Or from anyone claiming to have IP address
192.168.1.100 ...
I'm quite sure that the best (for my definition of 'best' of course)
way to do this is not via firewalling, because of the above spoofing
possibilities, but also not by complicating the xen tools themselves.
I'd like to come back again to the 'VPN' type solution discussion.
I know that a full VPN setup is sufficiently complex that I've always
been scared away from trying, but I have the feeling that it wouldn't
be too terribly difficult to set up some wrapper type functionality so
that ssh could be used to build a 'tunnel' to the target machine and
connections to the target xfrd could then be made from, and limited to,
127.0.0.1 on the target machine.
While I haven't plunged through the xfrd code to see how a tunnel
create/destroy script could be built in, I don't imagine it would be too
terrible. There is a lot of precedent for using ssh this way ('rsync -e
ssh' etc), it is as secure as you are likely to want, and it's easier
than trying to add credential support directly into the tools
themselves, as well as being more in the *nix spirit of combining what
you already have.
For small setups, this could be done statically using port forwarding
(with something like Vtun, if you prefer virtual devices) ... the
dynamic variant would only be needed where there are too many systems
to build static interconnects from everywhere to everywhere else.
In security terms, if ssh is compromised on any of my systems they're
dead in the water anyway, so using ssh for this wouldn't seem to add
any risk that I haven't already accepted.
I'm going to try this out as soon as my day job leaves me enough time ... which won't be for a while I'm afraid.
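The wrapper the post sketches, as an added example that is not from the original message or from the Xen tools: a small POSIX shell library that opens an ssh local port forward so the migration daemon on the target only ever sees a connection from 127.0.0.1, tears it down again by control socket, and checks from `ss -ltn` / `netstat -ltn` output that the daemon is in fact bound to loopback rather than a wildcard address. The daemon port 8002 and the host names are assumptions; change `XFRD_PORT` to whatever your xfrd actually listens on.

```shell
#!/bin/sh
# Added example (not the original poster's or Xen's code). Wraps an ssh
# local port forward so that the target's migration daemon is reached
# only via its own loopback interface. XFRD_PORT=8002 is an assumption.
XFRD_PORT="${XFRD_PORT:-8002}"

# Print the ssh argument list for a tunnel from local port $2 to the
# target's 127.0.0.1:$XFRD_PORT. -N: run no remote command; -f: go to
# the background once the forward is up; -M/-S: keep a control socket so
# the tunnel can be closed by name; ExitOnForwardFailure makes a refused
# forward fail loudly instead of leaving a useless background ssh.
# (Arguments are word-split by the caller, so avoid spaces in $sock.)
tunnel_args() {
    target="$1"; lport="$2"; sock="$3"
    printf '%s' "-N -f -M -S $sock -o ExitOnForwardFailure=yes -L 127.0.0.1:$lport:127.0.0.1:$XFRD_PORT $target"
}

# Bring the tunnel up: tunnel_up root@target 18002 /tmp/xfrd-target.sock
# Afterwards the migration client connects to 127.0.0.1:18002 locally.
tunnel_up() {
    # shellcheck disable=SC2046
    ssh $(tunnel_args "$1" "$2" "$3")
}

# Tear it down: tunnel_down root@target /tmp/xfrd-target.sock
tunnel_down() {
    ssh -S "$2" -O exit "$1"
}

# Given the port and the text of `ss -ltn` or `netstat -ltn` output,
# return 0 when every listener on that port is bound to 127.0.0.1 or
# [::1], and 1 when one is reachable on a wildcard or routable address.
# Run this on the target before relying on the tunnel: the whole scheme
# only limits access if the daemon is not also listening on 0.0.0.0.
loopback_only() {
    port="$1"; listing="$2"
    printf '%s\n' "$listing" | awk -v port="$port" '
        # Column 4 is "addr:port" in both ss and netstat listings;
        # header lines have no ":" there and are skipped.
        {
            n = split($4, f, ":")
            if (n >= 2 && f[n] == port &&
                $4 !~ /^127\.0\.0\.1:/ && $4 !~ /^\[::1\]:/)
                bad = 1
        }
        END { exit bad ? 1 : 0 }'
}
```

Because the forward is declared as `127.0.0.1:lport:127.0.0.1:XFRD_PORT`, both ends are loopback: the local client port is not exposed to the LAN either, and the daemon on the target cannot distinguish the tunnelled connection from any other local one, which is exactly why `loopback_only` matters as a companion check.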