WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] Bridge vs. Route configuration?

from [Eric Windisch] [Permanent Link][Original]
To: NAHieu <nahieu@xxxxxxxxx>
Subject: Re: [Xen-users] Bridge vs. Route configuration?
From: Eric Windisch <lists@xxxxxxxxxx>
Date: Fri, 09 Jun 2006 11:47:33 -0400
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 09 Jun 2006 08:48:26 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <5d7aca950606081202i13d8dadep577a394055764194@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <5d7aca950606081202i13d8dadep577a394055764194@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.4 (Macintosh/20060530) 


In Xen, by default the domains are configured to use bridge (with
network-bridge script). But there is network-route, and this option
also allows us to connect domains.

But I don't see what is the advantage of Route config over Bridge. In
which case we should use Route method instead?
Bridging is perfectly fine in many cases, but when you have untrusted DomU, routing can be preferable. 

Routing establishes a healthy level of distrust to your network stack.

- Do trust dom01 to not assign itself IPs assigned to dom02 ?
- Do I want a firewall between dom01 and dom02 ?
- Do I want dom01's web access sent to a transparent proxy, but not dom02's web access?
These are questions that can be solved by routing. Finally, I should note that bridges aren't completely lost in terms of security, ebtables is far from useless, but it isn't as flexible as routing. 

--
Eric Windisch

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-users] Kernel panic: Unable to handle kernel paging request, Eric Windisch
Next by Date:  [Xen-users] What is possible with vlan and xen ?, Thomas von Steiger
Previous by Thread:  Re: [Xen-users] Bridge vs. Route configuration?, Emiliano Gabrielli
Next by Thread:  Re: [Xen-users] Bridge vs. Route configuration?, NAHieu
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy