This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-devel] Re: RFC: virtual network access control

On 28/07/06 12:30 -0400, Reiner Sailer wrote:

  > In terms of cost, an extra hypercall per packet will have measurable
  > cost, at least in CPU usage, for high-bandwidth network transfers.
  >   -- Keir
  You only make the decision once for the first packet exchanged between
  two interfaces. Afterwards you reuse this decision for this interface
  pair (local cache). You basically have the cost of looking up a
  decision locally.

This is a key principle of "shype" - that the hypervisor authorizes
the channel when it is to be set up. As long as the channel persists
unchanged (no additional parties, no policy modifications) there is no
need to perform further authorization. It performs a different level
of authorization than packet filtering does, and it is another layer
of depth in a multi-layer defense.


Xen-devel mailing list
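The cost argument in this exchange, as an added model that is not Xen or sHype code: the "hypervisor" is consulted once per interface pair, the verdict is cached locally, and the cache entry is only discarded when the policy changes. The vif names, the type-sharing rule and the version counter are constructed for the illustration.

```python
# Constructed model of per-interface-pair decision caching (not Xen code).
from typing import Dict, FrozenSet, Tuple

# Constructed policy: each vif carries a set of "types"; two vifs may
# exchange packets only if they share at least one type.
VIF_TYPES: Dict[str, FrozenSet[str]] = {
    "vif1.0": frozenset({"web"}),
    "vif2.0": frozenset({"web", "db"}),
    "vif3.0": frozenset({"db"}),
}


class Authorizer:
    def __init__(self, vif_types: Dict[str, FrozenSet[str]]) -> None:
        self.vif_types = dict(vif_types)
        self.policy_version = 0      # bumped on every policy change
        self.hypercalls = 0          # counts trips to the "hypervisor"
        self.cache: Dict[Tuple[str, str], Tuple[int, bool]] = {}

    def _hypervisor_decide(self, src: str, dst: str) -> bool:
        # The expensive path: one simulated hypercall per evaluation.
        self.hypercalls += 1
        empty: FrozenSet[str] = frozenset()
        return bool(self.vif_types.get(src, empty) & self.vif_types.get(dst, empty))

    def allowed(self, src: str, dst: str) -> bool:
        hit = self.cache.get((src, dst))
        if hit is not None and hit[0] == self.policy_version:
            return hit[1]            # local lookup only, no hypercall
        verdict = self._hypervisor_decide(src, dst)
        self.cache[(src, dst)] = (self.policy_version, verdict)
        return verdict

    def update_policy(self, vif: str, types: FrozenSet[str]) -> None:
        # Any policy modification invalidates every cached verdict.
        self.vif_types[vif] = frozenset(types)
        self.policy_version += 1


def simulate(n_packets: int = 1000):
    auth = Authorizer(VIF_TYPES)
    results = [auth.allowed("vif1.0", "vif2.0") for _ in range(n_packets)]
    first_round = auth.hypercalls                  # 1 hypercall for 1000 packets
    denied = auth.allowed("vif1.0", "vif3.0")      # no shared type -> False
    auth.update_policy("vif3.0", frozenset({"db", "web"}))
    allowed_after = auth.allowed("vif1.0", "vif3.0")  # re-authorized after change
    return all(results), first_round, denied, allowed_after, auth.hypercalls
```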