|
|
|
|
|
|
|
|
|
|
xense-devel
Re: [Xen-devel] RFC: virtual network access control
On 28 Jul 2006, at 15:56, Reiner Sailer wrote:
We propose to make access control decisions for packets based on the
domain id-s of sender and receiver (available in the netback
interfaces). sHype/ACM already offers a hypercall to retrieve a policy
decision based on two domain id-s.
This does not require to map static policy rules onto dynamic IP
addresses / MAC addresses or to rely on any packet content that is
crafted in user domains (which the ACM does not trust).
You mean tag a packet when it arrives from a source domain and then use
that if/when it boomerangs back at you on a different virtual
interface?
In terms of cost, an extra hypercall per packet will have measurable
cost, at least in CPU usage, for high-bandwidth network transfers.
-- Keir
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
|
|
|
|