Re: [Xen-devel] RFC: virtual network access control
On 28 Jul 2006, at 15:56, Reiner Sailer wrote:
> We propose to make access control decisions for packets based on the domain IDs of sender and receiver (available in the netback interfaces). sHype/ACM already offers a hypercall to retrieve a policy decision based on two domain IDs. This does not require to map static policy rules onto dynamic IP addresses / MAC addresses or to rely on any packet content that is crafted in user domains (which the ACM does not trust).
You mean tag a packet when it arrives from a source domain and then use that if/when it boomerangs back at you on a different virtual interface?
In terms of cost, an extra hypercall per packet will have measurable cost, at least in CPU usage, for high-bandwidth network transfers.
-- Keir

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
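To make the cost question concrete, here is an added example (not code from Xen, sHype/ACM or either poster) of what a netback-side filter keyed on sender and receiver domain IDs looks like, and how a small decision cache keeps the policy query from being issued once per packet. The names (`netback_filter`, `policy_query`, `policy_changed`), the toy policy and the cache layout are all hypothetical; `policy_query` stands in for the hypercall and counts its own invocations so the effect of the cache is measurable.

```c
/* Added example, not Xen/sHype code. Models a per-(sender, receiver)
 * domain-ID access check on the netback path with a decision cache in
 * front of the policy query. All names and the policy are hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

typedef uint16_t domid_t;

enum acm_decision { ACM_DENY = 0, ACM_PERMIT = 1 };

/* Stand-in for the hypervisor policy hypercall (hypothetical). It counts
 * invocations so a test can observe how many queries N packets cost. */
static unsigned long g_policy_queries;
static unsigned long g_policy_generation;   /* bumped on policy change */

static enum acm_decision policy_query(domid_t src, domid_t dst)
{
    g_policy_queries++;
    /* Constructed toy policy: dom0 may talk to anyone; otherwise only
     * domains in the same "colour" (domid / 10) may exchange packets. */
    if (src == 0 || dst == 0)
        return ACM_PERMIT;
    return (src / 10 == dst / 10) ? ACM_PERMIT : ACM_DENY;
}

#define CACHE_SLOTS 256

struct decision_slot {
    domid_t src, dst;
    unsigned long generation;   /* policy generation the decision is valid for */
    enum acm_decision decision;
    bool valid;
};

static struct decision_slot g_cache[CACHE_SLOTS];

static unsigned slot_index(domid_t src, domid_t dst)
{
    return ((unsigned)src * 31u + (unsigned)dst) % CACHE_SLOTS;
}

/* Called per packet with the sender and receiver domain IDs, which the
 * backend knows from the vifs rather than from untrusted packet content.
 * Returns the cached decision when one exists for the current policy
 * generation; otherwise queries the policy once and fills the slot. */
static enum acm_decision netback_filter(domid_t src, domid_t dst)
{
    struct decision_slot *s = &g_cache[slot_index(src, dst)];

    if (s->valid && s->src == src && s->dst == dst &&
        s->generation == g_policy_generation)
        return s->decision;

    s->src = src;
    s->dst = dst;
    s->generation = g_policy_generation;
    s->decision = policy_query(src, dst);
    s->valid = true;
    return s->decision;
}

/* Policy reload: invalidates every cached decision at once by bumping the
 * generation, which is cheaper than scrubbing the table. */
static void policy_changed(void)
{
    g_policy_generation++;
}

/* Helpers for experiments: reset state, push a burst of packets between
 * one pair and report how many were permitted, read the query counter. */
static void reset_state(void)
{
    g_policy_queries = 0;
    g_policy_generation = 0;
    memset(g_cache, 0, sizeof g_cache);
}

static unsigned long send_burst(domid_t src, domid_t dst, unsigned long n)
{
    unsigned long permitted = 0;
    for (unsigned long i = 0; i < n; i++)
        if (netback_filter(src, dst) == ACM_PERMIT)
            permitted++;
    return permitted;
}

static unsigned long policy_queries(void)
{
    return g_policy_queries;
}
```

Two caveats a real implementation needs that the toy leaves out: domain IDs are reused after a domain is destroyed, so cached entries must also be dropped when either domain goes away, not only on policy reload; and the cache lives in the backend domain, so a compromised backend can ignore it, which is no worse than the backend ignoring the hypercall result in the uncached design.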