From: Dario Faggioli
Subject: Re: Deployment usage and performance of a network domain
Date: Thu, 8 Jun 2017 19:07:28 +0200
Message-ID: <1496941648.26212.4.camel@citrix.com>
References: <593943F5.3030108@sec.t-labs.tu-berlin.de>
In-Reply-To: <593943F5.3030108@sec.t-labs.tu-berlin.de>
To: Kashyap Thimmaraju, xen-devel@lists.xen.org
Cc: George Dunlap
List-Id: xen-devel@lists.xenproject.org

On Thu, 2017-06-08 at 14:32 +0200, Kashyap Thimmaraju wrote:
> Hi,
>
> I'm Kashyap Thimmaraju, a second year PhD student at TU Berlin in
> Germany. This is my first post here, and I'm a Xen newbie.
>
> I saw George Dunlap's presentation "Securing Your Xen-Based Cloud" at
> the LinuxCon on YouTube recently as I am interested in using the
> driver domain for networking.
>
> In the presentation he proposed placing the network driver and
> forwarding functionality (bridge, iptables, etc.) into a (network)
> driver domain. This is indeed good for security.
>
> However, I am curious if people are really adopting such an approach.
> Are there cloud providers or PV vendors deploying such an
> architecture? If so, is there any impact on the networking performance
> of say VM-VM or VM-Internet traffic?
>
I'm not aware of any cloud providers doing that (but, that's mostly
because there's not much info about how cloud providers configure their
infrastructure).

Driver domains and stubdomains are hugely used in contexts targeting
really strong security, like Qubes and OpenXT:

https://www.qubes-os.org/
http://openxt.org/

Qubes targets laptops. I've tried it on mine, which is quite old, and
the drop in perf, e.g., wrt a regular (as in, one that does not use
virtualization at all) Linux desktop, although present, I don't think
it comes too much from the driver domain(s). I haven't run any
benchmarks with it, but despite (as I said) the laptop being quite old,
the system is definitely usable.

I know less of OpenXT. The picture in the front page mentions
multi-tenancy (although, it also mentions 'clients').

Regards,
Dario
-- 
<> (Raistlin Majere)
-----------------------------------------------------------------
Dario Faggioli, Ph.D, http://about.me/dario.faggioli
Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)