Sorry, quixotic as charged. :^) Your patch is one thing, multi-domain
shared page LAN's are another.
If multi-domain shared page LAN's become more than a proof-of-concept
for your patch, we can worry about it then. You mention the DOS attack,
but there are other problems that have no wired-LAN analog. From Mr.
Minnich, it sounds such a thread already ran its course. I looked
briefly but could not find it in the xen-devel archives.
-steve
-----Original Message-----
From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Rusty
Russell
Sent: Sunday, February 12, 2006 6:33 PM
To: King, Steven R
Cc: xen-devel
Subject: RE: [Xen-devel] [BUNDLE] Testing a simpler inter-domain
transport
On Sun, 2006-02-12 at 15:39 -0800, King, Steven R wrote:
> > Note that like a real LAN, one badly behaved partition can block
> > communication for the others they share the lan with...
>
> Shared page LAN is much less secure than a real LAN. Any domain
> attached to the shared page, i.e. in the LAN, can modify any frame "in
> flight" on the page. Recipients have no confidence that the received
> frame is actually what the sender sent.
Hi Steve,
I don't quite know how to respond to this! Your statement is
true given some assumptions, but not relevent to my implementation,
hence the presence of your assertion in this thread is quixotic.
In my implementation, you can't tell which domain on the LAN a
packet came from, nor do I try to prevent malicious domains on the LAN
from effectively stopping all useful traffic. I believe that
multi-domain access is useful in some scenarious, nonetheless.
Hope that clarifies?
Rusty.
--
ccontrol: http://ozlabs.org/~rusty/ccontrol
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
Home