xen-users

Re: [Xen-users] Live Migration Config

To: Alan Greenspan <alan@xxxxxxxxxxx>
Subject: Re: [Xen-users] Live Migration Config
From: Anthony Liguori <aliguori@xxxxxxxxxx>
Date: Fri, 28 Oct 2005 15:03:06 -0500
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Alan Greenspan wrote:

>You can't have dom0s on a hostile network if you want to prevent these "rogue
>migrations". Note that you can't force an outgoing migration from a node, so
>nobody can "steal" your running domUs. However, if someone gets on a segment
>of network that can reach your dom0s they could send you some domUs of their
...
>own - shouldn't be a security issue (the domUs will still be isolated by Xen)
>but could get quite annoying ;-)
It's actually a huge security hole since a migrating domU carries its device mappings to the target machine. Basically, you could create a domU, map one of its disks to, say, /dev/hdb, migrate it to a target machine and gain access to /dev/hdb on the target. Same goes for any file used as a disk on the source/target dom0.

The migration port should be firewalled if dom0 is connected to an untrusted network.

Minimally, Xen should implement a simple hosts.allow hosts.deny mechanism for migration so that a host can limit which other hosts can migrate in. Relying on network isolation using a separate management network isn't always practical.

This can be achieved with iptables.

Host level access control is generally a weak security mechanism. It's far too easy to spoof or steal IP addresses.

Regards,

Anthony Liguori

Alan

------------------------------------------------------------------------

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
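
Added example, not part of the original message or of Xen: a dry-run generator for the iptables rules the thread mentions, restricting inbound migration to named peers. Because the thread notes that source addresses are easy to spoof, each allow rule is also pinned to the management interface. Assumptions: TCP 8002 (xend's default relocation port, check xend-relocation-port in your xend-config.sxp), eth1 as the management NIC, and constructed peer addresses.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: TCP 8002 (xend's default
# relocation port), eth1 as the management NIC, constructed peer addresses.
MIG_PORT=8002
MGMT_IF=eth1

# Accept only dotted-quad IPv4 so nothing else is ever placed in a rule.
is_ipv4() {
    case "$1" in
        "" | *[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots (input is digits and dots only)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Print (do not apply) the rules: a dedicated chain that accepts listed peers
# arriving on the management interface, then logs and drops everything else
# aimed at the migration port. With no peers, the port is closed to all.
migration_rules() {
    for peer in "$@"; do
        is_ipv4 "$peer" || { echo "invalid peer address: $peer" >&2; return 1; }
    done
    echo "iptables -N XEN-MIGRATE"
    for peer in "$@"; do
        echo "iptables -A XEN-MIGRATE -i $MGMT_IF -s $peer -j ACCEPT"
    done
    echo "iptables -A XEN-MIGRATE -j LOG --log-prefix 'xen-migrate-drop: '"
    echo "iptables -A XEN-MIGRATE -j DROP"
    echo "iptables -I INPUT -p tcp --dport $MIG_PORT -j XEN-MIGRATE"
}

# Constructed sample peers (documentation address range).
migration_rules 192.0.2.10 192.0.2.11
```

Review the printed rules, then run them as root in dom0. This remains host-level filtering, so it narrows exposure of the migration port rather than authenticating the sender.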


