tunnelled migration

Andrew Cathrow acathrow at redhat.com
Fri Jan 11 12:28:27 UTC 2013



----- Original Message -----
> From: "Mark Wu" <wudxw at linux.vnet.ibm.com>
> To: "Caitlin Bestler" <Caitlin.Bestler at nexenta.com>
> Cc: "Michal Skrivanek" <mskrivan at redhat.com>, arch at ovirt.org
> Sent: Friday, January 11, 2013 1:05:10 AM
> Subject: Re: tunnelled migration
> 
> On 01/11/2013 04:14 AM, Caitlin Bestler wrote:
> > Dan Kenigsberg wrote:
> >
> >
> >> Choosing tunnelled migration is thus a matter of policy. I would
> >> like to suggest a new cluster-level configurable in Engine,
> >> that controls whether migrations in this cluster are tunnelled.
> >> The configurable must be available only in new cluster levels
> >> where hosts support it.
> > Why not just dump this issue to network configuration?
> >
> > Migrations occur over a secure network. That security could be
> > provided by port groups, VLANs or encrypted tunnels.
> Agreed. Is a separate vlan network not secure enough?  If yes, we could
> build a virtual encrypted network, like using openvpn + iptables.

While I agree that a vlan should be enough, and that's their purpose, we've learned from downstream customers that this isn't enough and their security teams require all traffic to be encrypted.

> >
> > _______________________________________________
> > Arch mailing list
> > Arch at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/arch
> >