This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


RE: [Xen-users] Isolated network

To: "Florian Manschwetus" <florianmanschwetus@xxxxxx>, <Xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] Isolated network
From: "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx>
Date: Fri, 4 Jun 2010 14:07:36 +0100
Delivery-date: Fri, 04 Jun 2010 06:11:01 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <46C13AA90DB8844DAB79680243857F0F062012@xxxxxxxxxxxxxxxxxxx> <4C08F9AA.1080304@xxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcsD5l1okDBDeJBnT4iuJMV0LSr0mgAAIn9I
Thread-topic: [Xen-users] Isolated network

From: Florian Manschwetus [mailto:florianmanschwetus@xxxxxx]
Sent: Fri 04/06/2010 14:03
To: Jonathan Tripathy
Cc: Xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Isolated network

On 04.06.2010 11:14, Jonathan Tripathy wrote:
> Hi everyone,

> I wish to create an isolated network that only a few DomUs can access.
> The Dom0 must not have access to this network. Public IP address will be
> routed via this isolated network, so security is important.
If you like to have a network which is by no means accessible by dom0,
this is impossible. Afaik, this is also true for remote exec exploits
against the dom0 network stack.
Maybe (not sure if this is possible) you could delegate the network
handling to another udom, but then the root of this udom would be able
to access these networks.
But it is possible to use an interface as bridge target without
assigning an IP address.

> When you create a "Virtual Network" with virt-manager, it gives the new
> bridge an IP address...

No idea here; I configure my networking manually, so the
mac=[MAC],bridge=eth0 form is what I'm talking about.

> Any ideas on how I could create this internal network just for the
> DomUs? Is it just a matter of removing the IP address from the bridge?

Depending on your needs, Crossbow may be closer to your opinions.
A look at opensolaris as dom0 might be useful if you plan more complex
security related network setups in your virtual environment.



Hi There,

Sorry, I think I worded my post wrongly. What I meant was: is there a way to make sure that the DomUs can't access the Dom0, i.e. so that they are on an isolated network? By default in virt-manager, the Dom0 gets attached to each bridge created...

Also, what additional features does opensolaris support?
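The following is an added illustration of the point Florian makes above (a bridge used as a vif target without giving dom0 an address on it) together with a small audit check; it is not code from the thread or from the Xen project. It assumes a Linux dom0 with iproute2 and the classic `mac=...,bridge=...` vif syntax; the bridge name `xenbr-isolated`, the MAC addresses and the sample `ip` output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): a dom0 bridge with no
# IP address as an isolated domU network, plus a check that it stayed
# address-less. Bridge name, MACs and sample output are constructed.

# Commands that would create the bridge on a real dom0 (shown as
# comments only, they are not executed by this script):
#   ip link add xenbr-isolated type bridge
#   ip link set xenbr-isolated up
# Deliberately no 'ip addr add ... dev xenbr-isolated': dom0 then has
# no L3 address on the segment, although it still forwards the L2 traffic.

# Return 0 when the supplied 'ip -o addr show dev <br>' output contains an
# inet or inet6 address line for the bridge, 1 when it only shows the link.
bridge_has_ip() {
    printf '%s\n' "$1" | grep -Eq '[[:space:]]inet6?[[:space:]]'
}

# Return 0 when the output contains a *global* scope address; link-local
# IPv6 (fe80::/10) is auto-assigned to any up interface and is excluded.
bridge_has_global_ip() {
    printf '%s\n' "$1" | grep -Eq '[[:space:]]inet6?[[:space:]].*scope global'
}

# Print the Xen domU config line that attaches a vif to the bridge
# (the mac=...,bridge=... form mentioned in the thread).
vif_entry() {
    mac="$1"; br="$2"
    printf "vif = [ 'mac=%s,bridge=%s' ]\n" "$mac" "$br"
}

# Constructed sample outputs of: ip -o addr show dev xenbr-isolated
# 1) bridge with no address at all (only the link line is printed)
BARE_BRIDGE='2: xenbr-isolated: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default \    link/ether 00:16:3e:aa:bb:cc brd ff:ff:ff:ff:ff:ff'
# 2) the virt-manager style result: dom0 got an address on the bridge
ADDRESSED_BRIDGE='2: xenbr-isolated    inet 192.168.100.1/24 brd 192.168.100.255 scope global xenbr-isolated\       valid_lft forever preferred_lft forever'
# 3) only the automatic IPv6 link-local address is present
LINKLOCAL_BRIDGE='2: xenbr-isolated    inet6 fe80::216:3eff:feaa:bbcc/64 scope link \       valid_lft forever preferred_lft forever'

# Stand-alone run: audit each sample and print the vif line for a domU.
for sample in "$BARE_BRIDGE" "$ADDRESSED_BRIDGE" "$LINKLOCAL_BRIDGE"; do
    if bridge_has_global_ip "$sample"; then
        echo "dom0 has a global address on the bridge: isolation broken"
    elif bridge_has_ip "$sample"; then
        echo "only a link-local address present (consider disable_ipv6)"
    else
        echo "bridge carries no address: OK"
    fi
done
vif_entry 00:16:3e:00:00:01 xenbr-isolated
```

On a live dom0 the check would be fed `"$(ip -o addr show dev xenbr-isolated)"`. Note that keeping the bridge free of addresses only removes dom0's L3 presence; the bridge still lives in dom0's kernel, so a compromised dom0 can still see the frames, which is the limitation Florian describes.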


Xen-users mailing list