Re: [libvirt] Libvirt and IPSec (was: What about Trusted Virtual Domains???)
On 04/29/2011 12:13 PM, Paolo Smiraglia wrote:
Hi to everyone!
Sorry for the latency of the response but me and my team we are noticed
that the TVD argument can not be treated only with a few lines in some
mails. In order to avoid any possible misunderstanding, we decided to
produce a little report (just four pages with images) that describes our
project. Technical details are not treated in the report. You can
download the report by using the link
http://dl.dropbox.com/u/824617/tvd_in_libvirt.pdf
Our idea is to start the discussion about Libvirt TVD implementation
using as starting point the report.
As already mentioned in previous mail, we think that the first step for
the implementation of the TVD is to make possible the 'tunnel' modeling
in Libvirt.
Considering the report, what do you think about our tunnel modeling
idea? It's right or some changes are needed?
Paolo,
Did you see my recent email titled "RFC: disconnecting guest/domain
interface config from host config":
https://www.redhat.com/archives/libvir-list/2011-April/msg00591.html
We both want to expand the usage of <network>, so we'd do well to avoid
stepping on each others' toes! :-)
I'm wondering how the <sectunnel> element would fit in with network
types that were not "bridge". I'm also curious about your work with
openvswitch, because one of the potentials I can see as a result of
expanding the usage of <network> is that openvswitch could be supported
directly by libvirt by defining a new <network type='openvswitch'> (I
mention that in one of the followup messages.
Also I'm still curious about my questions in my earlier response to you:
https://www.redhat.com/archives/libvir-list/2011-April/msg00589.html
in particular:
1) does the network on each host always have a <forward ...> element for
forwarding local traffic directly out to the public network? or
alternately, is it possible to force a network on one host to send all
traffic over the L2-over-L3 tunnel to a network on another machine, and
from there out to the public network? It seems that, in this case, there
would be no default route for the systems on the former network (in the
case of no forwarding on a libvirt network, no default route is sent in
the dhcp response - maybe that needs to be configurable...)
2) Is there an exact 1:1 correspondence between network and tunnel (or
perhaps there may be multiple tunnels for a network, but those tunnels
are not used by any other network on the same host)? If so, perhaps your
project could be simplified by just putting the tunnel config as a
subelement of <network>, rather than referencing it - this way you would
avoid the need for the extra APIs to define/undefine/etc sectunnel.
3) Are your tunnels always L2, or do you have provision for setting up
L3 tunnels? (Perhaps that could be done by allowing multiple <forward>
elements, and having a <forward> that specified a tunnel rather than a
physical interface, as well as a list of routes as subelements? This,
along with a sectunnel subelement should be enough info to setup a
secure L3 tunnel which would be used for the specified routes, right?
(BTW, after thinking about it some more, I think I agree that <network>
is the right place to implement this, rather than a virInterface (host)
based <interface> (although that would also be useful, totally separate
from libvirt)).
It seems we can gain a lot from each other! I'm hoping to have my
expansion of the network config completed by the end of June at latest,
but your work may enable/force me to hurry it a bit more than that :-)