On Thu, Jan 10, 2013 at 02:00:57PM +0200, Dan Kenigsberg wrote: > vdsm-vdsm and libvirt-libvirt communication is authenticated, but I am > not sure at all that qemu-qemu communication is. > > After qemu is sprung up on the destination with > -incoming <some ip>:<some port> , anything with access to that > address could hijack the process. Our migrateURI starts with "tcp://" > with all the consequences of this. That a good reason to make sure > <some ip> has as limited access as possible. The QEMU<->QEMU communication channel is neither authenticated or encrypted, so if you are allowing migration directly over QEMU TCP channels you have a requirement for a trusted, secure mgmt network for this traffic. If your network is not trusted, then currently the only alternative is to make use of libvirt tunnelled migration. I would like to see QEMU gain support for using TLS on its migration sockets, so that you can have a secure QEMU<->QEMU path without needing to tunnel via libvirtd. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list