
Re: [libvirt] Libvirt and IPSec



> Hi Paolo,
> thanks for the document. I read it briefly and the design itself seems
> good; however, in the document you mentioned moving the logic from
> user-space to kernel-space, which I'm not sure how you would like to
> achieve, since libvirt itself is in the user-space stack and not in
> kernel-space. To have some implementation of those things directly in
> kernel-space you would have to modify the kernel on the host
> itself, which would be very similar to Xen, which requires a modified
> kernel - the Xen kernel. This introduces some issues, since if you're not able
> to get it merged into the upstream kernel tree then you'll be having
> the same issues as Xen does. If you implement this as a kernel module
> and also get the module accepted upstream then you'll most
> likely be fine; however, you need upstream acceptance of the module, or to
> provide the source code for the module somewhere so it can be recompiled for
> the kernel the user has.
> 
> What exactly would you like to move to the kernel-space ?
> 
> Thanks,
> Michal
> 

Hi Michal!

In order to reduce the implementation time and verify quickly whether our project
is feasible, we decided to implement the prototype using the simplest
user-space applications (VTun, Open vSwitch).

To increase the security, we would like to move all security components
into kernel-space. We want to migrate from user to kernel space not by
defining new kernel modules or by modifying the existing ones, but by
using already existing components that meet our security
requirements in kernel space.

For instance, we have defined an application which filters all received
packets (by analyzing the VLAN tags) before they are received by
the switch. We think that the filtering may be done using
SELinux labels. As for tunneling, we want to remove VTun from our
framework and set up the 'gretap' interfaces directly.

Any other questions are welcome!

Paolo


-- 
PAOLO SMIRAGLIA
Department of Control and Computer Engineering
Polytechnic University of Turin
Email: paolo smiraglia polito it

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
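The VLAN-tag filter Paolo describes (inspect the 802.1Q tag of every received frame and decide, before the frame reaches the switch, whether it may pass) is easy to picture in code. The following is an added example, not code from the libvirt thread or from Paolo's prototype; it assumes an allow-list of permitted VLAN IDs, treats a priority-tagged frame (VID 0) as untagged, rejects the reserved VID 4095, and builds its sample frames inline so it runs offline.

```python
"""Constructed example: allow-list filter on 802.1Q VLAN tags of Ethernet frames."""
import struct

ETHERTYPE_8021Q = 0x8100   # customer VLAN tag
ETHERTYPE_8021AD = 0x88A8  # service (QinQ outer) tag, parsed the same way here
VID_RESERVED = 0x0FFF      # 4095 is reserved by IEEE 802.1Q


def parse_vlan(frame: bytes):
    """Return (vlan_id or None, inner ethertype, payload).

    vlan_id is None for untagged and priority-tagged (VID 0) frames.
    Raises ValueError for truncated frames or the reserved VID 4095.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF               # low 12 bits of the TCI field
        if vid == VID_RESERVED:
            raise ValueError("reserved VID 4095")
        return (None if vid == 0 else vid), inner, frame[18:]
    return None, ethertype, frame[14:]


def filter_frames(frames, allowed_vids, allow_untagged=False):
    """Split frames into (accepted, dropped) according to the VLAN allow-list.

    Malformed frames are always dropped; untagged frames pass only when the
    caller explicitly permits them.
    """
    accepted, dropped = [], []
    for frame in frames:
        try:
            vid, _, _ = parse_vlan(frame)
        except ValueError:
            dropped.append(frame)
            continue
        if vid is None:
            (accepted if allow_untagged else dropped).append(frame)
        elif vid in allowed_vids:
            accepted.append(frame)
        else:
            dropped.append(frame)
    return accepted, dropped


def build_frame(vid=None, ethertype=0x0800, payload=b"\x00" * 46):
    """Construct a minimal Ethernet frame, optionally with an 802.1Q tag (test data)."""
    dst = b"\x02\x00\x00\x00\x00\x01"  # locally administered, constructed MACs
    src = b"\x02\x00\x00\x00\x00\x02"
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = vid & 0x0FFF                 # PCP=0, DEI=0
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


if __name__ == "__main__":
    sample = [build_frame(10), build_frame(20), build_frame(None),
              build_frame(4095), b"\x00" * 5]
    acc, drop = filter_frames(sample, allowed_vids={10})
    print(f"accepted={len(acc)} dropped={len(drop)}")  # accepted=1 dropped=4
```

The point of the `allow_untagged` default being False is the usual fail-closed stance: a frame that carries no tag, or one the parser cannot decode, is not silently handed to the switch.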

