
Security policy, some works in progress

derchris
26-06-2009, 08:51
Does that mean we can use native bridge mode on VMs after the change?
Or are we still restricted to NAT/HostOnly networking?

fozl
25-06-2009, 12:27
Translation improved a bit.

DedicatedPros
24-06-2009, 19:56
These translations are crap. I thought OVH staff were fluent in both English and French; they could translate this to actually make sense in English.

Ashley
24-06-2009, 18:59
Quote Originally Posted by oles@ovh.net
we don't make sushi without rice or roast beef without meat or omelette without eggs
What the hell lol?

Myatu
24-06-2009, 18:51
Quote Originally Posted by oles@ovh.net
Hello,
- The network is protected against the servers that play with MAC on our network. As soon as we detect it, the server port blocks itself (Cisco human network, I mean I do nothing).
Yep, I managed to do this earlier this week.

Anyway, would it be a solution to have OVH generate the MAC address and map it to the server? This way you'll still avoid MAC spoofing, but also have the option of additional MAC addresses for virtual interfaces. It'll make the setup of certain virtualised environments easier as well (Virtuozzo, OpenVZ, Xen, VMware).

Quote Originally Posted by oles@ovh.net
A virtual machine that runs on a server, is hacked and launches an attack, spoofs the network, etc. Currently, we detect that the problem comes from the physical server and we block the entire server instead of just the virtual machine.
Now this is something I discovered only recently - as a matter of fact, yesterday. It had to do with IP transparency and a certain proxy. It certainly created a headache (the entire server was blocked)... but how do you propose to block just the virtual machine in this case?

wackomoo
24-06-2009, 18:27
Changing 400 switches: how will this affect Kimsufi and Pro servers, if at all? (Should I expect downtime/disconnects from the internet?)

oles@ovh.net
24-06-2009, 16:56
Hello,

We are approaching 60,000 servers, and more and more of you are running virtualization on servers at OVH. This is partly due to our ready-to-use distributions, IP fail-over, IP load balancing and all the additional services (vKVM, KVM, the firewall), but mainly because there is demand in this market (it's good to save money). Technically speaking, we had to adapt our technical infrastructure to offer you virtualisation, but today we are no longer satisfied with what we offer. We can do better and we will do better. Because ... because it's worth it!

Examples of what we're still doing badly and how we will do it better:

- A virtual machine that runs on a server, is hacked and launches an attack, spoofs the network, etc. Currently, we detect that the problem comes from the physical server and we block the entire server instead of just the virtual machine.

- The network is protected against the servers that play with MAC addresses on our network. As soon as we detect it, the server port blocks itself (Cisco network, I do nothing). The network has isolated the problem by cutting off the server and therefore continues to operate without any problem. However, this is not the best for the server. Also, with the virtualization we can "route" packets or just play with MAC addresses. We wish to offer both.

We are then going to change some safety rules on the network to enable these new uses while maintaining a security level in "paranoid" mode (because those who are not paranoid on the Net have a very limited life expectancy). Also, we will have to change 30% of our rack switches (more than 400 pieces ... ouch! Suddenly not so funny; anyway, we don't make sushi without rice or steak without meat or omelette without breaking eggs!) to allow our virtualization customers to be happier at OVH without messing up other customers (who are also happy at OVH, but perhaps not as much as the virtualization customers will soon be).

To summarize the developments technically: communication between the server and "the rest" (the other servers, routers, the Internet) will be shielded and secured in a sort of tunnel, allowing these machines to announce themselves in a kind of "noise" tunnel without this noise becoming a detriment to other servers, routers and the Internet.

What am I saying? Very technically speaking ... I invite you to look at the works task in which we explain what we are doing. Technically speaking it is a headache, and we need 4 pages to explain it.

http://travaux.ovh.com/?do=details&id=3187

Of course, nothing changes for 99.99% of our customers. What may change is for the 2-4 customers who may have done borderline stuff. That's all.

All other customers will love it because we will allow more services on our armoured network.

That's it :-)

Regards,

Octave
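The two behaviours discussed in this thread, namely the current rule where any foreign MAC on a port err-disables the whole server, and the finer per-virtual-machine blocking Octave says OVH wants to reach (with provider-assigned MACs mapped to each VM, as Myatu suggests), can be compared side by side in a small model. The following is an added example written for this page, not OVH's code or any switch's actual configuration; the port names, MAC addresses, IP addresses and host/VM names are constructed sample data, and the "registered MAC plus bound IP per VM" scheme is an assumption used to make violations attributable to a single interface.

```python
"""Compare two ways a rack switch could react to a misbehaving virtual machine.

Added example, not OVH's code. It models the situation described in the thread:
today a MAC-level violation err-disables the whole server port (every VM on that
server goes down); a finer policy with per-VM registered MAC/IP pairs can block
just the offending virtual interface and fall back to the port only when the
sender cannot be attributed. All MACs, IPs, port and VM names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class PortRegistration:
    """What the provider knows about one physical switch port (constructed)."""
    host_name: str
    host_mac: str
    host_ip: str
    vms: dict = field(default_factory=dict)  # vm MAC -> (vm name, vm IP)

    def owner_of(self, mac: str):
        """Return the registered name bound to a MAC on this port, or None."""
        if mac == self.host_mac:
            return self.host_name
        if mac in self.vms:
            return self.vms[mac][0]
        return None

    def expected_ip(self, mac: str):
        """IP the provider bound to a registered MAC (caller checks ownership first)."""
        if mac == self.host_mac:
            return self.host_ip
        return self.vms[mac][1]


REGISTERED = {
    "Gi1/0/1": PortRegistration(
        "server-1", "00:11:22:33:44:01", "10.0.0.10",
        vms={"02:00:00:00:01:01": ("vm-a", "10.0.0.11"),
             "02:00:00:00:01:02": ("vm-b", "10.0.0.12")},
    ),
    "Gi1/0/2": PortRegistration("server-2", "00:11:22:33:44:02", "10.0.0.20"),
}

# Constructed frames as seen by the switch: (ingress port, source MAC, source IP).
FRAMES = [
    ("Gi1/0/1", "00:11:22:33:44:01", "10.0.0.10"),  # server-1 itself, fine
    ("Gi1/0/1", "02:00:00:00:01:01", "10.0.0.11"),  # vm-a with its own MAC/IP
    ("Gi1/0/1", "02:00:00:00:01:02", "10.0.0.99"),  # vm-b sending a source IP not bound to it
    ("Gi1/0/2", "00:11:22:33:44:02", "10.0.0.20"),  # server-2, fine
    ("Gi1/0/2", "de:ad:be:ef:00:02", "10.0.0.20"),  # unregistered MAC on server-2's port
]


def port_level_policy(registered, frames):
    """Current behaviour: one MAC per port; any other source MAC disables the port."""
    blocked_ports = set()
    for port, mac, _ip in frames:
        if mac != registered[port].host_mac:
            blocked_ports.add(port)
    return blocked_ports


def vm_level_policy(registered, frames):
    """Finer policy: registered VM MACs are allowed; a registered MAC using an IP
    that is not bound to it is blocked on its own; an unregistered MAC still
    disables the port because it cannot be tied to a particular VM."""
    blocked_macs, blocked_ports = set(), set()
    for port, mac, ip in frames:
        reg = registered[port]
        if reg.owner_of(mac) is None:
            blocked_ports.add(port)   # not attributable: the whole port goes
        elif ip != reg.expected_ip(mac):
            blocked_macs.add(mac)     # attributable: only this interface goes
    return blocked_macs, blocked_ports


def offline_after(registered, blocked_ports, blocked_macs=frozenset()):
    """Names of hosts and VMs that lose connectivity under a given outcome."""
    offline = set()
    for port, reg in registered.items():
        if port in blocked_ports:
            offline.add(reg.host_name)
            offline.update(name for name, _ in reg.vms.values())
        if reg.host_mac in blocked_macs:
            offline.add(reg.host_name)
        for mac, (name, _) in reg.vms.items():
            if mac in blocked_macs:
                offline.add(name)
    return offline


if __name__ == "__main__":
    ports = port_level_policy(REGISTERED, FRAMES)
    macs, vm_ports = vm_level_policy(REGISTERED, FRAMES)
    print("port-level policy takes offline:", sorted(offline_after(REGISTERED, ports)))
    print("vm-level policy takes offline:  ", sorted(offline_after(REGISTERED, vm_ports, macs)))
```

Run as a script, the port-level policy takes server-1, vm-a, vm-b and server-2 offline (vm-a did nothing wrong; it is collateral damage of sharing a port with vm-b), while the vm-level policy takes only vm-b and server-2 offline. The unregistered MAC on server-2's port is still a whole-port block under both policies, which is the "fall back to the port when you cannot attribute" caveat that makes provider-assigned VM MACs worthwhile.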