WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xense-devel

Re: [Xen-devel] RFC: virtual network access control


On 28 Jul 2006, at 15:17, Reiner Sailer wrote:

 Sounds like you want to implement a primitive firewall in netback
> simply to avoid a dependency on the existing mechanisms that Linux has. > That doesn't sound a good tradeoff to me, and I think it's unlikely to
 > fly with the kernel maintainers.

We are interested in controlling access based on the security labels of sender and receiver domains, not based on IP or other traditional firewall packet attributes.

But the access-control decision must ultimately be made based on network-packet attributes. At the level of packet forwarding you only have details like the IP address to base your decision on. Presumably you map that into the 'security label' namespace, and thus make your decision. Well, you can do that at policy instantiation time, or network-interface creation time, by mapping from 'security labels' to details such as IP addresses, and then poke down firewall rules.

 > The only problem I can see with relying on iptables (other than
> requiring it to be installed) is that it becomes harder to configure if
 > netback is in a driver domain. Possibly we need to come up with some
> xenstore<->iptables interface (e.g., run an interfacing daemon in the
 > same domain as netback).

We see other problems as well: IPtables seems to not see any of the ethernet-bridged packets. If you wanted to use IPtables then you
would need to replace the ethernet bridge with routing each packet.

We support routing: we provide scripts out of the box for this, it's just not the default (Ethernet bridging 'just works' in many situations, which we think is an important consideration [and one that often works against the aims of the security conscious :-)]).

 -- Keir


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel