Securing Network Virtualization in Xen

A Xen hypervisor may be used as a secure virtual network switching element. A naive hypervisor implementation might act as a link-layer hub, forwarding all inbound traffic to all virtual machines and multiplexing outbound traffic onto the network. Although this is closer to a pure virtualization of the physical resources, it presents a security concern in that each node can see every other node's traffic, and it raises the question of whether the virtual Ethernet device should allow a promiscuous mode. Performance-wise this might not be desirable either: incoming packets must be copied to each VM's receive queue, incurring an overhead, or alternatively the hypervisor must provide the ability to deliver a common piece of memory as either read-only or copy-on-write to a set of VMs.

Xen's XenoServer project suggests using Dom0 as a routing element. Packet scheduling in Xen is at the granularity of virtual interfaces. A soft real-time scheduler moves transmit packets from virtual interface send queues through Xen's routing tables. Received packets are delivered on arrival, and appropriate RX scheduling is deferred to the CPU scheduler, as VMs are responsible for emptying their own inbound message buffers. VMs which do not empty their receive queues at the inbound packet rate will have the excess packets dropped. IDS rules can be installed at a traffic classifier in Dom0 to filter both incoming and outgoing malicious traffic.
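
The following is an added example, not Xen or XenoServer code: a small Python model of the switched design described above, in which a frame reaches only the virtual interface that owns its destination MAC, a classifier checks traffic in both directions, and a full receive queue drops packets. All class, function and rule names are hypothetical, frames are plain dictionaries, and the telnet rule is a constructed sample.

```python
from collections import deque

class Vif:
    """A guest's virtual interface with a bounded receive queue."""
    def __init__(self, mac, rx_slots=2):
        self.mac, self.rx_slots = mac, rx_slots
        self.rx, self.dropped = deque(), 0

    def deliver(self, frame):
        if len(self.rx) >= self.rx_slots:  # guest is not draining its queue
            self.dropped += 1
            return "rx-drop"
        self.rx.append(frame)
        return "delivered"

def spoofed_source(frame, direction, vif):
    # Outbound frames must carry the sending vif's own MAC.
    return direction == "out" and frame["src"] != vif.mac

def blocked_port(frame, direction, vif):
    # Constructed sample rule: drop telnet in either direction.
    return frame.get("dport") == 23

class Dom0Switch:
    """Delivers a frame only to the vif that owns the destination MAC."""
    def __init__(self, rules):
        self.vifs, self.rules = {}, rules

    def attach(self, *vifs):
        self.vifs.update((v.mac, v) for v in vifs)

    def _drop(self, frame, direction, vif):
        return any(rule(frame, direction, vif) for rule in self.rules)

    def transmit(self, src_vif, frame):
        """Frame leaving a guest: classify outbound, then route."""
        if self._drop(frame, "out", src_vif):
            return "filtered"
        if frame["dst"] not in self.vifs:
            return "uplink"  # would leave through the physical NIC
        return self.receive(frame)

    def receive(self, frame):
        """Frame arriving for a guest, from the wire or another guest."""
        dst = self.vifs.get(frame["dst"])
        if dst is None or self._drop(frame, "in", dst):
            return "filtered"  # unknown destination or rule match
        return dst.deliver(frame)
```

Attaching three `Vif` objects and sending a frame from one to another leaves the third guest's queue empty, which is the isolation property the hub design lacks.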