[libvirt] Libvirt and IPSec (was: What about Trusted Virtual Domains???)

Paolo Smiraglia paolo.smiraglia at polito.it
Mon May 2 14:59:41 UTC 2011


> Also I'm still curious about my questions in my earlier response to you:
> 
>    https://www.redhat.com/archives/libvir-list/2011-April/msg00589.html
> 
> in particular:
> 
> 1) does the network on each host always have a <forward ...> element for 
> forwarding local traffic directly out to the public network? or 
> alternately, is it possible to force a network on one host to send all 
> traffic over the L2-over-L3 tunnel to a network on another machine, and 
> from there out to the public network? It seems that, in this case, there 
> would be no default route for the systems on the former network (in the 
> case of no forwarding on a libvirt network, no default route is sent in 
> the dhcp response - maybe that needs to be configurable...)

"My virtual network" has to be considered an "inseparable logical
entity" which is distributed on several hosts. This means that each
virtual network portion defined on each host has a <forward ...>
element. AFAIK, if the network definition is different between two hosts
the domain migration fails...

> 2) Is there an exact 1:1 correspondence between network and tunnel (or 
> perhaps there may be multiple tunnels for a network, but those tunnels 
> are not used by any other network on the same host)? If so, perhaps your 
> project could be simplified by just putting the tunnel config as a 
> subelement of <network>, rather than referencing it - this way you would 
> avoid the need for the extra APIs to define/undefine/etc sectunnel.

In "my framework", each host is connected with another one only by using
one tunnel, where the different traffic flows are isolated by using
mechanisms like VLAN or SELinux labeling.

> 3) Are your tunnels always L2, or do you have provision for setting up 
> L3 tunnels? (Perhaps that could be done by allowing multiple <forward> 
> elements, and having a <forward> that specified a tunnel rather than a 
> physical interface, as well as a list of routes as subelements? This, 
> along with a sectunnel subelement should be enough info to set up a 
> secure L3 tunnel which would be used for the specified routes, right?

"My tunnels" are always L2-on-L3 because I want to create an
L2-adjacency between guests that are running on different hosts which
are connected by an L3 network.

> (BTW, after thinking about it some more, I think I agree that <network> 
> is the right place to implement this, rather than a virInterface (host) 
> based <interface> (although that would also be useful, totally separate 
> from libvirt)).
> 
> It seems we can gain a lot from each other! I'm hoping to have my 
> expansion of the network config completed by the end of June at latest, 
> but your work may enable/force me to hurry it a bit more than that :-)

Excellent! :-) :-)


-- 
PAOLO SMIRAGLIA
Department of Control and Computer Engineering
Polytechnic University of Turin
Email: paolo.smiraglia at polito.it
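The reply above states that every per-host portion of the distributed network carries a <forward ...> element and that a domain migration fails when the network definition differs between hosts. The following added example (not code from libvirt or from the thread's participants) is a small checker for exactly that precondition: it parses libvirt's standard network XML (name, bridge, <forward mode/dev>, <ip>, <dhcp>) for two hosts and reports the attributes that differ, and it flags hosts whose definition has no <forward> element at all, since the message notes such a network hands out no default route over DHCP. The two XML documents are constructed for illustration; the proposed sectunnel element is not modelled here.

```python
"""Compare libvirt <network> definitions across hosts before migration.

Added example, not part of the original message or the libvirt project.
The XML samples are constructed; attribute names follow libvirt's
documented network XML format.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the same logical network "secnet" as defined on host A
# (with a <forward> element) and on host B (where the element is missing).
HOST_A_NET = """<network>
  <name>secnet</name>
  <bridge name='virbr10'/>
  <forward mode='nat' dev='eth0'/>
  <ip address='192.168.50.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.50.10' end='192.168.50.100'/></dhcp>
  </ip>
</network>"""

HOST_B_NET = """<network>
  <name>secnet</name>
  <bridge name='virbr10'/>
  <ip address='192.168.50.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.50.10' end='192.168.50.100'/></dhcp>
  </ip>
</network>"""


def summarize_network(xml_text):
    """Reduce a libvirt network definition to the fields that must agree
    across hosts for the network to behave as one logical entity."""
    root = ET.fromstring(xml_text)
    if root.tag != "network":
        raise ValueError("expected a <network> document, got <%s>" % root.tag)
    bridge = root.find("bridge")
    forward = root.find("forward")
    ip = root.find("ip")
    return {
        "name": root.findtext("name"),
        "bridge": bridge.get("name") if bridge is not None else None,
        "forward_mode": forward.get("mode") if forward is not None else None,
        "forward_dev": forward.get("dev") if forward is not None else None,
        "ip": ip.get("address") if ip is not None else None,
        "has_dhcp": ip is not None and ip.find("dhcp") is not None,
    }


def diff_networks(a_xml, b_xml):
    """Return {field: (value_on_a, value_on_b)} for every field that differs.
    An empty dict means the two definitions agree on the compared fields."""
    a, b = summarize_network(a_xml), summarize_network(b_xml)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def hosts_without_forward(definitions):
    """Given {host: xml}, return the hosts whose network has no <forward>,
    i.e. guests there get no default route from libvirt's DHCP."""
    return sorted(h for h, xml in definitions.items()
                  if summarize_network(xml)["forward_mode"] is None)


if __name__ == "__main__":
    mismatches = diff_networks(HOST_A_NET, HOST_B_NET)
    for field, (va, vb) in mismatches.items():
        print("%-13s host-a=%r host-b=%r" % (field, va, vb))
    print("hosts lacking <forward>:",
          hosts_without_forward({"host-a": HOST_A_NET, "host-b": HOST_B_NET}))
```

Run before migrating: a non-empty result from diff_networks is the mismatch the message warns about, and any host listed by hosts_without_forward is one whose guests will reach nothing outside the tunnelled L2 segment.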


