Two Xen features I like very much:

- Virtual domains can't see each other's traffic via 'tcpdump', which means that, for instance, guests using NFS root partitions are relatively isolated from each other on the wire.
- In a virtual domain, I can't simply 'ifconfig eth0:1 ip.on.my.lan' and expect it to route; i.e. virtual domains can't steal IP addresses.

Kudos to whoever made this work right. Am I correct in my interpretations here? I.e. is this as secure as it looks?

There's a note in TODO that says "The current virtual firewall/router is completely broken." Is this still valid?

Steve

--
Stephen G. Traugott (KG6HDQ)
UNIX/Linux Infrastructure Architect, TerraLuna LLC
stevegt@TerraLuna.Org
http://www.stevegt.com -- http://Infrastructures.Org

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel
> Two Xen features I like very much:
> - Virtual domains can't see each other's traffic via 'tcpdump', which
> means that, for instance, guests using NFS root partitions are
> relatively isolated from each other on the wire.
> - In a virtual domain, I can't simply 'ifconfig eth0:1 ip.on.my.lan' and
> expect it to route; i.e. virtual domains can't steal IP addresses.
>
> Kudos to whoever made this work right. Am I correct in my
> interpretations here? I.e. is this as secure as it looks?

Xen is intended to provide secure isolation; your observations are correct.

> There's a note in TODO that says "The current virtual firewall/router is
> completely broken." Is this still valid?

Things will be even better in the next version of the VFR ;-) We will have L4 routing support to enable safe IP address sharing (think RSIP).

Ian