WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

Re: [Xen-users] Recipe for 'Thin Domain 0' request

To: Rik van Riel <riel@xxxxxxxxxx>
Subject: Re: [Xen-users] Recipe for 'Thin Domain 0' request
From: Tupshin Harper <tupshin@xxxxxxxxxxx>
Date: Mon, 04 Apr 2005 14:34:33 -0700
Cc: "William \(Andy\) Smith" <romaq@xxxxxxxxxxxxxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 04 Apr 2005 21:34:38 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.61.0504041325190.12043@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <E1DIDuk-0004aL-1k@host-192-168-0-1-bcn-london> <Pine.LNX.4.61.0504041325190.12043@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Debian Thunderbird 1.0 (X11/20050116)
Rik van Riel wrote:

On Sun, 3 Apr 2005, William (Andy) Smith wrote:

I would need to prove the theory that I can isolate the NIC device and its traffic from Domain 0 and all other domains in a firewall application.

I guess you could do the following, where I assume that
eth1 contains your untrusted traffic:

[eth1] <-> [xen-br1] <-> domU firewall <-> [xen-br0] <-> [eth0]
(no IP)                                    (dom0's IP)

This way eth0 is firewalled from external network traffic.
Yes, the packets will travel through dom0 to get to the
domU firewall - but dom0 does not have any IP addresses
before that firewall, so it will be much harder to attack.

This is exactly what I do, and it works great. I find it hard to imagine a succesful attck against the dom0 when it doesn't have an IP address on the interface. I guess if you were really paranoid, you would do PCI delegation of that NIC to the domU, but I'm not (that paranoid).

-Tupshin

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

<Prev in Thread] Current Thread [Next in Thread>