[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] RFC: virtual network access control

To: Reiner Sailer <sailer@xxxxxxxxxx>
From: Keir Fraser <Keir.Fraser@xxxxxxxxxxxx>
Date: Fri, 28 Jul 2006 16:06:22 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx, Bryan D Payne <bdpayne@xxxxxxxxxx>
Delivery-date: Fri, 28 Jul 2006 08:06:41 -0700
List-id: Xen developer discussion <xen-devel.lists.xensource.com>


On 28 Jul 2006, at 15:56, Reiner Sailer wrote:

We propose to make access control decisions for packets based on thedomain id-s of sender and receiver (available in the netbackinterfaces). sHype/ACM already offers a hypercall to retrieve a policydecision based on two domain id-s.
This does not require to map static policy rules onto dynamic IPaddresses / MAC addresses or to rely on any packet content that iscrafted in user domains (which the ACM does not trust).

You mean tag a packet when it arrives from a source domain and then usethat if/when it boomerangs back at you on a different virtualinterface?

In terms of cost, an extra hypercall per packet will have measurablecost, at least in CPU usage, for high-bandwidth network transfers.


 -- Keir


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

Follow-Ups:
- Re: [Xen-devel] RFC: virtual network access control
  - From: Reiner Sailer

References:
- Re: [Xen-devel] RFC: virtual network access control
  - From: Reiner Sailer

Prev by Date: Re: [Xen-devel] RFC: virtual network access control
Next by Date: [Xen-devel] VMX status report 10756:5848356af8da
Previous by thread: Re: [Xen-devel] RFC: virtual network access control
Next by thread: Re: [Xen-devel] RFC: virtual network access control
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.