From: Tim Deegan <tim@xen.org>
To: Jean Guyader <jean.guyader@citrix.com>
Cc: Ian Campbell <Ian.Campbell@citrix.com>,
	"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
Subject: Re: [RFC][PATCH 0/5] Add V4V to Xen
Date: Wed, 13 Jun 2012 12:44:27 +0100
Message-ID: <20120613114427.GA21809@ocelot.phlegethon.org>
In-Reply-To: <20120613104858.GC23207@boiler.cam.xci-test.com>

At 11:48 +0100 on 13 Jun (1339588138), Jean Guyader wrote:
> On 07/06 04:36, Tim Deegan wrote:
> > Using one ring for all clients raises the question of access control and
> > admission control -- in particular how do you avoid DoS from
> > badly-behaved clients?
> > 
> > And, given your concerns about sharing an OS with an uncooperative
> > Xenstore client, how do you handle sharing the OS with a badly behaved
> > v4v client?
> > 
> > If we _do_ need one ring with multiple writers, and therefore Xen needs
> > to arbitrate writes, there's still room for the policy-based parts
> > (controlling connection setup, for example) to live outside the
> > hypervisor, openvswitch-style.
> 
> Today the acl check in V4V (not part of the current patch series) is
> done for every copy by Xen.

OK; can you describe roughly how it works?  Is it a whitelist of good
domains, or a blacklist of bad?  Does it just do access control or is
there rate limiting?  Can it detect and block badly-behaved clients,
or is that something you do in the server?

Have you given any thought to my second question -- if you can't rely on
the existing xenstore code, are there problems with sharing a VM with
other v4v drivers?  My intuition is that at least it would not be so
bad, since non-malicious drivers ought to be able to coexist, but I'd
like to know your opinion.

> Moving the policy control outside of Xen
> would mean that you still need to have a copy of the acls in Xen and
> the worst thing that can happen is for the copy to get out of sync.

What I meant by openvswitch-style is to have a single low-level ACL in
the hypervisor (maybe as a whitelist of known good connections) and
fault all unusual behaviour (new domain appears, &c) to the more complex
policy engine in user-space.

Really it depends on what kind of policy you want to be able to express.
If a simple yes/no whitelist is good enough (and always will be) then it
may as well live in the hypervisor and we can skip the 'defer to
userspace' part.

> What do you think would be the next step going forward?

Hopefully, to get some feedback from other people (specifically Ian, Ian
and Stefano but anyone else too!) and decide what, if anything, ought to
be changed about the design.

My feedback has mostly been about the hypervisor side of things -- I'm
sure the tools maintainers have some ideas about how this should be
merged with libvchan, to avoid having two separate comms interfaces.

Cheers,

Tim.
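
The openvswitch-style split discussed in the message above (a simple whitelist checked on every copy, with anything unknown faulted to a separate policy engine), as an added example that is not part of the original message and is not Xen or V4V code. The names `acl_check`, `policy_engine` and `flush_domain`, the flow tuple and the policy rule are all assumptions made for illustration; `flush_domain` shows one way to keep the cached copy from going out of sync.

```c
/* Added illustration, not Xen or V4V code; every name here is hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_FLOWS 64
struct flow { uint16_t src_dom, dst_dom; uint32_t port; bool used; };
static struct flow fast_path[MAX_FLOWS];  /* low-level whitelist */
static unsigned upcalls;                  /* faults sent to the policy engine */

/* Stand-in for the user-space policy engine (constructed rule):
 * only domain 0 may be contacted, and only on ports below 1024. */
static bool policy_engine(const struct flow *f)
{
    upcalls++;
    return f->dst_dom == 0 && f->port < 1024;
}

/* Per-copy check: a whitelist hit is decided locally; a miss faults to the
 * policy engine, and an allow verdict is installed so later copies hit. */
static bool acl_check(uint16_t src, uint16_t dst, uint32_t port)
{
    struct flow f = { src, dst, port, true }, *slot = NULL;
    for (int i = 0; i < MAX_FLOWS; i++) {
        struct flow *e = &fast_path[i];
        if (!e->used) { if (!slot) slot = e; continue; }
        if (e->src_dom == src && e->dst_dom == dst && e->port == port)
            return true;
    }
    if (!policy_engine(&f))
        return false;   /* deny is not cached: the next attempt faults again */
    if (slot)
        *slot = f;      /* table full: allowed, just not cached */
    return true;
}

/* Keep the cached copy in sync: on domain teardown or policy change,
 * drop every cached verdict that mentions the domain. */
static void flush_domain(uint16_t dom)
{
    for (int i = 0; i < MAX_FLOWS; i++)
        if (fast_path[i].src_dom == dom || fast_path[i].dst_dom == dom)
            fast_path[i].used = false;
}

int main(void)
{
    bool first = acl_check(5, 0, 80), second = acl_check(5, 0, 80);
    printf("first=%d second=%d upcalls=%u\n", first, second, upcalls);
    flush_domain(5);
}
```

Because denied flows are not cached here, each repeated attempt reaches the policy engine, so a real design along these lines would also have to bound the upcall rate per domain.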
