[Xen-devel] RFC: virtual network access control
The problem: domain0 does not enforce the access control policy on network packets that it forwards between different
We would like to propose a solution that solves this problem now. Next generation security enhancements may present better ways to solve this problem and we are looking forward to contributing to them as well.
Looking at options for a solution for the current version of Xen, we propose netback as the place to enforce the policy. XM tools are not in the network path and do not resolve this problem. Therefore, this problem is different from the general resource access control problem (e.g., blockback).
We also thought of extending packet filtering on the MAC or IP level, but these options add new software package dependencies, e.g., ebtables or iptables. In addition, re-using existing iptables filters would require switching off the bridge and managing point-to-point rules for a potentially large number of user domains.
We appreciate feedback on the netback approach and we are open to other suggestions that solve this problem.
Xen-devel mailing list