On 13/05/10 01:29 PM, sowmini.varad...@oracle.com wrote:
On (05/13/10 13:25), Edward Pilatowicz wrote:
Currently, none, though the "only ipv4 specified implies ipv6-addrs
are forbidden" approach solves that. In retrospect, that choices
seems simpler and cleaner. Is that preferable?
i think so.
Ok, I'll send out an updated spec (that also incorporates Girish's
feedback) later this week.
- can exclusive stack zones manipulate mac addresses on network
interfaces?
yes- they can use 'ifconfig .. ether<..>'.
.. the address property only clamps dow the IP address,
and makes no promises about the mac address associated with the IP address.
given that one of the motivation for this work is to prevent zones from
using addresses they shouldn't (and there by being capable of DOS-ing
hosts using those addresses) it seems like we should have a zonecfg
mechanism that prevents mac address manipulation. i don't know if that
should be bundled in with this proposed IP limiting mechanism (ie. if a
user specifies an IP address the mac would automatically be locked down)
or if there should be a seperate knob to control this. thoughts?
Rishi Srivatsavai is looking into the work entailed to have mac-nospoof
enabled for NGZ by default.. just talked to Rishi, and I think it makes
sense, as part of that work, to also ensure that the mac address cannot
be changed by ifconfig.
It really doesn't matter what controls you put on changing any
address via ifconfig if hostile behaviour is your concern. As long
as I can open a raw socket for a NIC, I can pump whatever I like
down the wire. To that end, the "allowed-ips" and "mac-nospoof"
filtering in mac are required to prevent hostile behaviour from
the local zone because they both actively filter all packets
transmitted out of the NIC. This is why I earlier asked about
whether or not net-rawaccess could be revoked for such zones.
Darren
_______________________________________________
opensolaris-arc mailing list
opensolaris-arc@opensolaris.org
