This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] RFC: virtual network access control

On 28 Jul 2006, at 15:56, Reiner Sailer wrote:

> We propose to make access control decisions for packets based on the domain IDs of sender and receiver (available in the netback interfaces). sHype/ACM already offers a hypercall to retrieve a policy decision based on two domain IDs.
>
> This does not require mapping static policy rules onto dynamic IP addresses / MAC addresses, or relying on any packet content that is crafted in user domains (which the ACM does not trust).

You mean tag a packet when it arrives from a source domain and then use that if/when it boomerangs back at you on a different virtual interface?

In terms of cost, an extra hypercall per packet will have measurable cost, at least in CPU usage, for high-bandwidth network transfers.

 -- Keir
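Added example, not code from the thread or from Xen: a C sketch of the proposal quoted above, where each packet is tagged with its sender's domid and the netback-side filter decides on the (sender, receiver) pair. A small decision cache shows one way to keep the per-packet policy hypercall Keir mentions off the hot path; policy_query(), the policy table, the cache layout and all domids are constructed stand-ins, not the sHype/ACM interface.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef uint16_t domid_t;

/* Constructed policy table standing in for the sHype/ACM policy. */
static const struct { domid_t src, dst; } allowed_pairs[] = {
    { 1, 2 }, { 2, 1 }, { 1, 3 }, { 3, 1 },
};

static unsigned policy_queries; /* how often the stand-in hypercall ran */
unsigned policy_query_count(void) { return policy_queries; }

/* Stand-in for the ACM hypercall that decides on a domid pair. */
static bool policy_query(domid_t src, domid_t dst)
{
    policy_queries++;
    for (size_t i = 0; i < sizeof allowed_pairs / sizeof allowed_pairs[0]; i++)
        if (allowed_pairs[i].src == src && allowed_pairs[i].dst == dst)
            return true;
    return false;
}

/* Direct-mapped cache of decisions keyed on the domid pair. Any real
 * implementation must flush it whenever the policy is updated, or stale
 * "allow" decisions would survive a policy change. */
#define CACHE_SLOTS 64
static struct { domid_t src, dst; bool valid, allow; } cache[CACHE_SLOTS];

void cache_flush(void)
{
    for (unsigned i = 0; i < CACHE_SLOTS; i++)
        cache[i].valid = false;
}

/* Decide whether a packet tagged with its sender's domid may be delivered
 * to the receiving domain; only a cache miss costs a policy query. */
bool filter_packet(domid_t src, domid_t dst)
{
    unsigned slot = ((unsigned)src * 31u + dst) % CACHE_SLOTS;
    if (cache[slot].valid && cache[slot].src == src && cache[slot].dst == dst)
        return cache[slot].allow;
    bool allow = policy_query(src, dst);
    cache[slot].src = src;
    cache[slot].dst = dst;
    cache[slot].allow = allow;
    cache[slot].valid = true;
    return allow;
}
```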
