Message-ID: <20161123145535.GA16465@stefanha-x1.localdomain>
Date:   Wed, 23 Nov 2016 14:55:35 +0000
From:   Stefan Hajnoczi <stefanha@...hat.com>
To:     Jorgen Hansen <jhansen@...are.com>
Cc:     netdev@...r.kernel.org, imbrenda@...ux.vnet.ibm.com
Subject: AF_VSOCK network namespace support

Hi Jorgen,
There are two use cases where network namespace support in AF_VSOCK
could be useful:

1. Claudio Imbrenda pointed out that a machine cannot act as both host
   and guest at the same time.  This is necessary for nested
   virtualization.  Currently only one transport (the host side or the
   guest side) can be registered at a time.

2. Users may wish to isolate the AF_VSOCK address namespace so that two
   VMs have completely independent CID and ports (they could even use
   the same CID and ports because they're in separate namespaces).  This
   ensures that a host service visible to VM1 is not automatically
   visible to VM2.

Network namespaces could solve both problems.

A drawback of namespaces is that existing configurations using network
namespaces for IPv4/6 or other purposes break if AF_VSOCK gains network
namespace support.  This is not a big problem for virtio-vsock if we
implement namespace support soon since there are no existing users.

I wonder how other address families have solved this transition to
network namespaces.  It's almost like we need fine-grained namespaces
instead of a blanket network namespace that applies across all address
families...

I'm playing around with the code now but wanted to get your thoughts in
case you've already considered these problems.

Stefan
