Anthony.Golia@MorganStanley.com
2006-Jan-23 22:01 UTC
[Xen-users] what protocol is used for migration
Hi. Is there a whitepaper that talks about the details of copying the VM image across the network? I.e., is that encrypted in any way?

Cheers,
Anthony

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Monday, 23 January 2006 23:01, Anthony.Golia@morganstanley.com wrote:
> hi. is there a whitepaper that talks about the details of copying the VM
> image across the network. i.e. is that encrypted in any way?

I don't know if there is a whitepaper available, but as far as I can say the transfer is not encrypted at all.

I think that is not really a problem, because if you want to migrate VMs you have to use a SAN anyway. On a migration only the memory and some state will be sent over the network. If you use a separate network for the network attached storage (SAN), then you can also safely migrate domUs over the SAN network without using the "wan" interface of your Xen host. You can firewall the migration ports on the wan side or just let xend bind to the SAN network interface.

Migrating domUs over long distance will not work (because you need the current disk data on the other side too, and because of the ARP/MAC takeover, your destination host has to be in the same layer 2 network). I think there is no need for encryption, but if you really need it, why not use a VPN (for example OpenVPN) for securing network traffic between the two Xen hosts? Or, in a layer 2 network (which you need for this anyway), use a dedicated VLAN or something like that. There are many possibilities for securing network traffic; Xen really doesn't need to take care of your network security (at least in my humble opinion).

> Cheers,
> Anthony

--Ralph
Anthony.Golia@MorganStanley.com
2006-Jan-24 14:45 UTC
Re: [Xen-users] what protocol is used for migration
Thanks. One can migrate stateless (diskless) domUs that have their storage on NFS and no SAN. Forgot about VPNs like ssh tunnels, etc. If the migration protocol uses one or two UDP or TCP ports it would lend itself well to that. Thanks a lot.

On Mon, 23 Jan 2006, Ralph Passgang wrote:
> I don't know if there is a whitepaper available, but as far as I can say the
> transfer is not encrypted at all.
>
> I think that is not really a problem, because if you want to migrate VMs you
> have to use a SAN anyway. On a migration only the memory and some state will
> be sent over the network. [...] You can firewall the
> migration ports on the wan side or just let xend bind to the SAN network
> interface.
>
> [...] I think there
> is no need for encryption, but if you really need it, why not use a VPN
> (for example OpenVPN) for securing network traffic between the two Xen
> hosts?

Cheers,
Anthony
Also, there is indeed a migration paper:

http://www.cl.cam.ac.uk/netos/papers/2005-migration-nsdi-pre.pdf

Tim

On Tue, 24 Jan 2006 09:45:34 -0500 (EST) Anthony.Golia@MorganStanley.com wrote:
> Thanks. One can migrate stateless (diskless) domUs that have their storage
> on NFS and no SAN. Forgot about VPNs like ssh tunnels, etc. If the
> migration protocol uses one or two UDP or TCP ports it would lend itself
> well to that. Thanks a lot.
Anthony.Golia@MorganStanley.com wrote:
> Thanks. One can migrate stateless (diskless) domUs that have their storage
> on NFS and no SAN. Forgot about VPNs like ssh tunnels, etc. If the
> migration protocol uses one or two UDP or TCP ports it would lend itself
> well to that. Thanks a lot.

The problem with using a tunnel is that without appropriate throttling you'll eat up a lot of CPU, since you're copying a lot of data over the wire.

The protocol is very simplistic, by the way: pages (with their addresses) are sent over the wire and then finalized by transferring the configuration over. There are no protections against any sort of man-in-the-middle either, so it's quite trivial to inject random badness into VMs as they're migrated. There is no authorization either for instantiating virtual machine migrations.

If you've got relocation enabled, you should have it bound to a secure and isolated physical LAN. Otherwise, you've got a security nightmare...

Regards,
Anthony Liguori
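Both Ralph's advice (firewall the migration port, or bind xend to the SAN interface) and Anthony Liguori's (keep the relocation listener on an isolated LAN, since the stream is neither encrypted nor authenticated) come down to checking a few xend settings and the host firewall. The script below is an added example, not code from the thread or from the Xen project. It assumes the Xen 3.x xend-config.sxp keys `xend-relocation-server`, `xend-relocation-port` (default 8002), `xend-relocation-address` and `xend-relocation-hosts-allow`; the sample configs, the SAN network 10.10.0.0/24, the interface eth1 and the peer addresses are constructed for illustration, so check them against your own xend version and hosts.

```python
"""Audit xend relocation (live migration) exposure from xend-config.sxp.

Added example, not part of the original thread or of Xen itself. It assumes
the Xen 3.x xend-config.sxp keys xend-relocation-server, xend-relocation-port,
xend-relocation-address and xend-relocation-hosts-allow; confirm that your
xend version honours them before relying on the result.
"""
import ipaddress
import re

DEFAULT_RELOCATION_PORT = 8002  # xend's default relocation port

# A flat "(key value)" s-expression entry, one per line, as xend-config.sxp uses.
_ENTRY = re.compile(r"^\s*\(\s*([\w-]+)\s+(.*?)\s*\)\s*$")

# Constructed sample configs (not copied from any real host).
WEAK_CONFIG = """\
# relocation listener enabled, bound to every interface, open to any peer
(xend-relocation-server yes)
(xend-relocation-port 8002)
(xend-relocation-address '')
(xend-relocation-hosts-allow '')
"""

HARDENED_CONFIG = """\
# listener bound to the SAN address, only the SAN peer may push a domain
(xend-relocation-server yes)
(xend-relocation-port 8002)
(xend-relocation-address '10.10.0.1')
(xend-relocation-hosts-allow '^10\\.10\\.0\\.2$')
"""


def parse_sxp_config(text):
    """Return {key: value} for the flat entries in an xend-config.sxp.

    Comments (#) and blank lines are skipped; surrounding single quotes
    around a value are removed, so '' becomes the empty string.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _ENTRY.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'")
    return settings


def audit_relocation(text, san_network):
    """Return findings for a config that exposes the unauthenticated listener.

    san_network is the isolated network the listener is expected to sit on,
    e.g. "10.10.0.0/24". An empty list means nothing obviously exposed.
    """
    cfg = parse_sxp_config(text)
    findings = []
    if cfg.get("xend-relocation-server", "no").lower() != "yes":
        return findings  # listener disabled: nothing to reach
    port = int(cfg.get("xend-relocation-port", DEFAULT_RELOCATION_PORT))
    addr = cfg.get("xend-relocation-address", "")
    san = ipaddress.ip_network(san_network)
    if addr == "":
        findings.append(
            "relocation listener on tcp/%d is bound to all interfaces" % port)
    elif ipaddress.ip_address(addr) not in san:
        findings.append(
            "relocation listener %s:%d is outside the SAN network %s"
            % (addr, port, san))
    if cfg.get("xend-relocation-hosts-allow", "") == "":
        findings.append(
            "xend-relocation-hosts-allow is empty: any host that can reach "
            "the port may push a domain into this dom0")
    return findings


def iptables_rules(port, san_iface, peer_addresses):
    """Generate INPUT rules that admit the migration port only from named
    peers on the SAN interface and drop it from everywhere else.

    The rules are returned as strings rather than executed, so they can be
    reviewed before being applied on dom0.
    """
    rules = []
    for peer in peer_addresses:
        rules.append("iptables -A INPUT -i %s -p tcp -s %s --dport %d -j ACCEPT"
                     % (san_iface, peer, port))
    rules.append("iptables -A INPUT -p tcp --dport %d -j DROP" % port)
    return rules


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("%s: %s" % (name, audit_relocation(cfg, "10.10.0.0/24") or "ok"))
    for rule in iptables_rules(DEFAULT_RELOCATION_PORT, "eth1", ["10.10.0.2"]):
        print(rule)
```

The audit only reports what the config exposes; it cannot tell whether eth1 really is an isolated segment, and a peer match in `xend-relocation-hosts-allow` is a source-address check, not authentication, so the firewall rules and the physically separate LAN are still what keep an attacker off the page stream.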