoid the host `virbr2` interface. This is because ideally packet sniffers on the host such as tshark / wireshark would be unable to see the packets flowing between two VMs on an internal network.

Every macvtap is a different interface you can easily tcpdump on.

> * dnsmasq on the host operating system or inside the VMs should also be avoided in favor of static IP addresses.

I have this also.

Thanks for your response. Setting up macvtap is not a feasible solution for our use case.

Essentially our use case is that we have two VMs, and for security reasons we want to isolate these VMs as much as possible, as they are handling potentially sensitive information. One of the VMs acts as a gateway with internet access; the other VM is used by the user. Given that potentially sensitive information is flowing between the two VMs, we want to prevent the host from being able to sniff the traffic between the two VMs.

Is that possible in any way? If so, how can we prevent the host from seeing traffic on the internal network?

On 20.07.24 19:59, Marc wrote:
> > How to set up an internal network between two KVM network interfaces while using static networking (avoiding dnsmasq) and while avoiding a host bridge interface (virbr)?
>
> I am also not using any network config in libvirt. All hosts have the same VLANs and interfaces, and I just use a macvtap on these interfaces.
>
> > * I would like to avoid the host `virbr2` interface. This is because ideally packet sniffers on the host such as tshark / wireshark would be unable to see the packets flowing between two VMs on an internal network.
>
> Every macvtap is a different interface you can easily tcpdump on.
>
> > * dnsmasq on the host operating system or inside the VMs should also be avoided in favor of static IP addresses.
>
> I have this also.

> Given that potentially sensitive information is flowing between the two VMs, we want to prevent the host from being able to sniff the traffic between the two VMs. Is that possible in any way? If so, how can we prevent the host from seeing traffic on the internal network?

So why not have IPsec traffic between both? I think this is the only thing you can do against sniffing from the host. Although I don't really get if you can ever secure guests against their hosts.
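As an added illustration of the IPsec suggestion above (this is example configuration written for this page, not something from the thread, and not a feature libvirt provides): a strongSwan swanctl.conf for the gateway VM that runs ESP in transport mode between the two guests, so that a sniffer on the host's virbr2 sees only IKE and ESP packets rather than the application traffic. The addresses 10.152.152.10 (gateway) and 10.152.152.11 (workstation), the IKE identities and the pre-shared key are constructed for the example; the workstation VM gets the mirror image with the two addresses and identities swapped. The libvirt network definition from the first message has no <ip> element, so libvirt starts no dnsmasq for it and the static addresses are simply configured inside each guest, which is all the "no dnsmasq" requirement needs.

```conf
# /etc/swanctl/swanctl.conf on the gateway VM (example configuration, not from the thread).
# The workstation VM uses the same file with the local/remote addresses and ids swapped.
connections {
    internal {
        version = 2
        local_addrs  = 10.152.152.10     # gateway VM, static address set inside the guest (constructed)
        remote_addrs = 10.152.152.11     # workstation VM (constructed)
        # AEAD cipher plus PRF and DH group; GCM needs no separate integrity algorithm
        proposals = aes256gcm16-prfsha256-x25519
        local {
            auth = psk
            id = gateway                 # constructed identity
        }
        remote {
            auth = psk
            id = workstation             # constructed identity
        }
        children {
            internal {
                mode = transport         # host-to-host between the two guests, no tunnel header
                local_ts  = 10.152.152.10/32
                remote_ts = 10.152.152.11/32
                esp_proposals = aes256gcm16-x25519
                start_action = start     # bring the SA up as soon as swanctl loads the config
                dpd_action = restart
            }
        }
        dpd_delay = 30s
    }
}

secrets {
    ike-internal {
        id-gw = gateway
        id-ws = workstation
        # Placeholder: generate a long random value (e.g. `openssl rand -base64 32`) and
        # install the same value in both guests out of band, never via the host.
        secret = "REPLACE-WITH-A-LONG-RANDOM-PRE-SHARED-KEY"
    }
}
```

Load it in each guest with `swanctl --load-all` and confirm with `swanctl --list-sas`. A `tcpdump -ni virbr2` on the host then shows IKE on UDP/500 and ESP (IP protocol 50) between the two addresses; the inner protocols, ports and payloads are hidden, while addresses, packet sizes and timing remain visible. The limit Marc points at still stands: the host runs both guests and can read their memory, IKE keys included (for instance with `virsh dump`), so this only defeats passive sniffing on the bridge; keeping guest memory from the host is what hardware confidential-VM features such as AMD SEV-SNP or Intel TDX exist for.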
Participants (2): Daniel, Marc