From: Gleb Natapov
Date: Wed, 7 Jan 2009 21:46:33 +0200
Subject: Re: [Qemu-devel] [PATCH] mark nic as trusted
To: qemu-devel@nongnu.org
Message-ID: <20090107194633.GB19406@redhat.com>
In-Reply-To: <496501CD.8060202@codemonkey.ws>
References: <20090107142626.GE3267@redhat.com> <4964D98B.6030404@codemonkey.ws> <20090107165050.GI3267@redhat.com> <4964EC2B.1080406@codemonkey.ws> <4964EC55.4000507@codemonkey.ws> <20090107184103.GA19406@redhat.com> <496501CD.8060202@codemonkey.ws>

On Wed, Jan 07, 2009 at 01:26:05PM -0600, Anthony Liguori wrote:
> Gleb Natapov wrote:
>> On Wed, Jan 07, 2009 at 11:54:29AM -0600, Anthony Liguori wrote:
>>
>>> Anthony Liguori wrote:
>>>
>>>>> That is for secure guest<->host communication over network. Guest has to
>>>>> know somehow which link host uses for communication. If guest has no way
>>>>> to know this, another computer on untrusted network can pretend it is real
>>>>> host and "own" a guest.
>>>>
>>>> So this is for vmchannel? How do you differentiate a real device
>>>> with that bit set compared to the vmchannel device?
>>>>
>>> Like if you were doing PCI passthrough of an e1000...
>>>
>> It's not just one bit. It is a 14 byte string. We can put something unique there.
>>
>
> This is for vmchannel? Why not add a feature to virtio-net?
>

Yes. This is for vmchannel. Or any other management solution that works over the network. It has to know what network it can trust. The alternative is much more complex (security certificates, etc).

Why make it virtio-net specific? What's wrong with a more general solution?

--
			Gleb.