
Re: [Xen-users] Re: Network isolation - PCI passthrough question



On 20/12/2010 23:45, dave wrote:
>> As far as I have seen, there is no way to attach a domU NIC directly to
>> my firewall domU. So, dom0 will always have access to network traffic
>> from domU, right?
> only if you add dom0 interface to bridge.  for example:
> domu-2  :  tap2  --|
> domu-1  :  tap1  --|
> domu-fw :  tapfw --|
>                    |
>               tap-br0
>                    |
> dom0    :  tap0  --|
> 
> so only do
> brctl addif tap-br0 tap0
> when dom0 needs to join the LAN, then
> brctl delif tap-br0 tap0
> when you want dom0 to leave the LAN.
> 
> Again, I'm not sure if this is what you're trying to do, but it will
> isolate dom0 from your virtual LAN.

Hello,
I understand what you mean. But even if dom0 has no interface bridged, I
think I'll be able to listen to network traffic, no?

That is, a tcpdump -i tap-br0 will display network traffic from domU,
right?
Then, what if I want to block that? Will I have to use a VPN (either SSL
or IPsec) in order to make dom0 unable to listen to traffic? Is it
realistic?

I want to mitigate the consequences if dom0 gets compromised; that's why I'm
trying to isolate the network.

Thanks for all the explanations, I have many things to test now :)

Regards,
JB
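The brctl addif/delif approach dave describes only helps if dom0's own interface really is off the bridge, so a defender will want to verify that state rather than assume it. The following is an added example, not code from the thread: it parses `brctl show` output to list the members of a bridge and reports whether dom0's interface (tap0 in dave's diagram) is attached to tap-br0. The sample output is constructed in the format brctl prints; a real check pipes `brctl show` in instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether dom0's own interface
# is a member of the guest bridge, by parsing `brctl show` output.

# Constructed sample of `brctl show` output: header line, then one row per
# bridge (name, id, STP, first interface) and one extra row per further
# interface. Real brctl separates columns with tabs; awk treats tabs and
# spaces alike, so spaces are used here.
SAMPLE_BRCTL_SHOW='bridge name  bridge id           STP enabled  interfaces
tap-br0      8000.feffffffffff   no           tap1
                                              tap2
                                              tapfw
                                              tap0
xenbr1       8000.feffffffffff   no           tap3'

# bridge_members BRIDGE  (reads `brctl show` output on stdin)
# Prints the interfaces attached to BRIDGE, one per line.
bridge_members() {
    awk -v br="$1" '
        NR == 1 { next }                                    # skip header
        NF >= 3 { cur = $1; if (cur == br && NF == 4) print $4; next }
        NF == 1 && cur == br { print $1 }                   # continuation row
    '
}

# iface_on_bridge BRIDGE IFACE  (reads `brctl show` output on stdin)
# Exit status 0 if IFACE is currently a member of BRIDGE, 1 otherwise.
iface_on_bridge() {
    bridge_members "$1" | grep -qx "$2"
}

# Stand-alone run against the constructed sample. For a live system use:
#   brctl show | iface_on_bridge tap-br0 tap0
if printf '%s\n' "$SAMPLE_BRCTL_SHOW" | iface_on_bridge tap-br0 tap0; then
    echo "tap0 is attached to tap-br0: dom0 is on the guest LAN"
else
    echo "tap0 is not attached to tap-br0: dom0 is detached from the guest LAN"
fi
```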

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

