Re: [Xen-users] Live Migration Config

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Live Migration Config
From: Mark Williamson <mark.williamson@xxxxxxxxxxxx>
Date: Sun, 30 Oct 2005 01:43:56 +0000
Cc: Alan Greenspan <alan@xxxxxxxxxxx>
> It's actually a huge security hole since a migrating domU carries its
> device mappings to the target machine. Basically, you could create domU,
> map one of its disks to say /dev/hdb, migrate it to a target machine and
> gain access to /dev/hdb on the target. Same goes for any file used as a
> disk on the source/target dom0.

Yeah OK, it's horrid actually :-)

Xend trusts anything the incoming config tells it...  Could get nasty very 
quickly from both security and DoS perspectives.

> Minimally, Xen should implement a simple hosts.allow hosts.deny mechanism
> for migration so that a host can limit which other hosts can migrate in.  
> Relying on network isolation using a separate management network isn't
> always practical.

True...  But it only really works if you're reasonably sure attackers can't 
get root on any system.  If you have virtual machines that could have been 
rooted by someone malicious they can still spoof IP addresses, sniff the 
contents of other domUs that are currently being migrated, etc.

At least using a separate virtual lan would be nice, but there should still be 
more support in Xend for a sanely secure mixed network.  It'll come, 
eventually...

Cheers,
Mark
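
The two checks discussed in this thread, a source-host allow list and refusing to trust the device mappings carried in an incoming config, sketched as an added example that is not Xend code and not part of the original message. It assumes disk entries in the xm config style `type:backend,frontend,mode`; the policy names and values are hypothetical, and the source check has the address-spoofing limit noted in the reply above.

```python
import ipaddress
import os.path

# Hypothetical per-host policy; all values are constructed for this example.
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.5.0/24")]
ALLOWED_PHY = {"/dev/vg_guests/web01"}
ALLOWED_FILE_ROOT = "/var/lib/xen/images"


def source_allowed(peer_ip):
    """hosts.allow-style check on the migration peer address."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def disk_allowed(spec):
    """Check one 'type:backend,frontend,mode' entry against local policy."""
    parts = spec.split(",")
    if len(parts) != 3 or ":" not in parts[0]:
        return False
    kind, backend = parts[0].split(":", 1)
    if kind == "phy":
        # Assumed: phy names are relative to /dev unless absolute.
        return os.path.normpath(os.path.join("/dev", backend)) in ALLOWED_PHY
    if kind == "file":
        # normpath collapses ".." but does not resolve symlinks.
        path = os.path.normpath(backend)
        return backend.startswith("/") and path.startswith(ALLOWED_FILE_ROOT + "/")
    return False  # unknown backend type: reject


def vet_incoming(peer_ip, disks):
    """Return rejection reasons; an empty list means accept."""
    reasons = []
    if not source_allowed(peer_ip):
        reasons.append("source %s not allowed" % peer_ip)
    reasons += ["disk %r not allowed" % d for d in disks if not disk_allowed(d)]
    return reasons


if __name__ == "__main__":
    # Constructed incoming config: one permitted volume, one dom0 disk.
    print(vet_incoming("10.0.5.17", ["phy:vg_guests/web01,hda1,w", "phy:hdb,hdb1,w"]))
```
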