On Thu, May 13, 2010 at 01:29:20PM -0700, sowmini.varad...@oracle.com wrote:
> > > > - can exclusive stack zones manipulate mac addresses on network
> > > >   interfaces?
> > >
> > > yes- they can use 'ifconfig .. ether <..>'.
> > > .. the address property only clamps down the IP address,
> > > and makes no promises about the mac address associated with the IP
> > > address.
> >
> > given that one of the motivations for this work is to prevent zones from
> > using addresses they shouldn't (and thereby being capable of DOS-ing
> > hosts using those addresses) it seems like we should have a zonecfg
> > mechanism that prevents mac address manipulation. i don't know if that
> > should be bundled in with this proposed IP limiting mechanism (ie. if a
> > user specifies an IP address the mac would automatically be locked down)
> > or if there should be a separate knob to control this. thoughts?
>
> Rishi Srivatsavai is looking into the work entailed to have mac-nospoof
> enabled for NGZ by default.. just talked to Rishi, and I think it makes
> sense, as part of that work, to also ensure that the mac address cannot
> be changed by ifconfig.
>

sounds good to me. thanks.
ed