Re: [Xen-users] Live Migration Config
Alan Greenspan wrote:

> You can't have dom0s on a hostile network if you want to prevent these "rogue
> migrations". Note that you can't force an outgoing migration from a node, so
> nobody can "steal" your running domUs. However, if someone gets on a segment
> of network that can reach your dom0s they could send you some domUs of their
> own - shouldn't be a security issue (the domUs will still be isolated by Xen)
> but could get quite annoying ;-)

It's actually a huge security hole since a migrating domU carries its device mappings to the target machine. Basically, you could create domU, map one of its disks to say /dev/hdb, migrate it to a target machine and gain access to /dev/hdb on the target. Same goes for any file used as a disk on the source/target dom0.

The migration port should be firewalled if dom0 is connected to an untrusted network.

Minimally, Xen should implement a simple hosts.allow hosts.deny mechanism for migration so that a host can limit which other hosts can migrate in. Relying on network isolation using a separate management network isn't always practical.

This can be achieved with iptables.

Host level access control is generally a weak security mechanism. It's far too easy to spoof or steal IP addresses.

Regards,

Anthony Liguori

Alan

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
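The host-restricting firewall rule the message refers to, as an added example that is not part of the original post: a shell function that emits an iptables-restore fragment admitting relocation traffic only from listed peer dom0s. TCP port 8002 (xend's default relocation port), the chain name XEN-MIGRATE and the peer addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): emit an iptables-restore
# fragment that admits Xen relocation (live migration) traffic only from
# listed peer dom0s. Assumptions: TCP port 8002 (xend's default relocation
# port), a chain named XEN-MIGRATE, and constructed peer addresses.
# Source-address filtering is spoofable, as the post notes, so treat this
# as one layer alongside an isolated management network.

RELOC_PORT="${RELOC_PORT:-8002}"

# is_ipv4 ADDR: succeed only for a dotted-quad address with octets 0-255.
# Rejecting everything else keeps rule text from being injected via a peer.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i == "" || length($i) > 3 || $i > 255) exit 1 }'
}

# gen_migration_rules PEER...: print the ruleset on stdout, or fail without
# printing any rule if a peer is invalid or no peer is given.
gen_migration_rules() {
    [ "$#" -gt 0 ] || { echo "no peers given" >&2; return 1; }
    for peer in "$@"; do
        is_ipv4 "$peer" || { echo "invalid peer: $peer" >&2; return 1; }
    done
    echo "*filter"
    echo ":XEN-MIGRATE - [0:0]"
    # Inserted first so an earlier broad ACCEPT cannot bypass the chain.
    echo "-I INPUT 1 -p tcp --dport $RELOC_PORT -j XEN-MIGRATE"
    for peer in "$@"; do
        echo "-A XEN-MIGRATE -s $peer/32 -j ACCEPT"
    done
    # Anything else that reaches the relocation port is logged and dropped.
    echo "-A XEN-MIGRATE -j LOG --log-prefix \"xen-migrate-denied: \""
    echo "-A XEN-MIGRATE -j DROP"
    echo "COMMIT"
}

# Dry run with constructed peers; pipe into `iptables-restore --noflush`
# as root to load the rules instead of just printing them.
gen_migration_rules 192.0.2.10 192.0.2.11
```

Each load inserts another jump at the top of INPUT, so apply the fragment once from the host's boot-time firewall setup rather than repeatedly.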