What ensures the lack of VM IP address duplicates?


qubist

Apr 22, 2024, 3:20:22 PM
to qubes...@googlegroups.com
Hi,

Which particular code is responsible for ensuring that 2 or more VMs
can never have the same IP (or IPv6) address?

Marek Marczykowski-Górecki

Apr 22, 2024, 3:35:04 PM
to qubes...@googlegroups.com
They are generated by default based on the Qubes VM ID (qid)[1], which is
unique. You can see it with `qvm-ls -O name,qid,ip`. But you can also set
the IP explicitly (via qvm-prefs), and then it's up to you to avoid
conflicts.
BTW, it's also possible to hide a VM's "real" IP from the VM itself using a
bit of NAT magic. You can set it with `qvm-features VMNAME net.fake-ip
1.2.3.4` (or any other IP). See the qvm-features man page for details.
The VM will see its own address as 1.2.3.4. An address set this way does not
need to be unique - you can have a set of VMs that all think they have
the same IP (but the address set in the "ip" property still needs to be
unique).

[1] https://github.com/QubesOS/qubes-core-admin/blob/main/qubes/vm/mix/net.py#L192

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
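A small audit over `qvm-ls -O name,qid,ip` output, as an added example (not code from this thread or from Qubes itself): it recomputes the qid-derived default address Marek refers to, flags VMs whose `ip` property was evidently set explicitly, and reports any address held by more than one VM, which is exactly the conflict that becomes the operator's responsibility once IPs are set by hand. The sample output is constructed, and the `10.137.<qid>>8>.<qid&0xff>` formula is assumed from the referenced net.py; adjust it if your release derives addresses differently.

```python
from collections import defaultdict

# Constructed sample of `qvm-ls -O name,qid,ip` output (not captured from a
# real system). lab-a and lab-b have been given the same explicit IP.
SAMPLE_QVM_LS = """\
NAME          QID  IP
dom0          0    -
sys-net       1    10.137.0.1
sys-firewall  2    10.137.0.2
work          5    10.137.0.5
personal      7    10.137.0.7
lab-a         9    10.137.0.42
lab-b         11   10.137.0.42
"""


def default_ip(qid):
    """Default IPv4 address derived from the VM ID.

    Assumed scheme (from qubes/vm/mix/net.py): 10.137.<qid >> 8>.<qid & 0xff>.
    It is injective for qids below 65536, which is what makes the defaults
    collision-free without any central allocator.
    """
    return "10.137.{}.{}".format((qid >> 8) & 0xff, qid & 0xff)


def parse_qvm_ls(text):
    """Parse the three-column listing into (name, qid, ip) tuples."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        name, qid, ip = line.split()
        rows.append((name, int(qid), ip))
    return rows


def audit(text):
    """Return (explicit, duplicates).

    explicit: VMs whose ip differs from the qid-derived default, i.e. set
              via qvm-prefs; these are the only ones that can collide.
    duplicates: {ip: [names]} for any address held by more than one VM.
    """
    by_ip = defaultdict(list)
    explicit = []
    for name, qid, ip in parse_qvm_ls(text):
        if ip == "-":  # dom0 has no virtual interface address
            continue
        if ip != default_ip(qid):
            explicit.append(name)
        by_ip[ip].append(name)
    duplicates = {ip: names for ip, names in by_ip.items() if len(names) > 1}
    return explicit, duplicates
```

In practice you would feed it the live output of `qvm-ls -O name,qid,ip` and treat any non-empty `duplicates` result as a misconfiguration to fix before starting the affected VMs.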

qubist

Apr 23, 2024, 4:45:46 AM
to qubes...@googlegroups.com
Thanks.

What about MAC addresses? Why do all VMs use the same one?
Aren't MAC addresses required to be unique on the same subnet?

Marek Marczykowski-Górecki

Apr 23, 2024, 6:07:21 AM
to qubes...@googlegroups.com
Yes, the key part is "on the same subnet". Each VM-VM link is
effectively a separate "subnet" with just two endpoints (eth0 interface
in one VM and vif interface in the other). We do not use bridges.

If you like, you can set any MAC address using qvm-prefs, and here you
don't need to worry about its uniqueness :)


qubist

Apr 23, 2024, 6:16:16 AM
to qubes...@googlegroups.com
On Tue, 23 Apr 2024 12:07:12 +0200 Marek Marczykowski-Górecki wrote:

> Yes, the key part is "on the same subnet". Each VM-VM link is
> effectively a separate "subnet" with just two endpoints (eth0
> interface in one VM and vif interface in the other). We do not use
> bridges.

I see. What about the case of a custom virtual LAN, involving multiple
VMs (still routed by sys-firewall)? Wouldn't same MACs create a problem?

> If you like, you can set any mac address using qvm-prefs, and here you
> don't need to worry about its uniqueness :)

Is this what one must do for the case described above?

Marek Marczykowski-Górecki

Apr 23, 2024, 6:21:05 AM
to qubes...@googlegroups.com
On Tue, Apr 23, 2024 at 10:15:56AM -0000, qubist wrote:
> On Tue, 23 Apr 2024 12:07:12 +0200 Marek Marczykowski-Górecki wrote:
>
> > Yes, the key part is "on the same subnet". Each VM-VM link is
> > effectively a separate "subnet" with just two endpoints (eth0
> > interface in one VM and vif interface in the other). We do not use
> > bridges.
>
> I see. What about the case of a custom virtual LAN, involving multiple
> VMs (still routed by sys-firewall)? Wouldn't same MACs create a problem?

You mean using something other than the vif-route-qubes network script (or
some other way to reconfigure vif interfaces)? I don't think we allow
choosing the network script, and that's the place (libvirt config) where the
MAC address is set too. So, if you change one, you can very well change the
other too.

> > If you like, you can set any mac address using qvm-prefs, and here you
> > don't need to worry about its uniqueness :)
>
> Is this what one must do for the case described above?

I guess so. But we don't really support bridged configuration.


qubist

Apr 23, 2024, 7:22:30 AM
to qubes...@googlegroups.com
On Tue, 23 Apr 2024 12:20:57 +0200 Marek Marczykowski-Górecki wrote:

> You mean using something else than vif-route-qubes network script (or
> some other way to reconfigure vif interfaces)?

I don't know if I mean that, as I have not studied that script
thoroughly. What I mean is in the general sense: the assumption that
MAC addresses should be unique within a LAN. I don't know how that is
related to bridge/no-bridge.

Marek Marczykowski-Górecki

Apr 23, 2024, 7:44:53 AM
to qubes...@googlegroups.com
OK, so the answer is in my previous email - in the setup we use, each VM
has its own subnet.


qubist

Apr 23, 2024, 7:58:56 AM
to qubes...@googlegroups.com
OK. Thanks.