xen-users

Re: [Xen-users] Live Migration Config

To: <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] Live Migration Config
From: "Alan Greenspan" <alan@xxxxxxxxxxx>
Date: Fri, 28 Oct 2005 15:24:53 -0400
Delivery-date: Fri, 28 Oct 2005 19:22:16 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
>You can't have dom0s on a hostile network if you want to prevent these "rogue
>migrations".  Note that you can't force an outgoing migration from a node, so
>nobody can "steal" your running domUs.  However, if someone gets on a segment
>of network that can reach your dom0s they could send you some domUs of their
...
>own - shouldn't be a security issue (the domUs will still be isolated by Xen)
>but could get quite annoying ;-)
 
It's actually a huge security hole since a migrating domU carries its device mappings to the target machine. Basically, you could create a domU, map one of its disks to, say, /dev/hdb, migrate it to a target machine and gain access to /dev/hdb on the target. The same goes for any file used as a disk on the source/target dom0.

Minimally, Xen should implement a simple hosts.allow/hosts.deny mechanism for migration so that a host can limit which other hosts can migrate in. Relying on network isolation using a separate management network isn't always practical.
 
Alan
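The allow/deny check Alan asks for, written out as an added example (not Xen code and not part of the original thread): a dom0 consults hosts.allow first, then hosts.deny, with TCP-wrappers semantics, before accepting a migration from a source address. The service name "xen-migrate" and the two policy strings are assumed and constructed for the example.

```python
# Added example: hosts.allow / hosts.deny style filtering of incoming
# live-migration requests on a dom0 (illustrative, not Xen's own code).
# Semantics follow TCP wrappers: a match in hosts.allow accepts; otherwise
# a match in hosts.deny rejects; no match in either file accepts.
import ipaddress

# Constructed sample policy files, standing in for /etc/hosts.allow and
# /etc/hosts.deny. The service name "xen-migrate" is an assumption.
HOSTS_ALLOW = """
# only the management network may migrate domUs in
xen-migrate: 10.0.50.0/24
xen-migrate: 192.168.1.10
"""
HOSTS_DENY = """
xen-migrate: ALL
"""

def parse_rules(text, service):
    """Return the client patterns listed for `service` in a wrappers-style file."""
    patterns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line or ":" not in line:
            continue
        svc, clients = line.split(":", 1)
        if svc.strip() == service:
            patterns.extend(c.strip() for c in clients.split(",") if c.strip())
    return patterns

def matches(pattern, addr):
    """True if a client pattern (ALL, a single IP, or a CIDR block) covers addr."""
    if pattern == "ALL":
        return True
    try:
        return addr in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False   # an unparseable pattern never matches anything

def migration_allowed(src, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY,
                      service="xen-migrate"):
    """Decide whether this dom0 should accept a migration arriving from src."""
    addr = ipaddress.ip_address(src)
    if any(matches(p, addr) for p in parse_rules(allow_text, service)):
        return True
    if any(matches(p, addr) for p in parse_rules(deny_text, service)):
        return False
    return True   # wrappers default: nothing matched, so allow
```

With the sample files above, only the management subnet and one named host can migrate in; the trailing "ALL" in hosts.deny turns the default into a deny for everyone else.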

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users