From: George Dunlap <george.dunlap@eu.citrix.com>
To: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Dario Faggioli <dario.faggioli@citrix.com>,
Zhigang Wang <zhigang.x.wang@oracle.com>,
publicity@lists.xenproject.org,
xen-devel <xen-devel@lists.xen.org>
Subject: Re: Suggestion for merging xl save/restore/migrate/migrate-receive
Date: Tue, 17 Sep 2013 11:07:10 +0100 [thread overview]
Message-ID: <523829CE.6020509@eu.citrix.com> (raw)
In-Reply-To: <21048.8272.465544.579024@mariner.uk.xensource.com>
On 09/17/2013 10:26 AM, Ian Jackson wrote:
> George Dunlap writes ("Re: [Xen-devel] Suggestion for merging xl save/restore/migrate/migrate-receive"):
>> On 09/16/2013 06:41 PM, Zhigang Wang wrote:
>>> ... Also after this, all Servers in a pool can login to each
>>> other. I don't know whether it's a security issue for our product.
>>>
>>> This is something we try to avoid at this time.
>>
>> ...so instead of allowing anyone on one of the hosts log in, you're
>> going to allow anyone with access to the network to create a VM without
>> any kind of authentication?
>>
>> From a security perspective, that doesn't really sound like an
>> improvement...
>
> Note that if host B allows incoming migrations from host A, then host
> B is trusting host A completely. This is because the migration data
> contains not just the guest's state (which is of course encapsulated
> inside the Xen VM security boundary), but also the VM configuration.
> The VM configuration specifies the mapping between guest resources and
> host resources.
>
> So host B trusts host A to specify the correct set of host B's own
> resources to expose to the guest VM. If host A is malicious it can
> send a VM whose configuration specifies (for example) that the whole
> of host B's disk is to be exposed to the guest, along with a guest
> which will make whatever malicious changes host A desires.
>
> In summary: accepting incoming migration images is just as dangerous
> as allowing root login (from the same source host). So switching the
> transport from ssh to unauthenticated ssl makes the security against
> malicious migration source hosts strictly worse.
>
> The only way unauthenticated ssl is better than simply unauthenticated
> unencrypted TCP is protection against passive eavesdropping. This is
> important for much general traffic on the public Internet (see recent
> revelations about widespread eavesdropping), but probably not relevant
> for the control plane of a VM hosting setup. If your control plane
> network has bad people on it, you need authentication as well as
> encryption.
>
>
> So I don't think we should be adding new code to xl which might
> encourage the use of ssl. The proposed format-string based template
> would be OK, but I think really that we should have better (more
> convenient) support for unencrypted migration.
>
> Things that would be helpful:
And once we get all this sorted out, a blog post and/or wiki page with
the issues, the options as they exist in the most recent release, and
the options as they will exist in the next release, would be helpful.
-George
next prev parent reply other threads:[~2013-09-17 10:07 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-13 16:04 Suggestion for merging xl save/restore/migrate/migrate-receive Zhigang Wang
2013-09-16 10:04 ` George Dunlap
2013-09-16 15:51 ` Zhigang Wang
2013-09-16 16:05 ` George Dunlap
2013-09-16 16:07 ` George Dunlap
2013-09-16 16:20 ` Ian Jackson
2013-09-16 16:40 ` George Dunlap
2013-09-16 17:06 ` Ian Jackson
2013-09-16 17:21 ` Zhigang Wang
2013-09-16 17:41 ` Zhigang Wang
2013-09-16 20:42 ` Ian Campbell
2013-09-16 20:51 ` Zhigang Wang
2013-09-17 8:25 ` George Dunlap
2013-09-17 9:26 ` Ian Jackson
2013-09-17 10:07 ` George Dunlap [this message]
2013-09-17 13:44 ` Zhigang Wang
2013-09-24 16:46 ` Konrad Rzeszutek Wilk
2013-09-25 10:06 ` George Dunlap
2013-10-03 2:19 ` Matt Wilson
2013-10-03 13:34 ` Zhigang Wang
2013-09-17 10:28 ` George Dunlap
2013-09-17 10:45 ` Processed: " xen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=523829CE.6020509@eu.citrix.com \
--to=george.dunlap@eu.citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=dario.faggioli@citrix.com \
--cc=publicity@lists.xenproject.org \
--cc=xen-devel@lists.xen.org \
--cc=zhigang.x.wang@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).