Re: Should jail treat ip-number?
In message [EMAIL PROTECTED], Yoshinobu Inoue writes:

> -Only think about inet and inet6. Forget about other protocol families and sockaddr. (Just as the current jail only thinks about inet.)

This has basically been the policy until now: Don't worry about a protocol until somebody needs it.

> -Just add an in6_addr structure (IPv6 address) member "ip6_number" into the jail structure.
> -Jail(2) specifies "ip_number" and/or "ip6_number" into the kernel.

Well, I guess we want it to be "and", right ? Will people want to bind both an IPv4 and IPv6 address (does it make sense to do so ?) or will people only need to bind one of them ?

> -Kernel treats "ip6_number" as just the same kind of extension for IPv6 as "ip_number" for IPv4.

I'm not against them being sockaddr's.

> -Jail(8) command can also accept a DNS name, and then it resolves the name internally and, if an A record is obtained, specifies its address into "ip_number". If record is obtained, also specifies its address into "ip6_number".

Sure, this is trivial to do.

-- 
Poul-Henning Kamp             FreeBSD coreteam member
[EMAIL PROTECTED]               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: Should jail treat ip-number?
Yoshinobu Inoue wrote:
> -As already commented, checking those addresses which are already specified by other jail'ed processes is necessary.

I disagree. The address is specified by the admin of the machine. Letting him shoot himself in the foot is not particularly bad, and the test can be performed by the userland tools used to manage the machine.

> solution:
>  Don't specify addresses via jail(2), and let the kernel select any non-bound address. Loop the in_ifaddr list and try in_pcblookup_hash() for each of the addresses, just as in_pcbbind does it to search for a non-bound port.
>  A weak point of this solution is that processes in the same jail won't necessarily be bound to the same address, but does it matter?

Ok, question: I "buy" a virtual server on the machine to run an internet daemon of mine. I need the IP to that server to access the daemon. How does the admin of the machine ensure that _my_ jail will always have the fixed IP assigned to me with your solution?

-- 
Daniel C. Sobral (8-DCS)
[EMAIL PROTECTED]
[EMAIL PROTECTED]

"Then again maybe not going to heaven would be a blessing. Relkin liked a certain amount of peace and harmony, since there'd been a pronounced shortage of them in his own life; however, nothing but peace and harmony, forever and forever? He wasn't sure about that. And no beer? Very dubious proposition."
Re: Should jail treat ip-number?
Poul-Henning Kamp wrote:
> > -Jail(2) specifies "ip_number" and/or "ip6_number" into the kernel.
> 
> Well, I guess we want it to be "and", right ? Will people want to bind both an IPv4 and IPv6 address (does it make sense to do so ?) or will people only need to bind one of them ?

What about multiple IPv6 or IPv4 addresses per jail? It might be a good idea while Inoue-san is at it. Or is this an incredibly stupid question?

Cheers,
Jeroen
-- 
Jeroen C. van Gelderen - [EMAIL PROTECTED]
Interesting read: http://www.vcnet.com/bms/ JLF
Re: Should jail treat ip-number?
> Poul-Henning Kamp wrote:
> > > -Jail(2) specifies "ip_number" and/or "ip6_number" into the kernel.
> > 
> > Well, I guess we want it to be "and", right ? Will people want to bind both an IPv4 and IPv6 address (does it make sense to do so ?) or will people only need to bind one of them ?
> 
> What about multiple IPv6 or IPv4 addresses per jail? It might be a good idea while Inoue-san is at it. Or is this an incredibly stupid question?

I don't know how technically difficult it would be to allow multiple IPv4 and IPv6 addresses per jail, but I can think of a few very good things to do with it. I spend a fair amount of time playing with routing protocols and it would be wonderful to be able to create jailed versions of gated/zebra/rodscode on the same box and watch them interact. It would probably cut the size of my hardware lab used for this now in half or maybe even quarter it!

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25) [EMAIL PROTECTED]
Re: Should jail treat ip-number?
> > > > -Jail(2) specifies "ip_number" and/or "ip6_number" into the kernel.
> > > 
> > > Well, I guess we want it to be "and", right ? Will people want to bind both an IPv4 and IPv6 address (does it make sense to do so ?) or will people only need to bind one of them ?

I also think it is "and", but maybe some time some application just uses one of them and specifies the other family's addr as null. So I used "and/or".

> > What about multiple IPv6 or IPv4 addresses per jail? It might be a good idea while Inoue-san is at it. Or is this an incredibly stupid question?
> 
> I don't know how technically difficult it would be to allow multiple IPv4 and IPv6 addresses per jail, but I can think of a few very good things to do with it. I spend a fair amount of time playing with routing protocols and it would be wonderful to be able to create jailed versions of gated/zebra/rodscode on the same box and watch them interact. It would probably cut the size of my hardware lab used for this now in half or maybe even quarter it!

I'm not sure if multiple addrs for each address family will be useful or not. But at least, I think several other changes (e.g. a kernel routing table implementation change, or preparing several virtual ones in user-land) will also be necessary for several instances of each routing protocol implementation to operate on a system.

