This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] aoe security

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] aoe security
From: Andy Smith <andy@xxxxxxxxxxxxxx>
Date: Mon, 3 Sep 2007 03:16:06 +0000
In-reply-to: <46DB4A86.2040902@xxxxxxxxxxxxxxxxxxx>
Openpgp: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc
References: <46DB4A86.2040902@xxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.13 (2006-08-11)

On Sun, Sep 02, 2007 at 05:43:02PM -0600, Steven wrote:
> I've built a mini lab using 2 raid 10 file servers with drbd/HA, LVM and 
> vblade mini servers for making domU available to xen servers (dom0).
> It works like a charm and I wish I could deploy it but there is one 
> single issue which makes me quite uncomfortable to use as is: aoe security.

If all your storage traffic is going over a network unencrypted,
isn't it fairly obvious that all your security rests with the
infrastructure?  i.e. do it over a network segment that is used
only by you, for storage.

If you do AOE over a shared LAN, what a surprise, other people on
the LAN can mess with you...

Guess what, if others can send ARP packets to your machines then
screwing with your storage is the least of your worries; they will
have no problem passively sniffing all your network data as well.


Attachment: signature.asc
Description: Digital signature
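
Added example, not part of the original message: one way to check that AoE traffic on an interface comes only from the storage hosts you expect, which is the isolation the reply says everything rests on. The MAC addresses, sample frames and function names are constructed for illustration; the EtherType 0x88A2 and the 10-byte header layout are those of the AoE protocol.

```python
import struct

AOE_ETHERTYPE = 0x88A2    # ATA over Ethernet
VLAN_ETHERTYPE = 0x8100   # 802.1Q tag

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_aoe(frame):
    """Return the AoE header fields of a raw Ethernet frame, or None."""
    if len(frame) < 14:
        return None
    (etype,) = struct.unpack("!H", frame[12:14])
    off = 14
    if etype == VLAN_ETHERTYPE and len(frame) >= 18:   # skip one VLAN tag
        (etype,) = struct.unpack("!H", frame[16:18])
        off = 18
    if etype != AOE_ETHERTYPE or len(frame) < off + 10:
        return None
    # AoE header: ver/flags, error, major (shelf), minor (slot), command, tag
    vf, _err, shelf, slot, cmd, _tag = struct.unpack("!BBHBBI", frame[off:off + 10])
    return {"src": mac(frame[6:12]), "dst": mac(frame[0:6]),
            "response": bool(vf & 0x08), "shelf": shelf, "slot": slot, "command": cmd}

def unexpected_aoe(frames, allowed_macs):
    """AoE frames whose source MAC is not a known storage host."""
    allowed = {m.lower() for m in allowed_macs}
    return [a for a in map(parse_aoe, frames) if a and a["src"] not in allowed]

# Constructed sample frames (locally administered MACs, all hypothetical).
def _frame(dst, src, etype, payload):
    return bytes.fromhex(dst + src) + struct.pack("!H", etype) + payload

DOM0, VBLADE, OTHER = "020000000001", "020000000002", "0200000000ff"
REQ = struct.pack("!BBHBBI", 0x10, 0, 1, 0, 0, 0x1234)   # version 1, shelf 1, slot 0
RSP = struct.pack("!BBHBBI", 0x18, 0, 1, 0, 0, 0x1234)   # same, response flag set
SAMPLE = [
    _frame(VBLADE, DOM0, AOE_ETHERTYPE, REQ),    # dom0 -> vblade
    _frame(DOM0, VBLADE, AOE_ETHERTYPE, RSP),    # vblade -> dom0
    _frame(VBLADE, OTHER, AOE_ETHERTYPE, REQ),   # AoE from an unlisted host
    _frame(DOM0, OTHER, 0x0806, b"\x00" * 28),   # ARP, not AoE
]
ALLOWED = ["02:00:00:00:00:01", "02:00:00:00:00:02"]

if __name__ == "__main__":
    for hit in unexpected_aoe(SAMPLE, ALLOWED):
        print("unexpected AoE source:", hit)
```

A source MAC is not authentication, so a hit here shows the storage segment is shared or misconfigured; an empty result does not prove the segment is isolated.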
