
Re: [Xen-users] Xen 4.2 - Security on Live Migration




On 02/27/2013 08:41 PM, Sylvain Munaut wrote:
> Hi,
> 
>> In the previous version I could create client/server pairs and I used
>> to save them in etc/xen/xend-config.sxp, like this:
>> 
>> (xend-relocation-server-ssl-key-file   my_server.key) 
>> (xend-relocation-server-ssl-cert-file  my_server.crt)
> 
> Did you actually check the code to see what it does?
> 
> AFAICT, it just sets up an SSL server using those, but it does no 
> validation whatsoever that the client that connects is using a
> valid cert, nor does the client check anything about the server
> certificate ...
> 
> Cheers,
> 
> Sylvain

Hi Sylvain,

Thanks for your reply! Actually, I didn't check any code because it is
mentioned in the man file of xend-config.sxp:

"Note that relocation is currently unsecured and is very dangerous if
left enabled. No authentication is performed, and very little sanity
checking takes place. Enable at your own risk."

http://xenbits.xen.org/docs/unstable/man/xend-config.sxp.5.html

Now that I have switched to Xen-4.2.1, I'm searching for where I could
modify security options concerning live migration, like allowing only
specific hosts or using SSL.

Katerina


