Thank you Erik and James for the discussion.
On Tue, Nov 17, 2009 at 3:44 PM, Erik Nordmark <[email protected]> wrote:
> Peter Teoh wrote:
>
>> Wow.... each netstack for each IP zone? What is the purpose? At the
>> kernel level, everyone can see and modify each other, right? So I don't
>> think it is for privilege segregation - in the security sense? Sorry for
>> the newbie question, I will read into this documentation..... slowly :-).
>
> The purpose is to isolate the IP traffic for different exclusive IP zones.
I see. My present h/w is an AMD quad-core CPU, two NICs, and one
zone (default) so far:
Doing an mdb -k:
> ::squeue
ADDR STATE CPU FIRST LAST WORKER
ffffff02d7cbdac0 00320 0 0000000000000000 0000000000000000 ffffff0010818c60
ffffff02d7cbdb80 00320 2 0000000000000000 0000000000000000 ffffff00107eec60
ffffff02d7cbdc40 00820 3 0000000000000000 0000000000000000 ffffff000fa03c60
ffffff02d7cbdd00 00820 2 0000000000000000 0000000000000000 ffffff000f9a3c60
ffffff02d7cbddc0 00820 1 0000000000000000 0000000000000000 ffffff000f92dc60
ffffff02d7cbde80 00820 0 0000000000000000 0000000000000000 ffffff000f579c60
> ffffff02d7cbde80::whatis
ffffff02d7cbde80 is ffffff02d7cbde80+0, allocated from squeue_cache
> ffffff02d7cbddc0::whatis
ffffff02d7cbddc0 is ffffff02d7cbddc0+0, allocated from squeue_cache
>
Not sure what the above data structures correspond to? squeues?
But they do not map to the per-CPU concept?
Similarly for this:
> ::netstack
ADDR STACKID FLAGS
ffffff02d2ca0a40 0 000000
> ffffff02d2ca0a40::whatis
ffffff02d2ca0a40 is ffffff02d2ca0a40+0, allocated from kmem_alloc_256
Perhaps there is only one zone so far?
> We've seen many cases where there is a need to consolidate servers that are
> connected to different VLANs (or different LANs) on the same system. The
> exclusive-IP zones enable that by providing the equivalent of an "IP airgap"
> - there is no way for IP packets (or ARP packets) to cross from one
> exclusive-IP zone to another, and all the modifiable data structures in the
> TCP/IP stack are separate for each exclusive-IP zone.
>
> The fact that the kernel can write all over all of physical memory doesn't
> impact this; even with a hypervisor as in Xen the hypervisor can write all
> of physical memory. In both cases we try to write software that doesn't
> scribble over memory. The applications, including for uid=0, can not read or
> write TCP/IP datastructures that are part of a different exclusive-IP zone.
>
> In OpenSolaris with the vnic support this can also be used to build a
> network in a box (defining etherstubs and vnics and connecting them together
> with some exclusive-IP zones being routers, others being firewalls, and then
> with applications running on yet other ones.) This is very powerful for
> testing; I can run a dozen exclusive-IP zones on an old laptop.
>
> Erik
Sorry about this question.... so for each VNIC you will have one IP
instance, which is one netstack, correct?
--
Regards,
Peter Teoh
_______________________________________________
networking-discuss mailing list
[email protected]
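The "network in a box" Erik describes above (etherstubs, VNICs, and exclusive-IP zones acting as router and application hosts), written out as an added example; this is not code from the thread or from the OpenSolaris project. It is a POSIX shell script that emits the dladm/zonecfg/zlogin command plan for two isolated segments joined only by a routing zone, and a check sequence that shows the "IP airgap" holding when forwarding in that zone is switched off. Zone names (app1, app2, rtr), link names (stub0, stub1, vnic0..vnic3), the zonepath parent /zones and the 10.0.1.0/24 and 10.0.2.0/24 addresses are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for this thread (not code from the list or the OpenSolaris
# project): a plan for a Crossbow "network in a box".  Two etherstubs act
# as isolated virtual switches; app1 lives on stub0, app2 on stub1, and an
# exclusive-IP zone "rtr" with a VNIC on each stub is the only path between
# them.  All names, zonepaths and addresses are assumptions for illustration.
#
# By default the commands are only printed, so this can be read anywhere.
# On an OpenSolaris host, run as root:   sh netbox.sh apply

ZONEROOT=${ZONEROOT:-/zones}     # assumed zonepath parent
APP1_NIC=vnic0; RTR_NIC0=vnic1   # both attached to stub0
RTR_NIC1=vnic2; APP2_NIC=vnic3   # both attached to stub1

# Emit one zonecfg line for an exclusive-IP zone that owns the given VNICs.
# ip-type=exclusive is what gives the zone its own netstack; zonecfg then
# takes only the physical link, and addresses are configured inside the zone.
exclusive_zone() {
    zone=$1; shift
    cfg="create; set zonepath=$ZONEROOT/$zone; set ip-type=exclusive"
    for nic in "$@"; do
        cfg="$cfg; add net; set physical=$nic; end"
    done
    echo "zonecfg -z $zone '$cfg; verify; commit'"
}

# The whole build, one shell command per line on stdout.
netbox_plan() {
    # Etherstubs have no uplink: frames on stub0 cannot reach stub1 unless
    # something holding a VNIC on each stub forwards them.
    echo "dladm create-etherstub stub0"
    echo "dladm create-etherstub stub1"
    echo "dladm create-vnic -l stub0 $APP1_NIC"
    echo "dladm create-vnic -l stub0 $RTR_NIC0"
    echo "dladm create-vnic -l stub1 $RTR_NIC1"
    echo "dladm create-vnic -l stub1 $APP2_NIC"

    echo "mkdir -p $ZONEROOT"
    exclusive_zone app1 "$APP1_NIC"
    exclusive_zone app2 "$APP2_NIC"
    exclusive_zone rtr  "$RTR_NIC0" "$RTR_NIC1"
    for z in app1 app2 rtr; do
        echo "zoneadm -z $z install"
        echo "zoneadm -z $z boot"
    done

    # Addressing is done inside each zone, in its own IP instance.
    echo "zlogin app1 ifconfig $APP1_NIC plumb 10.0.1.10/24 up"
    echo "zlogin app2 ifconfig $APP2_NIC plumb 10.0.2.10/24 up"
    echo "zlogin rtr ifconfig $RTR_NIC0 plumb 10.0.1.1/24 up"
    echo "zlogin rtr ifconfig $RTR_NIC1 plumb 10.0.2.1/24 up"

    # Forwarding is enabled only in rtr; the app zones just get a route to it.
    echo "zlogin rtr routeadm -u -e ipv4-forwarding"
    echo "zlogin app1 route -p add 10.0.2.0/24 10.0.1.1"
    echo "zlogin app2 route -p add 10.0.1.0/24 10.0.2.1"
}

# Checks that show the airgap: an app zone sees exactly one link and its
# own routing table, and reaches the other segment only while rtr forwards.
netbox_check() {
    echo "zlogin app1 dladm show-link"       # expect only $APP1_NIC
    echo "zlogin app1 netstat -rn"
    echo "zlogin app1 traceroute 10.0.2.10"  # expect 10.0.1.1 as first hop
    echo "zlogin rtr routeadm -u -d ipv4-forwarding"
    echo "zlogin app1 ping 10.0.2.10 3"      # expect: no answer within 3 s
    echo "zlogin rtr routeadm -u -e ipv4-forwarding"
}

case "${1:-plan}" in
    plan)  netbox_plan; netbox_check ;;
    apply) { netbox_plan; netbox_check; } | sh -ex ;;
    *)     echo "usage: $0 [plan|apply]" >&2 ;;
esac
```

The point of the check block is Erik's "no way for IP packets (or ARP packets) to cross" statement: app1 and app2 sit on different etherstubs, so with forwarding disabled in rtr the ping gets no answer even though all three zones share one kernel; re-enabling forwarding in rtr is the only thing that joins them. Each VNIC is dedicated to one zone because an exclusive-IP zone needs a link that no other zone uses.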