> > -Kernel treats "ip6_number" as just the same kind of extension for IPv6 as "ip_number" for IPv4.
> 
> I'm not against them being sockaddr's.

I think it depends on if we allow multiple addrs per address family. If we don't allow it, I think sockaddr is not better, because,
 -Need to explicitly forbid multiple same-family specification (e.g. either of the sockaddrs is AF_INET) in the API.
 -Kernel side also needs to check the (1) case, and do some additional work. (return error, or prefer the former or the latter)
 -When more sockaddr's are added in the future, things will be more complicated.

If we allow it (multiple addrs per address family), then I think a sockaddr list pointer member and a total sockaddr count member should be added, and they are searched in prison_ip(), prison_ip6() or such like that in the kernel. But again, I'm not sure how multiple addrs per address family is useful.

If explicit needs for "multiple addrs per address family" are not clear now, I would like to try to implement just adding the ip6_number member for this time.

Yoshinobu Inoue
Re: Should jail treat ip-number?
> > > > > -Jail(2) specifies "ip_number" and/or "ip6_number" into the kernel.
> > > > 
> > > > Well, I guess we want it to be "and", right ? Will people want to bind both an IPv4 and IPv6 address (does it make sense to do so ?) or will people only need to bind one of them ?
> 
> I also think it is "and", but maybe some time some application just uses one of them and specifies the other family's addr as null. So I used "and/or".
> 
> > > What about multiple IPv6 or IPv4 addresses per jail? It might be a good idea while Inoue-san is at it. Or is this an incredibly stupid question?
> > 
> > I don't know how technically difficult it would be to allow multiple IPv4 and IPv6 addresses per jail, but I can think of a few very good things to do with it. I spend a fair amount of time playing with routing protocols and it would be wonderful to be able to create jailed versions of gated/zebra/rodscode on the same box and watch them interact. It would probably cut the size of my hardware lab used for this now in half or maybe even quarter it!
> 
> I'm not sure if multiple addrs for each address family will be useful or not.

Just about anything useful in a non-jailed world is useful in a jailed world. Other applications for this would be a jailed NAT router, the ability to jail our dual homed DNS and web services where everything is fully redundant right down to dual nics in every box, dual switches and 2 IP's on separate blocks with DNS running on 2 boxes at 4 IP's. We do things for Telco's and they are really big into redundancy by duality, and that means 2 IP's inside a jail, or 2 jails.

> But at least, I think several other changes (e.g. a kernel routing table implementation change, or preparing several virtual ones in user-land) will also be necessary for several instances of each routing protocol implementation to operate on a system.

You're correct, I had not taken that thought far enough to think about the fact that the kernel routing table is a shared resource. Is it protected from modification by a jailed process?

> > > -Kernel treats "ip6_number" as just the same kind of extension for IPv6 as "ip_number" for IPv4.
> > 
> > I'm not against them being sockaddr's.
> 
> I think it depends on if we allow multiple addrs per address family. If we don't allow it, I think sockaddr is not better, because,
>  -Need to explicitly forbid multiple same-family specification (e.g. either of the sockaddrs is AF_INET) in the API.
>  -Kernel side also needs to check the (1) case, and do some additional work. (return error, or prefer the former or the latter)
>  -When more sockaddr's are added in the future, things will be more complicated.
> 
> If we allow it (multiple addrs per address family), then I think a sockaddr list pointer member and a total sockaddr count member should be added, and they are searched in prison_ip(), prison_ip6() or such like that in the kernel. But again, I'm not sure how multiple addrs per address family is useful.
> 
> If explicit needs for "multiple addrs per address family" are not clear now, I would like to try to implement just adding the ip6_number member for this time.

I think that this is probably the best path at this time.

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25) [EMAIL PROTECTED]
Re: Should jail treat ip-number?
> > I'm not against adding IPv6 functionality to jail(2), my point is merely that until somebody who has sufficient time and ability to fiddle with it does it, it's not going to happen. The usual rule applies: "Great idea, why don't you send me patches which do this ?"
> 
> OK, then I'll try making patches and send them to you. My current idea is to add a new member, a pointer to sockaddr, to the jail structure, and leave the current ip_number member for backward compatibility. (Also with associated changes in the kernel and the jail command)

> There's been a discussion a few weeks ago on freebsd-security on this very matter. See attached mail below. The conclusion was that jail(2) should be fixed to use a sockaddr instead of a 32 bit int to specify the address. That seems to be the first logical step, even before making jail(2) IPv6-compliant.

In implementing the jail sockaddr extension trial, I found some problems, and now have a possible solution.

problems:
 -Any process in a jail might want to use several protocol families at the same time. So jail(2) needs to specify every address of those possible address families. (AF_INET, AF_INET6, AF_IPX, AF_APPLETALK, and so on) To do this, the jail structure needs to have not only a sockaddr but a list of several sockaddrs, and they are specified via jail(2). But I don't like such an extension, because,
   -It is complicated. Error checking will be difficult.
   -The user interface will also become complicated, and difficult to use.
   -As already commented, checking those addresses which are already specified by other jail'ed processes is necessary.

solution:
 Don't specify addresses via jail(2), and let the kernel select any non-bound address. Loop the in_ifaddr list and try in_pcblookup_hash() for each of the addresses, just as in_pcbbind does it to search for a non-bound port.
 A weak point of this solution is that processes in the same jail won't necessarily be bound to the same address, but does it matter?

