WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-devel] Re: RFC: virtual network access control

from [Mike Day] [Permanent Link][Original]
To: Reiner Sailer <sailer@xxxxxxxxxx>
Subject: [Xen-devel] Re: RFC: virtual network access control
From: Mike Day <ncmike@xxxxxxxxxx>
Date: Fri, 28 Jul 2006 19:43:20 -0400
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx, Bryan D Payne <bdpayne@xxxxxxxxxx>
Delivery-date: Fri, 28 Jul 2006 16:43:50 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <OF4F1B646F.86700717-ON852571B9.005A7C7A-852571B9.005AB707@xxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <409ef10e77d37de5c12024a3cbf3ba7a@xxxxxxxxxxxx> <OF4F1B646F.86700717-ON852571B9.005A7C7A-852571B9.005AB707@xxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.11 
On 28/07/06 12:30 -0400, Reiner Sailer wrote:


  > In terms of cost, an extra hypercall per packet will have measurable
  > cost, at least in CPU usage, for high-bandwidth network transfers.
  >
  >   -- Keir
  >
  You only make the decision once for the first packet exchanged between
  two interfaces. Afterwards you reuse this decision for this interface
  pair (local cache). You basically have the cost of looking up a
  decision locally.


This is a key principle of "shype" - that they hypervisor authorizes
the channel when it to be set up. As long as the channel persists
unchaged (no additional parties, not policy modifications) there is no
need to perform further authorization. It performs a different level
of authorization than packet filtering does, and it is another layer
of depth in a multi-layer defense.

Mike


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-devel] Re: turn off writable page tables, Mike Day
Next by Date:  Re: [Xen-devel] [PATCH][RFC] open HVM backing storage with O_SYNC, Christian Limpach
Previous by Thread:  Re: [Xen-devel] RFC: virtual network access control, Reiner Sailer
Next by Thread:  Re: [Xen-devel] RFC: virtual network access control, Harry Butterworth
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy