From: George Dunlap <george.dunlap@eu.citrix.com>
To: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Dario Faggioli <dario.faggioli@citrix.com>,
Zhigang Wang <zhigang.x.wang@oracle.com>,
publicity@lists.xenproject.org,
xen-devel <xen-devel@lists.xen.org>
Subject: Re: Suggestion for merging xl save/restore/migrate/migrate-receive
Date: Tue, 17 Sep 2013 11:07:10 +0100 [thread overview]
Message-ID: <523829CE.6020509@eu.citrix.com> (raw)
In-Reply-To: <21048.8272.465544.579024@mariner.uk.xensource.com>
On 09/17/2013 10:26 AM, Ian Jackson wrote:
> George Dunlap writes ("Re: [Xen-devel] Suggestion for merging xl save/restore/migrate/migrate-receive"):
>> On 09/16/2013 06:41 PM, Zhigang Wang wrote:
>>> ... Also after this, all Servers in a pool can login to each
>>> other. I don't know whether it's a security issue for our product.
>>>
>>> This is something we try to avoid at this time.
>>
>> ...so instead of allowing anyone on one of the hosts log in, you're
>> going to allow anyone with access to the network to create a VM without
>> any kind of authentication?
>>
>> From a security perspective, that doesn't really sound like an
>> improvement...
>
> Note that if host B allows incoming migrations from host A, then host
> B is trusting host A completely. This is because the migration data
> contains not just the guest's state (which is of course encapsulated
> inside the Xen VM security boundary), but also the VM configuration.
> The VM configuration specifies the mapping between guest resources and
> host resources.
>
> So host B trusts host A to specify the correct set of host B's own
> resources to expose to the guest VM. If host A is malicious it can
> send a VM whose configuration specifies (for example) that the whole
> of host B's disk is to be exposed to the guest, along with a guest
> which will make whatever malicious changes host A desires.
>
> In summary: accepting incoming migration images is just as dangerous
> as allowing root login (from the same source host). So switching the
> transport from ssh to unauthenticated ssl makes the security against
> malicious migration source hosts strictly worse.
>
> The only way unauthenticated ssl is better than simply unauthenticated
> unencrypted TCP is protection against passive eavesdropping. This is
> important for much general traffic on the public Internet (see recent
> revelations about widespread eavesdropping), but probably not relevant
> for the control plane of a VM hosting setup. If your control plane
> network has bad people on it, you need authentication as well as
> encryption.
>
>
> So I don't think we should be adding new code to xl which might
> encourage the use of ssl. The proposed format-string based template
> would be OK, but I think really that we should have better (more
> convenient) support for unencrypted migration.
>
> Things that would be helpful:
And once we get all this sorted out, a blog post and/or wiki page with
the issues, the options as they exist in the most recent release, and
the options as they will exist in the next release, would be helpful.
-George
next prev parent reply other threads:[~2013-09-17 10:07 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-13 16:04 Suggestion for merging xl save/restore/migrate/migrate-receive Zhigang Wang
2013-09-16 10:04 ` George Dunlap
2013-09-16 15:51 ` Zhigang Wang
2013-09-16 16:05 ` George Dunlap
2013-09-16 16:07 ` George Dunlap
2013-09-16 16:20 ` Ian Jackson
2013-09-16 16:40 ` George Dunlap
2013-09-16 17:06 ` Ian Jackson
2013-09-16 17:21 ` Zhigang Wang
2013-09-16 17:41 ` Zhigang Wang
2013-09-16 20:42 ` Ian Campbell
2013-09-16 20:51 ` Zhigang Wang
2013-09-17 8:25 ` George Dunlap
2013-09-17 9:26 ` Ian Jackson
2013-09-17 10:07 ` George Dunlap [this message]
2013-09-17 13:44 ` Zhigang Wang
2013-09-24 16:46 ` Konrad Rzeszutek Wilk
2013-09-25 10:06 ` George Dunlap
2013-10-03 2:19 ` Matt Wilson
2013-10-03 13:34 ` Zhigang Wang
2013-09-17 10:28 ` George Dunlap
2013-09-17 10:45 ` Processed: " xen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=523829CE.6020509@eu.citrix.com \
--to=george.dunlap@eu.citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=dario.faggioli@citrix.com \
--cc=publicity@lists.xenproject.org \
--cc=xen-devel@lists.xen.org \
--cc=zhigang.x.wang@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.