[libvirt] Libvirt and IPSec

Michal Novotny minovotn at redhat.com
Mon May 2 13:27:29 UTC 2011


On 05/02/2011 03:12 PM, Paolo Smiraglia wrote:
> Hi Michal!
>
> To reduce the implementation time and quickly verify whether our project
> is feasible, we decided to implement the prototype by using the simplest
> user-space applications (VTun, Open vSwitch).
>
> To increase the security, we would like to move all security components
> into kernel space. We want to migrate from user to kernel space not by
> defining new kernel modules or by modifying the existing ones, but by
> using already defined applications that perform our security
> requirements in kernel space.
>
> For instance, we have defined an application which filters all received
> packets (by analyzing the VLAN tags) before they are received by
> the switch. We think that the filtering may be executed by using the
> SELinux labels. About tunneling, we want to remove VTun from our
> framework and set up the 'gretap' interfaces directly.
>
> Any other questions are welcome!
>
> Paolo
>
>
Hi Paolo,
thanks for your quick reply. Maybe I can see the point now. If you would
like to implement it using the already defined applications that perform
the security requirements in kernel space, I guess the applications
are in the form of a kernel module or directly implemented in the kernel,
so you need to check whether the required feature is present/module
loaded to allow the functionality. Is this your aim?

Michal

-- 
Michal Novotny <minovotn at redhat.com>, RHCE
Virtualization Team (xen userspace), Red Hat
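
The check discussed in this message (is a feature loaded as a module, or compiled into the kernel?) can be sketched as follows. This is an added example, not code from the thread or from libvirt. The function name `feature_state` is hypothetical, `ip_gre` (the module behind 'gretap') and `8021q` (VLAN tagging) are assumed to be the features of interest, and the sample files are constructed.

```shell
#!/bin/sh
# feature_state MODULE [PROC_MODULES] [BUILTIN_LIST]   (hypothetical helper)
# Prints "loaded" (live module), "builtin" (compiled into the kernel) or "absent".
feature_state() {
    mod=$(printf '%s' "$1" | tr '-' '_')   # '-' and '_' are interchangeable in module names
    proc_modules=${2:-/proc/modules}
    builtin_list=${3:-/lib/modules/$(uname -r)/modules.builtin}

    # /proc/modules fields: name size refcount deps state address
    if [ -r "$proc_modules" ] &&
       awk -v m="$mod" '$1 == m && $5 == "Live" { ok = 1 } END { exit !ok }' "$proc_modules"
    then
        echo loaded; return 0
    fi
    # modules.builtin: one path per line, e.g. kernel/net/ipv4/ip_gre.ko
    if [ -r "$builtin_list" ] &&
       sed -e 's|.*/||' -e 's|\.ko.*$||' "$builtin_list" | tr '-' '_' | grep -qxF -- "$mod"
    then
        echo builtin; return 0
    fi
    echo absent; return 1
}

# Constructed sample data (not from a real host) so the check runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/proc_modules" <<'EOF'
ip_gre 22432 0 - Live 0xffffffffa0123000
gre 12989 1 ip_gre, Live 0xffffffffa0118000
bridge 80000 0 - Loading 0xffffffffa0100000
EOF
cat > "$SAMPLE_DIR/modules.builtin" <<'EOF'
kernel/net/8021q/8021q.ko
kernel/net/ipv4/tunnel4.ko
EOF

# A module still in the "Loading" state is reported as absent, since it is
# not yet usable; a name missing from both lists is absent as well.
for m in ip_gre 8021q bridge openvswitch; do
    state=$(feature_state "$m" "$SAMPLE_DIR/proc_modules" "$SAMPLE_DIR/modules.builtin") || true
    printf '%-12s %s\n' "$m" "$state"
done
```

Called with only a module name, the function reads the running host's `/proc/modules` and `modules.builtin` instead of the sample files.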
