[libvirt] Libvirt and IPSec (was: What about Trusted Virtual Domains???)

Paolo Smiraglia paolo.smiraglia at polito.it
Mon May 2 14:59:35 UTC 2011


> Paolo,
> 
> Did you see my recent email titled "RFC: disconnecting guest/domain 
> interface config from host config":
> 
>    https://www.redhat.com/archives/libvir-list/2011-April/msg00591.html
> 
> We both want to expand the usage of <network>, so we'd do well to avoid 
> stepping on each others' toes! :-)

Referring to the options listed in the link posted above, I agree about
the Options 3. Moreover,  according to the posted XML network examples,
I imagine a network definition like:

   <network type='tunneled'>
      <name>red-network</name>
      <tunnel type='ipsec'>
         <!-- here all elements to define an ipsec tunnel -->
      </tunnel>
   </network>

or

   <network type='tunneled'>
      <name>red-network</name>
      <tunnel name='ipsectun0' />
   </network>

but the second example requires the definition (XML, API, ect) of
element <tunnel ...>

> I'm wondering how the <sectunnel> element would fit in with network 
> types that were not "bridge". [...] 

Sorry, but I don't understand what do you want to say... ;-)

> [...] I'm also curious about your work with 
> openvswitch, because one of the potentials I can see as a result of 
> expanding the usage of <network> is that openvswitch could be supported 
> directly by libvirt by defining a new <network type='openvswitch'> (I 
> mention that in one of the followup messages.

I used Open vSwitch to isolate the traffic (by using VLAN tagging) into
the tunnel. Moreover, I'm valuating to define a Libvirt hook that will
allow the dynamic configuration of Open vSwitch.

See you,

   Paolo

-- 
PAOLO SMIRAGLIA
Department of Control and Computer Engineering
Polytechnic University of Turin
Email: paolo.smiraglia at polito.it


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6095 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20110502/ffc941c0/attachment-0001.p7s>


More information about the libvir-list mailing list