
Re: [Xen-devel] RFC: virtual network access control

On 28 Jul 2006, at 15:56, Reiner Sailer wrote:

We propose to make access control decisions for packets based on the domain ids of sender and receiver (available in the netback interfaces). sHype/ACM already offers a hypercall to retrieve a policy decision based on two domain ids.

This does not require mapping static policy rules onto dynamic IP addresses / MAC addresses or relying on any packet content that is crafted in user domains (which the ACM does not trust).

You mean tag a packet when it arrives from a source domain and then use that if/when it boomerangs back at you on a different virtual interface?

In terms of cost, an extra hypercall per packet will have measurable cost, at least in CPU usage, for high-bandwidth network transfers.

 -- Keir
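The two points in this exchange, deciding on the (sender domid, receiver domid) pair that the backend already knows rather than on anything inside the packet, and the cost of consulting the policy once per packet, can be shown together in a small model. The following C is an added illustration written for this page; it is not Xen or sHype/ACM code. The "hypercall" is a constructed stand-in that counts how often it is invoked, the type-bitmask policy is an assumption, and the per-pair decision cache with a generation counter is a mitigation suggested here for the per-packet cost, not something the thread itself proposes.

```c
/* Added illustration (not Xen code): access control on (src, dst) domid
 * pairs at the netback side, with a decision cache so the policy query
 * does not run for every packet. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t domid_t;

#define MAX_DOMS 8   /* constructed bound for the example; Xen allows far more */

/* Constructed stand-in for the policy: each domain carries a bitmask of
 * "types", and two domains may exchange packets only if they share at
 * least one type. This is an assumption made for the example. */
static uint8_t dom_types[MAX_DOMS] = {
    0xFF,          /* dom0: may talk to everyone */
    0x01, 0x01,    /* dom1, dom2: type A */
    0x02,          /* dom3: type B */
    0, 0, 0, 0     /* dom4..dom7: no type, fully isolated */
};

static unsigned long hypercall_count;  /* how often the policy was consulted */

/* Stand-in for the ACM policy hypercall: true if src may send to dst.
 * Every call here is the per-packet cost raised in the reply above. */
static bool acm_hypercall_decision(domid_t src, domid_t dst)
{
    hypercall_count++;
    if (src >= MAX_DOMS || dst >= MAX_DOMS)
        return false;                         /* unknown domain: deny */
    return (dom_types[src] & dom_types[dst]) != 0;
}

/* Decision cache keyed by the (src, dst) pair. Bumping the generation
 * invalidates every cached verdict at once when the policy changes. */
struct cache_entry { uint32_t gen; bool allowed; };
static struct cache_entry cache[MAX_DOMS][MAX_DOMS];
static uint32_t policy_gen = 1;   /* starts at 1 so zeroed entries are stale */

/* Simulated policy update: change a domain's types and flush the cache. */
void acm_set_types(domid_t dom, uint8_t types)
{
    if (dom < MAX_DOMS) {
        dom_types[dom] = types;
        policy_gen++;
    }
}

/* Netback-side check, called once per packet with the domids the backend
 * knows from its interfaces, never with addresses read out of the packet. */
bool netback_packet_allowed(domid_t src, domid_t dst)
{
    if (src >= MAX_DOMS || dst >= MAX_DOMS)
        return false;                         /* deny before touching the cache */
    struct cache_entry *e = &cache[src][dst];
    if (e->gen != policy_gen) {               /* miss or stale: ask the policy */
        e->allowed = acm_hypercall_decision(src, dst);
        e->gen = policy_gen;
    }
    return e->allowed;
}

unsigned long acm_hypercalls_made(void) { return hypercall_count; }

int main(void)
{
    /* Constructed traffic: a burst of dom1 -> dom2 packets, then one to dom3. */
    for (int i = 0; i < 1000; i++)
        netback_packet_allowed(1, 2);
    printf("dom1->dom3 allowed: %d\n", netback_packet_allowed(1, 3));
    printf("policy consulted %lu times for 1001 packets\n", acm_hypercalls_made());
    return 0;
}
```

The cache trades the per-packet hypercall for one lookup per (src, dst) pair per policy generation; a real implementation would also need to invalidate entries when a domid is reused after domain destruction, which this model does not handle.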

Xen-devel mailing list
