WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] what protocol is used for migration

from [Anthony Liguori] [Permanent Link][Original]
To: Anthony.Golia@xxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] what protocol is used for migration
From: Anthony Liguori <aliguori@xxxxxxxxxx>
Date: Tue, 24 Jan 2006 10:55:44 -0600
Cc: Ralph Passgang <ralph@xxxxxxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 24 Jan 2006 17:04:42 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.58.200601240943330.25676@xxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <Pine.LNX.4.58.200601231700270.25676@xxxxxxxxxxxx> <200601240031.51550.ralph@xxxxxxxxxxxxx> <Pine.LNX.4.58.200601240943330.25676@xxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0.7 (X11/20051013) 
Anthony.Golia@xxxxxxxxxxxxxxxxx wrote:


thx.  one can migrate stateless (diskless) domUs that have their storage
on NFS and no SAN.  forgot about VPNs like ssh tunnel, etc.  if the
migration protocol uses one or two UDP or TCP ports it would lend itself
well to that, thx a lot.
The problem with using a tunnel is that without appropriate throttling you'll eat up a lot of CPU since you're copying a lot of data over the wire.
The protocol is very simplistic btw, pages (with their addresses) are sent over the wire and then finalized by transfering the configuration over. There are no protections against any sort of man-in-the-middle either so it's quite trivial to inject random badness into vms as they're migrated.
There is no authorization either for instantiating virtual machine migrations. If you've got got relocation enable, you should have it bound to a secure and isolated physical lan. Otherwise, you've got a security nightmare... 

Regards,

Anthony Liguori


On Mon, 23 Jan 2006, Ralph Passgang wrote:


Am Montag, 23. Januar 2006 23:01 schrieb Anthony.Golia@xxxxxxxxxxxxxxxxx:

hi.  is there a whitepaper that talks about the details of copying the VM
image across the network.  i.e. is that encrypted in any way?

I don't know if there is a whitepaper available, but for what I can say the
transfer is unencrypted at all.

I think that is not really a problem, because if you want to migrate vm's you
have to use a san anyway. On a migration only the memory and some states will
be send over network. If you use a seperated network for the network attached
storage (san), then you can also safely migrate domainUs over the san network
without using the "wan" interface of your xen host. You can firewall the
migration ports on the wan side or just letting xend bind to the san network
interface.

Migration domUs over long distance will not work (because you need the current
disk data on the other side too and because of the arp/mac-takeover (so you
your destination host has to be in the same layer2 network)). I think there
is no need for encryption, but if you really need it, why not using a vpn
(for example openvpn) for securing network traffic between the both xen
hosts? Or in a layer 2 network (what you need to do this anyway) use a
dedicated vlan or something like that. There are many possibilities for
securing network traffic, xen really doesn't need to take care of your
network security (at least in my humble opinion).


Cheers,
Anthony

--Ralph


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users






Cheers,
Anthony

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users




_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] what protocol is used for migration, Tim Freeman
Next by Date:  [Xen-users] Re: How was CoW implemented on the Demo LiveCD (3.0) ??, Rickard Borgmäster
Previous by Thread:  Re: [Xen-users] what protocol is used for migration, Tim Freeman
Next by Thread:  [Xen-users] Memmory "leak" using 32bit userspace with 64bit Xen kernel, Goetz Bock
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy