On Thu, Jan 10, 2013 at 02:00:57PM +0200, Dan Kenigsberg wrote:
vdsm-vdsm and libvirt-libvirt communication is authenticated, but I
am
not sure at all that qemu-qemu communication is.
After qemu is sprung up on the destination with
-incoming <some ip>:<some port> , anything with access to that
address could hijack the process. Our migrateURI starts with "tcp://"
with all the consequences of this. That a good reason to make sure
<some ip> has as limited access as possible.
The QEMU<->QEMU communication channel is neither authenticated or
encrypted, so if you are allowing migration directly over QEMU TCP
channels you have a requirement for a trusted, secure mgmt network
for this traffic.
If your network is not trusted, then currently the only alternative
is to make use of libvirt tunnelled migration.
I would like to see QEMU gain support for using TLS on its migration
sockets, so that you can have a secure QEMU<->QEMU path without needing
to tunnel via libvirtd.
Daniel
--
|:
http://berrange.com -o-
http://www.flickr.com/photos/dberrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|:
http://entangle-photo.org -o-
http://live.gnome.org/gtk-vnc :|