WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xense-devel

[Xen-devel] Re: RFC: virtual network access control

On 28/07/06 12:30 -0400, Reiner Sailer wrote:

  > In terms of cost, an extra hypercall per packet will have measurable
  > cost, at least in CPU usage, for high-bandwidth network transfers.
  >
  >   -- Keir
  >
  You only make the decision once for the first packet exchanged between
  two interfaces. Afterwards you reuse this decision for this interface
  pair (local cache). You basically have the cost of looking up a
  decision locally.

This is a key principle of "shype" - that they hypervisor authorizes
the channel when it to be set up. As long as the channel persists
unchaged (no additional parties, not policy modifications) there is no
need to perform further authorization. It performs a different level
of authorization than packet filtering does, and it is another layer
of depth in a multi-layer defense.

Mike


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel