[libvirt] Libvirt and IPSec

Paolo Smiraglia paolo.smiraglia at polito.it
Mon May 2 13:12:41 UTC 2011


> Hi Paolo,
> thanks for the document. I read it briefly and the design itself seems
> good; however, in the document you mentioned moving the logic from
> user-space to kernel-space, which I'm not sure how you would like to
> achieve, since libvirt itself is in the user-space stack and not
> kernel-space. To have some implementation of those things directly in
> kernel-space you would need to modify the kernel on the host
> itself, which would be very similar to Xen, which requires a modified kernel
> - the Xen kernel. This introduces some issues, since if you're not able
> to get it merged into the upstream kernel tree then you'll have
> the same issues as Xen does. If you implement this as a kernel module,
> and also get the module accepted upstream, then you'll most
> likely be fine; however, you need upstream acceptance of the module, or
> to provide the sources for the module somewhere so they can be recompiled for
> the kernel the user has.
> 
> What exactly would you like to move to the kernel-space?
> 
> Thanks,
> Michal
> 

Hi Michal!

To reduce the implementation time and quickly verify whether our project
is feasible, we decided to implement the prototype using the simplest
user-space applications (VTun, Open vSwitch).

To increase security, we would like to move all security components into
kernel space. We want to migrate from user to kernel space not by
defining new kernel modules or by modifying existing ones, but by
using existing applications that fulfil our security requirements in
kernel space.

For instance, we have defined an application which filters all received
packets (by analyzing the VLAN tags) before they are received by
the switch. We think that the filtering may be performed by using
SELinux labels. As for tunneling, we want to remove VTun from our
framework and set up the 'gretap' interfaces directly.

Any other questions are welcome!

Paolo


-- 
PAOLO SMIRAGLIA
Department of Control and Computer Engineering
Polytechnic University of Turin
Email: paolo.smiraglia at polito.it
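The VLAN-tag filtering Paolo describes above (a user-space component that inspects the tags of every received frame before it reaches the switch), as an added example that is not part of this thread, of the prototype, or of libvirt: a Python model of a per-port filter that parses 802.1Q/802.1ad tags from a raw Ethernet frame and accepts or drops the frame against an allow-list. The policy itself (allow-list per port, an optional native VLAN for untagged and priority-tagged frames, rejection of stacked QinQ tags and of the reserved VID 4095) and the constructed test frames are assumptions made for illustration; the kernel-side or SELinux-label mechanism the mail mentions is not modelled here.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8   # IEEE 802.1ad service tag (outer tag of a QinQ frame)
ETHERTYPE_IPV4 = 0x0800


def parse_vlan_tags(frame):
    """Walk the Ethernet header and peel off every 802.1Q/802.1ad tag.

    Returns (vids, inner_ethertype): vids lists the 12-bit VLAN IDs from
    outermost to innermost (empty for an untagged frame); inner_ethertype is
    the EtherType of the encapsulated payload. Raises ValueError on truncation.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    vids = []
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vids.append(tci & 0x0FFF)      # drop the 3 PCP bits and the DEI bit
        offset += 4
    return vids, ethertype


def vlan_filter(frame, allowed_vids, native_vid=None):
    """Hypothetical per-port policy: decide whether a frame may reach the switch.

    Returns (verdict, reason) with verdict "accept" or "drop".
    """
    try:
        vids, _ = parse_vlan_tags(frame)
    except ValueError as exc:
        return "drop", "malformed frame: " + str(exc)
    if len(vids) > 1:
        # A stacked (QinQ) tag would let a guest smuggle an inner VID past a
        # filter that only inspects the outer tag, so refuse it outright.
        return "drop", "stacked VLAN tags not permitted"
    if not vids or vids[0] == 0:
        # Untagged and priority-tagged (VID 0) frames belong to the port's
        # native VLAN; a tagged-only port has none and drops them.
        if native_vid is None:
            return "drop", "untagged frame on a tagged-only port"
        return "accept", "native VLAN %d" % native_vid
    vid = vids[0]
    if vid == 4095:
        return "drop", "reserved VID 4095"
    if vid not in allowed_vids:
        return "drop", "VID %d not in port allow-list" % vid
    return "accept", "VID %d" % vid


def build_frame(vids, payload_ethertype=ETHERTYPE_IPV4):
    """Constructed test frame (not captured traffic): broadcast dst, a locally
    administered src, the given tags (802.1ad outer tag when stacked) and a
    zeroed 46-byte payload."""
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("525400aabbcc")
    for i, vid in enumerate(vids):
        tag_type = ETHERTYPE_QINQ if (len(vids) > 1 and i == 0) else ETHERTYPE_VLAN
        frame += struct.pack("!HH", tag_type, vid & 0x0FFF)
    return frame + struct.pack("!H", payload_ethertype) + bytes(46)


if __name__ == "__main__":
    # Assumed port policy: trunk carrying VLANs 100 and 200, no native VLAN.
    port_policy = {"allowed_vids": {100, 200}, "native_vid": None}
    samples = [("tagged 100", build_frame([100])),
               ("tagged 300", build_frame([300])),
               ("untagged", build_frame([])),
               ("QinQ 10/100", build_frame([10, 100]))]
    for label, f in samples:
        print(label, vlan_filter(f, **port_policy))
```

The same decisions, once moved out of a user-space filter and into the switch itself, correspond to Open vSwitch's per-port `tag` (access port) and `trunks` (allowed VID list) settings; the point of keeping the check before the switch in the prototype is that a guest's frame is rejected on its VID before any forwarding logic sees it.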
