WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] NFS and interface security

from [Ian Pratt] [Permanent Link][Original]
To: stevegt@xxxxxxxxxxxxx
Subject: Re: [Xen-devel] NFS and interface security
From: Ian Pratt <Ian.Pratt@xxxxxxxxxxxx>
Date: Sat, 17 Jan 2004 19:01:05 +0000
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxxx, Ian.Pratt@xxxxxxxxxxxx
Delivery-date: Sat, 17 Jan 2004 19:02:50 +0000
Envelope-to: steven.hand@xxxxxxxxxxxx
In-reply-to: Your message of "Sat, 17 Jan 2004 08:04:41 PST." <20040117160441.GO2992@pathfinder>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx 
> Two Xen features I like very much:
> - Virtual domains can't see each others' traffic via 'tcpdump', which
>   means that, for instance, guests using NFS root partitions are
>   relatively isolated from each other on the wire. 
> - In a virtual domain, I can't simply 'ifconfig eth0:1 ip.on.my.lan' and
>   expect it to route; i.e. virtual domains can't steal IP addresses.
> 
> Kudos to whoever made this work right.  Am I correct in my
> interpretations here?  I.e. is this as secure as it looks?

Xen is intended to provide secure isolation; your observations
are correct.
 
> There's a note in TODO that says "The current virtual firewall/router is
> completely broken."  Is this still valid?

Things will be even better in the next version of the VFR ;-)
We will have L4 routing support to enable safe IP address sharing
(think RSIP).

Ian


-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-devel] Cannot open root device for dom0, stevegt
Next by Date:  [Xen-devel] xentop, anyone?, stevegt
Previous by Thread:  [Xen-devel] NFS and interface security, stevegt
Next by Thread:  [Xen-devel] xentop, anyone?, stevegt
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy