This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-users] Re: Network isolation - PCI passthrough question

Le 21/12/2010 19:53, Simon Hobson a écrit :
> Jean Baptiste FAVRE wrote:
>> I understand what you mean. But even if dom0 has no interface bridged, I
>> think I'll be able to listen to network traffic, no ?
> ...
>> I want to mitigate consequences if dom0 get compromised, that's why I'm
>> trying to isolate network.
> All traffic passes through a process in Dom0 - that's just the way it's
> been built. But bear this in mind, if your Dom0 is compromised then
> EVERYTHING running on that physical machine is also compromised. If you
> control Dom0, you have access to all the guests, their memory, and their
> disks - as well as their network traffic.
> In other words, worrying about someone being able to sniff network
> traffic when they've compromised your Dom0 is a bit like the captain of
> the Titanic worrying about someone helping themselves at the bar while
> the crew are distracted by an iceberg !

Hello Simon,
Well, didn't saw things like that, but must admit you're right :)

And since I don't want to be the captain of the Titanic, I think
protecting dom0 from direct access with my firewall domU is better than

Thanks all of you for helping me better understanding of Xen !

I'll now make my tests, write documentation and publish it. Will keep
you updated.


Xen-users mailing list