- In 2014, this change to Nova was introduced https://review.openstack.org/#/c/74600/. That worked with TUNNELLED migration, because, at that time, the libvirt version used was 0.9.6 (out in SEP 2011) which used a *different* migration scheme (QEMU 'migrate -b' HMP command) under the hood -- in this method, QEMU used a single stream for both memory and storage copying. (It's worth noting that the old-way of migration ('migrate -b') approach is now legacy.) - With libvirt release of 1.0.3 (out in MAR 2013), it switched to a *new* migration scheme under the hood (NBD + QEMU 'drive_mirror' QMP command[1][2]). With this introduction of NBD-based migration, there are two data streams (one for memory, the other for disks), but libvirt was yet not taught how to multiplex two streams into one -- consequently, TUNNELLED (which can only deal with single stream) libvirt migration fails. IIUC, as noted, danpb's in-progress upstream QEMU work "Universal encryption on QEMU I/O channels"[3] will eventually allow secure non-tunnelled migration to work. [1] http://wiki.libvirt.org/page/NBD_storage_migration [2] http://libvirt.org/git/?p=libvirt.git;h=7b7600b -- qemu_migration: Introduce qemuMigrationDriveMirror [3] https://lists.gnu.org/archive/html/qemu-devel/2015-02/msg00529.html -- Written on 8-APR-2015