WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

Re: [Xen-users] Re: Network isolation - PCI passthrough question

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Re: Network isolation - PCI passthrough question
From: Jean Baptiste FAVRE <xen-users@xxxxxxxxxxx>
Date: 2010-12-21 20:21:15 +0100
On 21/12/2010 19:53, Simon Hobson wrote:
> Jean Baptiste FAVRE wrote:
>
>> I understand what you mean. But even if dom0 has no interface bridged, I
>> think I'll be able to listen to network traffic, no?
> ...
>> I want to mitigate consequences if dom0 gets compromised, that's why I'm
>> trying to isolate network.
>
> All traffic passes through a process in Dom0 - that's just the way it's
> been built. But bear this in mind, if your Dom0 is compromised then
> EVERYTHING running on that physical machine is also compromised. If you
> control Dom0, you have access to all the guests, their memory, and their
> disks - as well as their network traffic.
>
> In other words, worrying about someone being able to sniff network
> traffic when they've compromised your Dom0 is a bit like the captain of
> the Titanic worrying about someone helping themselves at the bar while
> the crew are distracted by an iceberg!
Hello Simon,
Well, I didn't see things like that, but I must admit you're right :)
And since I don't want to be the captain of the Titanic, I think
protecting dom0 from direct access with my firewall domU is better than
nothing.
Thanks to all of you for helping me better understand Xen!
I'll now make my tests, write documentation and publish it. Will keep
you updated.
Regards,
JB