On 05/02/2011 03:12 PM, Paolo Smiraglia wrote:
Hi Michal!
To reduce the implementation time and quickly verify whether our project
is feasible, we decided to implement the prototype by using the simplest
user-space applications (VTun, Open vSwitch).
To increase security, we would like to move all security components
into kernel space. We want to migrate from user to kernel space not by
defining new kernel modules or by modifying the existing ones, but by
using already defined applications that perform our security
requirements in kernel space.
For instance, we have defined an application which filters all received
packets (by analyzing the VLAN tags) before they are received by
the switch. We think that the filtering may be executed by using the
SELinux labels. About tunneling, we want to remove VTun from our
framework and set up the 'gretap' interfaces directly.
Any other questions are welcome!
Paolo
Hi Paolo,
thanks for your quick reply. Maybe I can see the point now. If you would
like to implement it using the already defined application that performs
the security requirements in kernel space, I guess the application
is in the form of a kernel module or directly implemented in the kernel,
so you need to check whether the required feature is present/module
loaded to allow the functionality. Is this your aim?
Michal
--
Michal Novotny <minovotn(a)redhat.com>, RHCE
Virtualization Team (xen userspace), Red Hat