This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] NFS and interface security

To: stevegt@xxxxxxxxxxxxx
Subject: Re: [Xen-devel] NFS and interface security
From: Ian Pratt <Ian.Pratt@xxxxxxxxxxxx>
Date: Sat, 17 Jan 2004 19:01:05 +0000
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxxx, Ian.Pratt@xxxxxxxxxxxx
Delivery-date: Sat, 17 Jan 2004 19:02:50 +0000
Envelope-to: steven.hand@xxxxxxxxxxxx
In-reply-to: Your message of "Sat, 17 Jan 2004 08:04:41 PST." <20040117160441.GO2992@pathfinder>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
> Two Xen features I like very much:
> - Virtual domains can't see each others' traffic via 'tcpdump', which
>   means that, for instance, guests using NFS root partitions are
>   relatively isolated from each other on the wire. 
> - In a virtual domain, I can't simply 'ifconfig eth0:1 ip.on.my.lan' and
>   expect it to route; i.e. virtual domains can't steal IP addresses.
> Kudos to whoever made this work right.  Am I correct in my
> interpretations here?  I.e. is this as secure as it looks?

Xen is intended to provide secure isolation; your observations
are correct.

> There's a note in TODO that says "The current virtual firewall/router is
> completely broken."  Is this still valid?

Things will be even better in the next version of the VFR ;-)
We will have L4 routing support to enable safe IP address sharing
(think RSIP).

