
Re: [Xen-users] Live Migration Config


  • To: <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: "Alan Greenspan" <alan@xxxxxxxxxxx>
  • Date: Fri, 28 Oct 2005 15:24:53 -0400
  • Delivery-date: Fri, 28 Oct 2005 19:22:16 +0000
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

>You can't have dom0s on a hostile network if you want to prevent these "rogue
>migrations".  Note that you can't force an outgoing migration from a node, so
>nobody can "steal" your running domUs.  However, if someone gets on a segment
>of network that can reach your dom0s they could send you some domUs of their
>own - shouldn't be a security issue (the domUs will still be isolated by Xen)
>but could get quite annoying ;-)
 
It's actually a huge security hole since a migrating domU carries its device mappings to the target machine. Basically, you could create a domU, map one of its disks to, say, /dev/hdb, migrate it to a target machine and gain access to /dev/hdb on the target. Same goes for any file used as a disk on the source/target dom0.
 
Minimally, Xen should implement a simple hosts.allow/hosts.deny mechanism for migration so that a host can limit which other hosts can migrate in. Relying on network isolation using a separate management network isn't always practical.
 
Alan

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
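
Added example, not part of the original message and not Xen's own code: a sketch of the hosts.allow/hosts.deny check suggested above, combined with a check that an incoming domU's disk mappings only point at backing paths the receiving dom0 permits. The rule format, function names, addresses and paths are assumptions made for illustration.

```python
import ipaddress
import os.path

def parse_rules(text):
    """One CIDR/address or the keyword ALL per line; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            rules.append("ALL" if entry.upper() == "ALL"
                         else ipaddress.ip_network(entry, strict=False))
    return rules

def _matches(addr, rules):
    return any(r == "ALL" or addr in r for r in rules)

def source_allowed(peer, allow, deny):
    """tcp-wrappers order: an allow match wins, then a deny match, else permit."""
    addr = ipaddress.ip_address(peer)
    if _matches(addr, allow):
        return True
    return not _matches(addr, deny)

def backend_path(disk_spec):
    """Return the dom0 path behind a 'phy:...' or 'file:...' disk entry."""
    backend = disk_spec.split(",", 1)[0]
    kind, _, path = backend.partition(":")
    if kind not in ("phy", "file") or not path:
        raise ValueError("unsupported disk spec: %r" % disk_spec)
    if kind == "phy" and not path.startswith("/"):
        path = "/dev/" + path          # assumption: bare phy names are relative to /dev
    return os.path.normpath(path)      # collapse '..' before comparing prefixes

def admit_migration(peer, disks, allow, deny, permitted_dirs):
    """Accept only if the sender is allowed AND every disk maps under a permitted dir."""
    if not source_allowed(peer, allow, deny):
        return False, "sender %s rejected by host rules" % peer
    for spec in disks:
        path = backend_path(spec)
        if not any(path.startswith(d.rstrip("/") + "/") for d in permitted_dirs):
            return False, "disk backend %s not permitted on this host" % path
    return True, "ok"

# Constructed sample policy: only the management subnet may migrate in,
# and guests may only be backed by these two locations on the target.
ALLOW = parse_rules("10.0.5.0/24   # management VLAN\n")
DENY = parse_rules("ALL\n")
PERMITTED = ["/dev/vg_guests", "/srv/xen/images"]
```

With these sample rules, a domU arriving from an allowed sender is still refused if it maps a disk to /dev/hdb, which is the case described in the message.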

 

