Re: [Xen-devel] RFC: virtual network access control
On 28 Jul 2006, at 15:56, Reiner Sailer wrote:
We propose to make access control decisions for packets based on the
domain IDs of sender and receiver (available in the netback
interfaces). sHype/ACM already offers a hypercall to retrieve a policy
decision based on two domain IDs.
This does not require mapping static policy rules onto dynamic IP
addresses / MAC addresses, or relying on any packet content that is
crafted in user domains (which the ACM does not trust).
You mean tag a packet when it arrives from a source domain and then use
that if/when it boomerangs back at you on a different virtual
In terms of cost, an extra hypercall per packet will have measurable
cost, at least in CPU usage, for high-bandwidth network transfers.
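The mechanism under discussion, as an added example that is not code from Xen, netback or sHype/ACM: a user-space model in which the forward/drop decision for a virtual network packet is taken from the (sender, receiver) domain-ID pair the backend already knows, never from bytes inside the packet. The policy matrix, the `acm_decide_hypercall` stub standing in for the ACM hypercall, and the per-pair decision cache (one way to avoid the per-packet hypercall cost raised in the reply) are all constructed for illustration and are assumptions, not the proposal's design.

```c
/* Added example: decide per-packet forwarding from (src domid, dst domid).
 * Not Xen or sHype/ACM code; policy table, hypercall stub and cache are
 * constructed for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

typedef uint16_t domid_t;
#define MAX_DOMS 8

/* Constructed policy: a symmetric "may exchange packets" matrix. A real ACM
 * policy is type-enforcement based; this stands in for it. */
static bool policy_allow[MAX_DOMS][MAX_DOMS];
static unsigned policy_version = 1;    /* bumped whenever the policy changes */
static unsigned hypercall_count = 0;   /* how often the "hypervisor" was entered */

/* Hypothetical stub for the ACM hypercall mentioned in the thread:
 * a decision from two domain IDs and nothing else. */
static bool acm_decide_hypercall(domid_t src, domid_t dst)
{
    hypercall_count++;
    if (src >= MAX_DOMS || dst >= MAX_DOMS)
        return false;                  /* unknown domain: default deny */
    return policy_allow[src][dst];
}

/* Per-(src,dst) cache so the hypercall is paid once per pair per policy
 * version rather than once per packet. A version bump invalidates it. */
struct decision_cache_entry { unsigned version; bool allow; bool valid; };
static struct decision_cache_entry cache[MAX_DOMS][MAX_DOMS];

void set_policy(domid_t a, domid_t b, bool allow)
{
    policy_allow[a][b] = allow;
    policy_allow[b][a] = allow;
    policy_version++;                  /* every cached decision is now stale */
}

/* What a netback hook would call. The packet buffer is deliberately not a
 * parameter: the decision uses only the domain IDs the backend trusts. */
bool netback_may_forward(domid_t src, domid_t dst)
{
    if (src >= MAX_DOMS || dst >= MAX_DOMS)
        return false;
    struct decision_cache_entry *e = &cache[src][dst];
    if (!e->valid || e->version != policy_version) {
        e->allow = acm_decide_hypercall(src, dst);
        e->version = policy_version;
        e->valid = true;
    }
    return e->allow;
}

/* Push n packets from src to dst; returns how many were forwarded. */
unsigned send_burst(domid_t src, domid_t dst, unsigned n)
{
    unsigned forwarded = 0;
    for (unsigned i = 0; i < n; i++)
        if (netback_may_forward(src, dst))
            forwarded++;
    return forwarded;
}

unsigned hypercalls_made(void) { return hypercall_count; }

void reset_model(void)
{
    memset(policy_allow, 0, sizeof policy_allow);
    memset(cache, 0, sizeof cache);
    policy_version = 1;
    hypercall_count = 0;
}

int main(void)
{
    reset_model();
    set_policy(1, 2, true);            /* dom1 <-> dom2 allowed, all else denied */
    printf("dom1->dom2: %u/1000 forwarded\n", send_burst(1, 2, 1000));
    printf("dom1->dom3: %u/1000 forwarded\n", send_burst(1, 3, 1000));
    printf("hypercalls so far: %u (one per pair, not per packet)\n", hypercalls_made());
    set_policy(1, 2, false);           /* revoke: the cached dom1->dom2 entry goes stale */
    printf("dom1->dom2 after revoke: %u/10 forwarded\n", send_burst(1, 2, 10));
    printf("hypercalls so far: %u\n", hypercalls_made());
    return 0;
}
```

The cache is keyed purely on the domain-ID pair and a policy version, so a guest cannot influence the decision by forging source addresses, and a policy update takes effect on the very next packet for any pair because the stale entry is refreshed through the hypercall.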