[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Xen networking concepts



On Tue, 2005-12-20 at 13:46 +0100, Renà Pfeiffer wrote:
> Hello!
> 
> After some sleep and not poking around in the configs some questions
> were answered.
> 
> On Dec 20, 2005 at 0928 -0200, Fernando Maior appeared and said:
> > 
> > With Xen 3.0 you cannot pin down vif names. Besides, there is no need for
> > that if you are using the scripts that come with Xen to start the network
> > and bind the vifs to the bridges.
> 
> That's something I understood yesterday. The vifs are bound to the
> bridges given in the domain's config file. Also my kernel wasn't ready
> to handle multiple dummy devices (the dummy driver has to be a module to
> have this feature). In addition to that I thought that I can use the Xen
> network scripts for the creation of all devices necessary, but now I
> believe it is better to use extra scripts to handle everything besides
> Xen's xenbr0 and its virtual interfaces.
> 
> > If I may try to help you, there are some scripts and considerations.
> > 
> > In dom0, create two bridges. I will call them switches, because that is
> > what they really are like. [...]
> 
> I will give this a shot and see how it works. Many thanks!
> 
> Best,
> Lynx.
> 
Fernando made a really important point that I hope didn't slip by.  Your
original e-mail described binding an external IP address to Dom0.  I
would recommend never doing such a thing.  If someone compromises dom0,
they have everything.

We use Xen virtualized VPN gateways in the open source ISCS network
security management project (http://iscs.sourceforge.net) with a
slightly simply set up than Fernando's.  But the idea is still the same,
We heavily shield dom0 with no IP addresses bound to the public
interface and pass all external traffic through the firewall as you
proposed.

By the way, we also prefer to have a separate VPN gateway through which
we administer the Xen server with its various VPN gateways for our
clients.  This way, if there is a problem in the domU that can be
addresses from the dom0, we have not cut ourselves off from remote
administration.  Hope this helps - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

Financially sustainable open source development
http://www.opensourcedevel.com


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.