[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] RFC: virtual network access control

The problem: domain0 does not enforce the access control policy on network packets that it forwards between different user domains.

We would like to propose a solution that solves this problem now. Next generation security enhancements may present better ways to solve this problem and we are looking forward to contributing to them as well.

Looking at options for a solution for the current version of Xen, we propose netback as the place to enforce the policy. XM tools are not in the network path and do not resolve this problem. Therefore, this problem is different from the general resource access control problem (eg. blockback).

We also thought of extending packet filtering on MAC or IP level but it these options add new software package dependencies, e.g., ebtables or iptables. In addition, re-using existing iptables filters would require switching off the bridge and managing point-to-point rules for a potentially large number of user domains.

We appreciate feedback on the netback approach and we are open to other suggestions that solve this problem.

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.