| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Nov 2016 14:55:35 +0000
From: Stefan Hajnoczi <stefanha@...hat.com>
To: Jorgen Hansen <jhansen@...are.com>
Cc: netdev@...r.kernel.org, imbrenda@...ux.vnet.ibm.com
Subject: AF_VSOCK network namespace support
Hi Jorgen,
There are two use cases where network namespace support in AF_VSOCK
could be useful:
1. Claudio Imbrenda pointed out that a machine cannot act as both host
and guest at the same time. This is necessary for nested
virtualization. Currently only one transport (the host side or the
guest side) can be registered at a time.
2. Users may wish to isolate the AF_VSOCK address namespace so that two
VMs have completely independent CID and ports (they could even use
the same CID and ports because they're in separate namespaces). This
ensures that a host service visible to VM1 is not automatically
visible to VM2.
Network namespaces could solve both problems.
A drawback of namespaces is that existing configurations using network
namespaces for IPv4/6 or other purposes break if AF_VSOCK gains network
namespace support. This is not a big problem for virtio-vsock if we
implement namespace support soon since there are no existing users.
I wonder how other address families have solved this transition to
network namespaces. It's almost like we need fine-grained namespaces
instead of a blanket network namespace that applies across all address
families...
I'm playing around with the code now but wanted to get your thoughts in
case you've already considered these problems.
Stefan
Download attachment "signature.asc" of type "application/pgp-signature" (456 bytes)
Powered by blists - more mailing lists