WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Re: [Xen-users] Live Migration Config

To: Alan Greenspan <alan@xxxxxxxxxxx>
Subject: Re: [Xen-users] Live Migration Config
From: Anthony Liguori <aliguori@xxxxxxxxxx>
Date: Fri, 28 Oct 2005 15:03:06 -0500
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Alan Greenspan wrote:

> You can't have dom0s on a hostile network if you want to prevent these "rogue
> migrations". Note that you can't force an outgoing migration from a node, so
> nobody can "steal" your running domUs. However, if someone gets on a segment
> of network that can reach your dom0s they could send you some domUs of their
> own - shouldn't be a security issue (the domUs will still be isolated by Xen)
> but could get quite annoying ;-)

It's actually a huge security hole since a migrating domU carries its device mappings to the target machine. Basically, you could create a domU, map one of its disks to, say, /dev/hdb, migrate it to a target machine and gain access to /dev/hdb on the target. Same goes for any file used as a disk on the source/target dom0.

The migration port should be firewalled if dom0 is connected to an untrusted network.

Minimally, Xen should implement a simple hosts.allow/hosts.deny mechanism for migration so that a host can limit which other hosts can migrate in. Relying on network isolation using a separate management network isn't always practical.

This can be achieved with iptables.

Host-level access control is generally a weak security mechanism. It's far too easy to spoof or steal IP addresses.

Regards,

Anthony Liguori

Alan

------------------------------------------------------------------------

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
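
The iptables restriction discussed in the message above, as an added example that is not part of the original thread: a script that prints an `iptables-restore` ruleset admitting migration traffic only from listed peers on one interface, and logging and dropping everything else. The port (8002), the interface name (`eth1`), the chain name `XEN-MIGRATE`, the script file name and the sample peer addresses are assumptions; the source-address match is only as trustworthy as the network behind that interface.

```shell
#!/bin/sh
# Added example (not from the original thread): emit iptables-restore rules
# that admit inbound Xen migration only from named peers on one interface.
MIGRATION_PORT="${MIGRATION_PORT:-8002}"  # assumption: xend relocation port; check your xend config
MGMT_IF="${MGMT_IF:-eth1}"                # assumption: interface on the management network

# is_ipv4 ADDR: succeed only for a dotted-quad address with octets 0..255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# migration_rules PEER...: print the ruleset; refuse if any peer is malformed,
# so a bad argument can never turn into an unintended rule.
migration_rules() {
    [ "$#" -gt 0 ] || { echo "need at least one peer address" >&2; return 1; }
    for peer in "$@"; do
        is_ipv4 "$peer" || { echo "invalid peer address: $peer" >&2; return 1; }
    done
    echo "*filter"
    echo ":XEN-MIGRATE - [0:0]"
    # Evaluate migration traffic first, ahead of any broader ACCEPT rule.
    echo "-I INPUT 1 -p tcp --dport $MIGRATION_PORT -j XEN-MIGRATE"
    for peer in "$@"; do
        echo "-A XEN-MIGRATE -i $MGMT_IF -s $peer/32 -j ACCEPT"
    done
    # Everything else is logged (for detection) and dropped.
    echo "-A XEN-MIGRATE -j LOG --log-prefix \"xen-migrate-drop: \""
    echo "-A XEN-MIGRATE -j DROP"
    echo "COMMIT"
}

# Print rules for the peers given on the command line, e.g. (hypothetical file name):
#   sh xen-migrate-fw.sh 192.0.2.10 192.0.2.11 | iptables-restore --noflush
if [ "$#" -gt 0 ]; then
    migration_rules "$@"
fi
```

Review the printed rules before piping them to `iptables-restore --noflush`; re-running adds another jump rule to INPUT, so remove the old one first.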