[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] NFS and interface security

> Two Xen features I like very much:
> - Virtual domains can't see each others' traffic via 'tcpdump', which
>   means that, for instance, guests using NFS root partitions are
>   relatively isolated from each other on the wire. 
> - In a virtual domain, I can't simply 'ifconfig eth0:1 ip.on.my.lan' and
>   expect it to route; i.e. virtual domains can't steal IP addresses.
> Kudos to whoever made this work right.  Am I correct in my
> interpretations here?  I.e. is this as secure as it looks?

Xen is intended to provide secure isolation; your observations
are correct.
> There's a note in TODO that says "The current virtual firewall/router is
> completely broken."  Is this still valid?

Things will be even better in the next version of the VFR ;-)
We will have L4 routing support to enable safe IP address sharing
(think RSIP).


The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.