| Author |
Message |
egus
Joined: 03 Sep 2009
Posts: 1
|
| Posted: Thu Sep 03, 2009 10:39 pm Post subject: How Private is Private? |
|
|
Sorry for the stupid question, but I just want to make sure I understand Private IPs. So if I have two Linodes with private IPs, clearly any traffic between the two is hidden from the Internet, but is it hidden from other Linodes in the same data center? Or on the same subnet?
In other words, do I need to encrypt private IP traffic between my two Linodes, or is it impossible for anyone else to sniff my private IP traffic? |
|
| Back to top |
|
marcus0263
Joined: 21 Jul 2008
Posts: 171
Location: Seattle
|
| Posted: Thu Sep 03, 2009 10:46 pm Post subject: |
|
|
No it's not accessible from the Internet
Private Network
As for internally, you really do need take measures, I may be mistaken but everyone within Linode's network in that data center would be visible. |
|
| Back to top |
|
sackler
Joined: 03 Sep 2009
Posts: 4
|
| Posted: Thu Sep 03, 2009 10:50 pm Post subject: |
|
|
marcus0263 wrote: No it's not accessible from the Internet
Private Network
As for internally, you really do need take measures, I may be mistaken but everyone within Linode's network in that data center would be visible.
iirc, your internal (private) interface(s) are visible to other linoden in your datacenter. it's up to you to lock it down. |
|
| Back to top |
|
warewolf
Joined: 30 Apr 2005
Posts: 22
|
| Posted: Thu Sep 03, 2009 10:51 pm Post subject: |
|
|
| Because of the way caker has the linode networking stuff set up, no linode can see the traffic that isn't explicitly destined for it. |
|
| Back to top |
|
sackler
Joined: 03 Sep 2009
Posts: 4
|
| Posted: Thu Sep 03, 2009 10:51 pm Post subject: |
|
|
warewolf wrote: Because of the way caker has the linode networking stuff set up, no linode can see the traffic that isn't explicitly destined for it.
well, that's comforting :) |
|
| Back to top |
|
H3LR4ZR
Joined: 27 Apr 2009
Posts: 59
Location: Boise, ID
|
| Posted: Fri Sep 04, 2009 8:26 am Post subject: |
|
|
Thought I would maybe clarify this a bit.
You DO need to secure your ports because anyone in your datacenter can connect to services you make available via the private network.
So you should only allow IPs which you expect to communicate with.
So don't leave your memcached server exposed so that someone can come across it on a port scan and steal your data over the private net.
However, they have promiscuous mode turned off, and no broadcast/multicast stuff so you don't need to worry about someone sniffing your traffic as it goes across the wire. |
|
| Back to top |
|
fukawi2
Joined: 02 Feb 2009
Posts: 64
Location: Melbourne, Australia
|
| Posted: Sun Sep 06, 2009 11:28 pm Post subject: |
|
|
H3LR4ZR wrote: ...and no broadcast/multicast stuff...
(Sorry for the partial quote)
Broadcast is certainly enabled -- whoever has 192.168.139.100 in the Atlanta DC seems to enjoy Samba on their Linode and I keep seeing all the damn MS protocol broadcasts traffic on my Linode:
Code:
[IPTABLES REJECT] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:fe:fd:40:16:47:15:08:00 SRC=192.168.139.100 DST=192.168.255.255 LEN=243 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=223
[IPTABLES REJECT] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:fe:fd:40:16:47:15:08:00 SRC=192.168.139.100 DST=192.168.255.255 LEN=235 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=215
[IPTABLES REJECT] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:fe:fd:40:16:47:15:08:00 SRC=192.168.139.100 DST=192.168.255.255 LEN=243 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=223
[IPTABLES REJECT] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:fe:fd:40:16:47:15:08:00 SRC=192.168.139.100 DST=192.168.255.255 LEN=235 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=215 |
|
| Back to top |
|
| |
