Hi,

In Xen, by default the domains are configured to use bridge (with the network-bridge script). But there is network-route, and this option also allows us to connect domains.

But I don't see what the advantage of the Route config over Bridge is. In which case should we use the Route method instead?

Thanks.
H

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Thursday 08 June 2006 21:02, NAHieu wrote:
> Hi,
>
> In Xen, by default the domains are configured to use bridge (with
> network-bridge script). But there is network-route, and this option
> also allows us to connect domains.
>
> But I don't see what is the advantage of Route config over Bridge. In
> which case we should use Route method instead?

I'm using the route method in order to have a server with N services; some of these services are split onto different domUs (say web, mail, db, etc.). dom0 is the gateway and firewall for domU networking: it masquerades the domUs and lets them talk to each other when (and only when) it is required. For example, the webmail domU can connect to the mail domU for the IMAP and POP3 protocols and nothing else.

--
Dr. Emiliano Gabrielli - Head of the IT Division
email: emiliano.gabrielli@deArchitettura.com
deArchitettura.com
Via Francesco Tovaglieri, 411 - 00155 Roma
tel: 0645438979 | fax: 0645438980 | url: www.deArchitettura.com
_________________________________________________________________________
CONFIDENTIAL: The information contained in this message and its attachments is confidential and reserved. If you have received this message in error, please destroy it and inform us immediately at the email address info@deArchitettura.com. Pursuant to Legislative Decree 196/2003 on privacy and Art. 616 of the Criminal Code, any form of reproduction or disclosure of the transmitted document without the explicit consent of deArchitettura.com is prohibited.
NAHieu wrote:
> In Xen, by default the domains are configured to use bridge (with
> network-bridge script). But there is network-route, and this option
> also allows us to connect domains.
>
> But I don't see what is the advantage of Route config over Bridge. In
> which case we should use Route method instead?

network-route script pros:
- complete control of network traffic from each domU
- bridge-utils not needed

network-route cons:
- dom0 must become the router for all domUs
- harder to isolate dom0
- wastes IP addresses
- xen script IP addressing and routing can be difficult to understand

network-bridge pros:
- easier concepts to understand
- all domUs can utilize existing LAN DHCP services to obtain an address
- allows the user the flexibility to create additional, isolated VLAN internal infrastructure that only the domUs can access
- dom0 can be totally isolated, or just protect itself with firewall sw

network-bridge cons:
- dom0 is still involved in handling all domU packets, via bridge-utils, instead of the routing stack; firewall sw must be xen aware
- harder to firewall each domU from each other; each domU has to protect itself
> In Xen, by default the domains are configured to use bridge (with
> network-bridge script). But there is network-route, and this option
> also allows us to connect domains.
>
> But I don't see what is the advantage of Route config over Bridge. In
> which case we should use Route method instead?

Bridging is perfectly fine in many cases, but when you have untrusted DomUs, routing can be preferable.

Routing establishes a healthy level of distrust in your network stack.

- Do I trust dom01 not to assign itself IPs assigned to dom02?
- Do I want a firewall between dom01 and dom02?
- Do I want dom01's web access sent to a transparent proxy, but not dom02's web access?

These are questions that can be solved by routing. Finally, I should note that bridges aren't completely lost in terms of security; ebtables is far from useless, but it isn't as flexible as routing.

--
Eric Windisch
I got a few explanations of the pros and cons of the bridge and route methods. Thank you for all the help.

So generally I understand that one of the major differences between these approaches is that the Bridge method works at layer 2, while the Route method works at layer 3 (OSI).

Another question is: if I want to make a firewall to protect DomUs, then:

- Any tools readily available for Bridge config?
- Any tools readily available for Route config?

Any pointer to documentation/example would be appreciated.

Many thanks.
H

On 6/10/06, Eric Windisch <lists@bwbohh.net> wrote:
> > In Xen, by default the domains are configured to use bridge (with
> > network-bridge script). But there is network-route, and this option
> > also allows us to connect domains.
> >
> > But I don't see what is the advantage of Route config over Bridge. In
> > which case we should use Route method instead?
>
> Bridging is perfectly fine in many cases, but when you have untrusted
> DomU, routing can be preferable.
>
> Routing establishes a healthy level of distrust to your network stack.
>
> - Do trust dom01 to not assign itself IPs assigned to dom02 ?
> - Do I want a firewall between dom01 and dom02 ?
> - Do I want dom01's web access sent to a transparent proxy, but not
> dom02's web access?
>
> These are questions that can be solved by routing. Finally, I should
> note that bridges aren't completely lost in terms of security, ebtables
> is far from useless, but it isn't as flexible as routing.
>
> --
> Eric Windisch
Emiliano Gabrielli (aka AlberT)
2006-Jun-12 09:36 UTC
Re: [Xen-users] Bridge vs. Route configuration?
On Sunday 11 June 2006 17:25, NAHieu wrote:
> - Any tools readily available for Route config?
>
> Any pointer to documentation/example would be appreciated.

I successfully use shorewall3 in dom0 to completely control traffic to/from the net from/to domUs and among domUs.

--
<?php echo ' Emiliano Gabrielli (aka AlberT) ',"\n",
           ' socio fondatore e membro del direttivo del GrUSP ',"\n",
           ' AlberT_at_SuperAlberT_it - www.SuperAlberT.it ',"\n",
           ' IRC: #php,#AES azzurra.com ',"\n",'ICQ: 158591185'; ?>
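The dom0-as-gateway design from Emiliano's first reply (the webmail domU may reach the mail domU on IMAP and POP3 and nothing else) and Eric's "firewall between dom01 and dom02" question, written out as an added iptables rule set for the route configuration. This is not code from the thread, from shorewall, or from Xen's network-route script; the interface name, domU addresses and network below are constructed placeholders, and the script only prints the rules unless it is run with APPLY=1 as root on dom0.

```shell
#!/bin/sh
# Added example: dom0 acting as router and firewall for routed domUs.
# All names and addresses here are constructed assumptions, not values
# from the thread or from any Xen configuration file.
DOM0_EXT_IF="eth0"        # dom0's outward-facing interface (assumed)
WEBMAIL_IP="10.0.0.2"     # webmail domU (constructed)
MAIL_IP="10.0.0.3"        # mail domU (constructed)
DOMU_NET="10.0.0.0/24"    # address range routed to the domUs (constructed)

# ipt: wrapper so the rule set can be printed (DRY_RUN=1) or applied (DRY_RUN=0).
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# domu_firewall_rules: default-deny forwarding, then explicit allows.
# IP forwarding itself is turned on by Xen's network-route script; this
# only decides which forwarded packets dom0 lets through.
domu_firewall_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING
    # Replies to connections already allowed are always forwarded.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # webmail domU -> mail domU: IMAP (143) and POP3 (110) only.
    ipt -A FORWARD -s "$WEBMAIL_IP" -d "$MAIL_IP" -p tcp --dport 143 -j ACCEPT
    ipt -A FORWARD -s "$WEBMAIL_IP" -d "$MAIL_IP" -p tcp --dport 110 -j ACCEPT
    # Every other domU-to-domU packet is logged (rate-limited) and dropped,
    # so the log shows which domU tried to talk to which.
    ipt -A FORWARD -s "$DOMU_NET" -d "$DOMU_NET" -m limit --limit 5/min -j LOG --log-prefix "domU-isolation: "
    ipt -A FORWARD -s "$DOMU_NET" -d "$DOMU_NET" -j DROP
    # domUs may reach the outside world; dom0 masquerades them on the way out.
    ipt -A FORWARD -s "$DOMU_NET" -o "$DOM0_EXT_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$DOMU_NET" -o "$DOM0_EXT_IF" -j MASQUERADE
}

# rule_count: number of iptables invocations the policy emits (sanity check).
rule_count() {
    ( DRY_RUN=1; domu_firewall_rules ) | wc -l | tr -d ' '
}

# Print the rules by default; APPLY=1 installs them for real (root on dom0).
if [ "${APPLY:-0}" = 1 ]; then DRY_RUN=0; else DRY_RUN=1; fi
domu_firewall_rules
```

The order of the FORWARD rules is what carries the policy: the explicit webmail-to-mail allows sit before the catch-all domU-to-domU drop, and the drop sits before the domU-to-Internet accept, so a domU cannot reach a neighbour by aiming at it through the external interface. The same rules expressed in shorewall's zone/policy files would do the job the last reply describes; this block shows the underlying netfilter rules so the effect of each line is visible.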