Re: [Xen-devel] [PATCH] xen-2.0: privileged port connections
Hi,

On Wed, Mar 23, 2005 at 11:03:39AM -0600, Anthony Liguori wrote:
> >Note that NFS uses such ports without asking prior permission.
> >I chose 732 because it's unassigned indeed.
> >
> I know. That's one of the reasons using this port worries me. There
> may be nfs related conflicts.

The NFS client just chooses a free privileged source port as does xm.
Yes, the amount of NFS mounts is limited ...
And now xen competes with NFS, but neither should really tip over.

> >Before I start working on getting the consoles under control, I
> >wanted to see whether this approach is acceptable at all.
> >
> >
> How would you extend this to consoles? Each console can't have its own
> privileged port :-)

Oh, that's what I was planning to do. The privileged ports are less
scarce than the 4GB of memory that Xen-2 supports ...
We'll hardly get running more than 64 virtual machines, I'd guess.

> >>5) you still have to deal with xfrd
> >
> >It seems to listen on *:8002 ...
> >Is there no authentication either? Sigh.
> >
> Nope. I think there are a few options. We could use hosts.allow or
> something similar, we could restrict it to subnets, or we could try and
> implement some sort of authentication mechanism.
>
> Perhaps shutting it off by default and making it clear that it is
> insecure is enough.

We need to document it at least.
Maybe another setting in xend-config.sxp ...

> >And we probably need to look into the event channel (8001) as well.
> >
> Yeah.

Any insight what we could do there?

> >But for Xen-2, let's try to find a pragmatic way that enables desktop
> >users to install and test xen without raising too many security
> >concerns.
> >
> I full-heartedly agree. I'll gladly help out on this effort.

Thanks!

Regards,
--
Kurt Garloff, Director SUSE Labs, Novell Inc.