WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] RFC: virtual network access control

from [Keir Fraser] [Permanent Link][Original]
To: Reiner Sailer <sailer@xxxxxxxxxx>
Subject: Re: [Xen-devel] RFC: virtual network access control
From: Keir Fraser <Keir.Fraser@xxxxxxxxxxxx>
Date: Fri, 28 Jul 2006 16:06:22 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx, Bryan D Payne <bdpayne@xxxxxxxxxx>
Delivery-date: Fri, 28 Jul 2006 08:06:41 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <OF2DFE85AA.9DF1602E-ON852571B9.0050F1EB-852571B9.00520B32@xxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <OF2DFE85AA.9DF1602E-ON852571B9.0050F1EB-852571B9.00520B32@xxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx 

On 28 Jul 2006, at 15:56, Reiner Sailer wrote:
We propose to make access control decisions for packets based on the domain id-s of sender and receiver (available in the netback interfaces). sHype/ACM already offers a hypercall to retrieve a policy decision based on two domain id-s.
This does not require to map static policy rules onto dynamic IP addresses / MAC addresses or to rely on any packet content that is crafted in user domains (which the ACM does not trust).
You mean tag a packet when it arrives from a source domain and then use that if/when it boomerangs back at you on a different virtual interface?
In terms of cost, an extra hypercall per packet will have measurable cost, at least in CPU usage, for high-bandwidth network transfers. 

 -- Keir


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-devel] RFC: virtual network access control, Reiner Sailer
Next by Date:  [Xen-devel] VMX status report 10756:5848356af8da, Zheng, Jeff
Previous by Thread:  Re: [Xen-devel] RFC: virtual network access control, Reiner Sailer
Next by Thread:  Re: [Xen-devel] RFC: virtual network access control, Reiner Sailer
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy