From: Matt Churchyard
Date: Thu, 29 Dec 2016 18:09:42 +0000
Subject: Re: Multiple bhyve Guests, Single bridge/tap?
To: Aryeh Friedman, Vincent Olivier
Cc: freebsd-virtualization@freebsd.org

As mentioned, a bridge is the virtual equivalent of a switch. It only really
makes sense to have more than one bridge if you have more than one interface
on your guest(s), and want to connect those interfaces to separate networks.
(Or you want some guests on a different network, possibly bridged to a
different physical interface.)

If you want to provide complete network separation between guests, it's much
easier to just use the 'private' option to ifconfig when bridging the guest's
tap interface. Any bridge member set to private cannot talk to any other
private bridge member.

Of course this is only really applicable in multi-tenant situations like Aryeh
says. If they are all your own guests, the fact that they can see each other
on the network should hopefully be a non-issue.

Matt

On Thu, 29 Dec 2016 at 15:26, Aryeh Friedman wrote:

> On Thu, Dec 29, 2016 at 10:19 AM, Vincent Olivier wrote:
>
> > > Hi!
> > >
> > > Use the same bridge but a different tap (each tap represents the virtual
> > > equivalent of a NIC where the bridge is the virtual equivalent of a hub)
> >
> > Thanks! This is very clear. For extra isolation, could I use a new bridge
> > too or is that useless?
>
> Yes but it only makes sense in a multi-tenant (aka cloud provider) setup
> because any attacker on a VM should be assumed to be able to get into the
> host due to knowing your password (which typically is not all that different
> on the two machines unless you randomly generated it).
>
> --
> Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
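As an added example (not code from this thread or from any of its authors), the following POSIX sh script applies the 'private' bridge-member flag Matt describes: several bhyve guest taps share one bridge and its uplink, but each tap is marked private so the guests cannot reach each other, and a small audit function reads ifconfig output and reports any tap member that lacks the flag. The interface names bridge0, em0, tap0 and tap1 are placeholders, the bridge is assumed not to exist yet, and the ifconfig output the audit runs over is a constructed sample, not real output.

```shell
#!/bin/sh
# Added example, not code from the thread. Puts several bhyve guest taps on
# one bridge and marks each tap as a PRIVATE member, so guests share the
# uplink but cannot reach each other. Then audits `ifconfig bridgeN` output
# to confirm no tap member is missing the flag.
# Assumptions (placeholders): bridge0 does not exist yet, em0 is the
# physical uplink, tap0/tap1 are the guest taps. Run as root on FreeBSD;
# set DRY_RUN=1 to print the ifconfig commands instead of executing them.

DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# isolate_guests BRIDGE UPLINK TAP...
# The uplink is a normal member; each tap is added and flagged private in
# the same ifconfig call, so a tap is never briefly a non-private member.
isolate_guests() {
    bridge="$1"; uplink="$2"; shift 2
    run ifconfig "$bridge" create
    run ifconfig "$bridge" addm "$uplink" up
    for tap in "$@"; do
        run ifconfig "$tap" create
        run ifconfig "$bridge" addm "$tap" private "$tap" up
    done
}

# check_private IFCONFIG_OUTPUT
# Prints every tap member lacking the PRIVATE flag; exits 0 if none, 1 otherwise.
# For a live check on a host: check_private "$(ifconfig bridge0)"
check_private() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*member: tap/ {
            if ($0 !~ /PRIVATE/) { print $2; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample of ifconfig output (not captured from a real host):
# tap1 was attached without "private", tap0 carries the flag, em0 is the uplink.
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	member: tap1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	member: tap0 flags=1c3<LEARNING,DISCOVER,PRIVATE,AUTOEDGE,AUTOPTP>
	member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Usage: [DRY_RUN=1] sh isolate.sh bridge0 em0 tap0 tap1
if [ $# -ge 3 ]; then
    isolate_guests "$@"
fi

# Audit the constructed sample; this reports tap1.
check_private "$SAMPLE_IFCONFIG" || echo "warning: the tap member(s) listed above are not private"
```

The audit is the part worth keeping around: a tap added with a plain `addm` and only later flagged `private` is, for that interval, a normal member, and a tap re-created by a guest restart script may never get the flag at all, so checking the member flags after each change is cheaper than trusting the provisioning script.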