[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Re: Live Migration Config


  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: Nigel Head <nigel.head@xxxxxxxxx>
  • Date: Mon, 31 Oct 2005 06:41:55 +0100
  • Delivery-date: Mon, 31 Oct 2005 05:39:04 +0000
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=IlhCx7+j0XfcAcfbToEUasjToMJ7hzC5XU/oCh30kH50Qk100ywhFd1v+mSgaq0EOQWkFTxb/zi1tsc+nhUM55nYulVxLHbpJM9pBDzwjt4a/zEPG+U+b7gtgygZGG29vBi8N9URl/qk7Cko+9Em6jJYD+fBq7J9RS3DKScmHtI=
  • List-id: Xen user discussion <xen-users.lists.xensource.com>


On 10/31/05, Anthony Liguori <aliguori@xxxxxxxxxx> wrote:
[...]  To enable migration from specific
addresses, you would then say:

  iptables -I INPUT -p tcp --source 192.168.1.100 --destination-port
8002 -j ACCEPT

Or from anyone claiming to have ip address 192.168.1.100  ...

I'm quite sure that the best (for my definition of 'best' of course) way to do this is not via firewalling, because of the above spoofing possibilities, but also not by complicating the xen tools themselves. I'd like to come back again to the 'VPN' type solution discussion.

I know that a full VPN setup is sufficiently complex that I've always been scared away from trying, but I have the feeling that it wouldn't be too terribly difficult to setup some wrapper type functionality so that ssh could be used to build a 'tunnel' to the target machine and connections to the target xfrd could then be made from, and limited to, 127.0.0.1 on the target machine. 

While I haven't plunged through the xfrd code to see how a tunnel create/destroy script could be built in I don't imagine it would be too terrible. There is a lot of precedent for using ssh this way ('rsync -e ssh' etc), it is as secure as you are likely to want, and it's easier than trying to add credential support directly into the tools themselves, as well as being more in the *nix spirit of combining what you already have.

For small setups, this could be done statically using port forwarding (with something like Vtun, if you prefer virtual devices) ... the dynamic variant would only be needed where there are too many systems to build static interconnects from everywhere to everywhere else.

In security terms, if ssh is compromised on any of my systems they're dead in the water anyway, so using ssh for this wouldn't seem to add any risk that I haven't already accepted.

I'm going to try this out as soon as my day job leaves me enough time ... which won't be for a while I'm afraid.



Now, as this is surely not fresh news to most of you, what is wrong with my definition of 'best' ??


--
N.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.