xen-devel

[Top] [All Lists]

[Xen-devel] RFC: virtual network access control

from [Reiner Sailer]

[Permanent Link][Original]

To:	xen-devel@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx
Subject:	[Xen-devel] RFC: virtual network access control
From:	Reiner Sailer <sailer@xxxxxxxxxx>
Date:	Thu, 27 Jul 2006 16:51:54 -0400
Cc:	Bryan D Payne <bdpayne@xxxxxxxxxx>
Delivery-date:	Thu, 27 Jul 2006 13:52:31 -0700
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxx
List-help:	<mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id:	Xen developer discussion <xen-devel.lists.xensource.com>
List-post:	<mailto:xen-devel@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender:	xen-devel-bounces@xxxxxxxxxxxxxxxxxxx

The problem: domain0 does not enforce the access control policy on network packets that it forwards between different user domains.

We would like to propose a solution that solves this problem now. Next generation security enhancements may present better ways to solve this problem and we are looking forward to contributing to them as well.

Looking at options for a solution for the current version of Xen, we propose netback as the place to enforce the policy. XM tools are not in the network path and do not resolve this problem. Therefore, this problem is different from the general resource access control problem (eg. blockback).

We also thought of extending packet filtering on MAC or IP level but it these options add new software package dependencies, e.g., ebtables or iptables. In addition, re-using existing iptables filters would require switching off the bridge and managing point-to-point rules for a potentially large number of user domains.

We appreciate feedback on the netback approach and we are open to other suggestions that solve this problem.

Reiner

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Xen-devel] RFC: virtual network access control, Reiner Sailer <= RE: [Xen-devel] RFC: virtual network access control, Caitlin Bestler Re: [Xen-devel] RFC: virtual network access control, Keir Fraser Re: [Xen-devel] RFC: virtual network access control, Reiner Sailer Re: [Xen-devel] RFC: virtual network access control, Keir Fraser Re: [Xen-devel] RFC: virtual network access control, Reiner Sailer Re: [Xen-devel] RFC: virtual network access control, Keir Fraser Re: [Xen-devel] RFC: virtual network access control, Reiner Sailer [Xen-devel] Re: RFC: virtual network access control, Mike Day Re: [Xen-devel] RFC: virtual network access control, Harry Butterworth Re: [Xen-devel] RFC: virtual network access control, Gerd Hoffmann

Previous by Date:	[XenPPC] [patch] [ppc] use xen_ulong_t in start_info, Hollis Blanchard
Next by Date:	RE: [Xen-devel] RFC: virtual network access control, Caitlin Bestler
Previous by Thread:	[XenPPC] [patch] [ppc] use xen_ulong_t in start_info, Hollis Blanchard
Next by Thread:	RE: [Xen-devel] RFC: virtual network access control, Caitlin Bestler
Indexes:	[Date] [Thread] [Top] [All Lists]