I'm new to KVM and still deciding if I want to go with Xen or KVM. One thing that is important is I need full isolation of network traffic between VMs and between any VM and the host itself. I'm guessing one way to do this is by using a passthrough for the NIC, so one VM gets exclusive access to one NIC and no one else (even the host OS) can see it. Is that right? If so, I'm not sure what level of VT-x technology is required for this. My Gigabyte MB has built-in NICs, but they would still be on the PCI bus, right? Does that mean I'd need VT-d to pass through the NIC?
Shadowbox,
Yes, you'd need VT-d technology to do what you want. It provides DMA access to VMs.
So are you saying that without the NIC passthrough VMs can sniff traffic destined for other VMs? I'm hoping there is another way to do this, because I just bought a very nice Gigabyte MB that doesn't include a VT-d chipset. Those damn chipsets are very hard to find!
It will sniff traffic only to itself, as the NIC will be dedicated to that VM and no one else, not even the host. IOW, it will NOT see traffic to other VMs, and other VMs will not have access to that memory. Yeah, as it's a new hardware feature you won't find it that easily.
I'm not clear on which scenario you are discussing above. With or without NIC passthrough to guest?
Basically, I'm trying to find out if KVM has good network isolation between VMs by default or if extra measures (NIC passthrough) are required. I'm concerned about 2 scenarios: Where 1 VM is compromised and sniffs traffic of others or host, and where an attack can be made directly on the host during processing of malicious traffic directed at a guest. Depending on how KVM handles translation of physical network packets and virtual network packets both these scenarios may already be accounted for. I know Xen has security architecture in place to prevent both scenarios, but I haven't been able to find equivalent information about KVM.
Ah, sorry. I somehow read your post as saying *with* passthrough. I was in fact talking about *with* passthrough, so my comment was not relevant. As for your question about isolation, using the -net user (slirp) option will totally isolate your VM on the network stack, as this is all in userspace (separate process). You can also separate VM networks using tap networking if you assign dedicated bridges to each VM.
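The two setups mentioned in the reply above (user-mode slirp networking, and tap networking with a dedicated bridge per VM), as an added example that is not part of the thread. It uses the current `-netdev user` / `-netdev tap` QEMU syntax rather than the older `-net user` form. The VM name, the `br-<vm>` / `tap-<vm>` interface names, and the `vm1`/`vm2` values are assumptions for illustration; the bridge commands are printed rather than executed so the script can be read and tested without root.

```shell
#!/bin/sh
# Added example, not from the thread: build per-VM isolated networking for
# QEMU/KVM in one of two modes:
#   user -> slirp stack inside the QEMU process (-netdev user)
#   tap  -> a dedicated Linux bridge per VM, so no VM shares a segment
# Interface names br-<vm> and tap-<vm> are assumed conventions.
set -eu

# Print the QEMU network arguments for a VM. $1 = VM name, $2 = mode (user|tap).
qemu_net_args() {
    vm=$1; mode=$2
    case $mode in
        user)
            # Guest gets a private NAT'd network served by the QEMU process;
            # no host interface is exposed and other VMs' frames never reach it.
            printf '%s' "-netdev user,id=net0 -device virtio-net-pci,netdev=net0"
            ;;
        tap)
            # Tap device that is enslaved to a bridge used by this VM alone.
            printf '%s' "-netdev tap,id=net0,ifname=tap-$vm,script=no,downscript=no -device virtio-net-pci,netdev=net0"
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
}

# Print the ip(8) commands that create one dedicated bridge plus one tap for a VM.
# Apply as root with: bridge_cmds vm1 | sh
bridge_cmds() {
    vm=$1
    cat <<EOF
ip link add br-$vm type bridge
ip link set br-$vm up
ip tuntap add dev tap-$vm mode tap
ip link set tap-$vm master br-$vm
ip link set tap-$vm up
EOF
}

# Real-host check: succeed only if bridge br-<vm> has exactly one member port
# and that port is tap-<vm>. Reads the kernel's /sys/class/net/<br>/brif listing.
bridge_is_dedicated() {
    vm=$1
    dir=/sys/class/net/br-$vm/brif
    [ -d "$dir" ] || return 1
    set -- "$dir"/*
    [ "$#" -eq 1 ] && [ "$1" = "$dir/tap-$vm" ]
}

# Example use (assumed disk image path):
# qemu-system-x86_64 -enable-kvm -m 1024 -drive file=vm1.qcow2 $(qemu_net_args vm1 tap)
```

A second VM gets its own `bridge_cmds vm2` and `qemu_net_args vm2 tap`, so the two taps never sit on the same bridge; `bridge_is_dedicated` is the sanity check to run on the host after wiring things up.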
Thank you for your answers here. It is helpful for me to decide if I need to lay down the $ for a different MB or stick with what I have. :)
So it sounds like what you are describing would prevent one VM from seeing traffic to/from another if the virtual interface is configured correctly. But what about the other scenario?
I'm thinking of something similar to the periodic problems Cisco has with malformed packets. ref. http://www.securityfocus.com/bid/22211/discuss
So even though Cisco devices are not executing any malicious code, simply processing it opens them up to attack. So, if the KVM host is processing traffic destined for a guest, this could potentially be an attack vector that could compromise the host. Whereas if the host doesn't process the traffic and simply hands it off, the worst that could happen is the guest gets compromised, which is preferable to having the host compromised. So the million-dollar question is whether KVM has any safeguards against this happening, or if I need that passthrough?
So, in general, how much isolation does KVM provide between VMs? Is the networking similar to Xen (i.e. you create "bridges" for each group of VMs you want on an isolated network?)
Is the above comment about the Cisco bug anything to worry about?
Thanks
I am using KVM/QEMU in bridged mode. I fired up tcpdump under a VM and could not detect any traffic from the host or another VM on the same box. Sounds like there is network isolation, but that's just my quick tests. If you want a more rock-solid answer, you'll have to do your own experimentation.
@MossySf You will need to test with ettercap or any sniffer that would perform a MITM.
Well, I can scan and find some hosts that are in the same network, but it doesn't appear to be sniffing or injecting correctly.