Yoshinobu Inoue
Re: Should jail treat ip-number?
In message [EMAIL PROTECTED], Yoshinobu Inoue writes:

> solution:
>  Don't specify addresses via jail(2), and let the kernel select any non-bound address.

No, that doesn't work. People want to run servers so they want to know their IP for DNS.

>  A weak point of this solution is that processes in the same jail won't necessarily be bound to the same address, but does it matter?

Yes, that also matters, this is an administrative facility.

-- 
Poul-Henning Kamp             FreeBSD coreteam member
[EMAIL PROTECTED]               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
Re: Should jail treat ip-number?
> > solution:
> >  Don't specify addresses via jail(2), and let the kernel select any non-bound address.
> 
> No, that doesn't work. People want to run servers so they want to know their IP for DNS.

Hmmm, I wish I could just let jail(2) pass a DNS name into the kernel, but the implementation in the kernel won't be easy nor clean.

Yoshinobu Inoue
Re: Should jail treat ip-number?
> > >  Don't specify addresses via jail(2), and let the kernel select any non-bound address.
> > 
> > No, that doesn't work. People want to run servers so they want to know their IP for DNS.
> 
> Hmmm, I wish I could just let jail(2) pass a DNS name into the kernel, but the implementation in the kernel won't be easy nor clean.

Then I have a new proposal which might not be so clean but I think it is somewhat practical.

 -Only think about inet and inet6. Forget about other protocol families and sockaddr. (Just as the current jail only thinks about inet.)
 -Just add an in6_addr structure (IPv6 address) member "ip6_number" into the jail structure.
 -Jail(2) specifies "ip_number" and/or "ip6_number" into the kernel.
 -Kernel treats "ip6_number" as just the same kind of extension for IPv6 as "ip_number" for IPv4.
 -Jail(8) command can also accept a DNS name, and then it resolves the name internally and, if an A record is obtained, specifies its address into "ip_number". If record is obtained, also specifies its address into "ip6_number".

Yoshinobu Inoue
Re: Should jail treat ip-number?
In message [EMAIL PROTECTED] Ollivier Robert writes:
: NAT breaks too many things (like IPsec, incoming connections and many
: protocols) to be anything else than an abomination in my eyes.

It breaks any protocol that encodes an IP address and/or a port into the data stream. Without datastream snooping and translation, talk, ftp, real audio and a few others would break. When I was working on TIA (a commercial SLIRP-like program) we ran into these problems all the time. As soon as we put in upgrades for a recently released protocol, a new one would come along, or an old one would break in subtle ways (eg, we did the translation when we had no business doing the translation) leading to configuration nightmares. When it worked it was cool, when it didn't...

This is why you can't, for example, NAT China :-)

Warner
Re: Should jail treat ip-number?
According to H. Eckert:
> Actually I like the fact very much that I can put my other machines behind my NAT gateway and have them not exposed too

NAT breaks too many things (like IPsec, incoming connections and many protocols) to be anything else than an abomination in my eyes. YMMV of course.

-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- [EMAIL PROTECTED]
FreeBSD keltia.freenix.fr 4.0-CURRENT #75: Tue Nov 2 21:03:12 CET 1999
Re: Should jail treat ip-number?
Ollivier Robert wrote:
> According to Ted Faber:
> > If you're using OSI and betting on IPv6 in the near term, you may be rowing for the wrong shore. :-)
> 
> It is more complicated than that. The _current_ equipment is not using anything (neither OSI nor IPv6). There is currently no datalink between ground and airplanes

??? I thought SITA used some parts of the OSI model for their data transmitting system, I installed such a station here in Iceland 10 years ago and the technician told me that it worked very similar to radio amateur packet, AX25, which is an OSI model application. Am I right, or not following ?

> It is the next generation (the one for the next century) where some people want to put OSI on ! They have been working for more than 12 years to get OSI working and they still haven't succeeded...

-- 
Thordur Ivarsson
Re: Should jail treat ip-number?
[ getting off-topic, redirected to -chat ]

According to Thordur Ivarsson:
> ??? I thought SITA used some parts of the OSI model for their data transmitting system, I installed such a station here in Iceland 10 years ago and the technician told me that it worked very similar to radio amateur packet, AX25, which is an OSI model application.

For the SITA network probably but not for air-ground communications. Nothing close to a datalink is operational right now.

-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- [EMAIL PROTECTED]
FreeBSD keltia.freenix.fr 4.0-CURRENT #75: Tue Nov 2 21:03:12 CET 1999
Re: Should jail treat ip-number?
In message [EMAIL PROTECTED], John Hay writes:
> > > My concerns are,
> > > (1)When IPv6 is added to the system, a more general id would be desirable.
> > 
> > I agree, *IF* IPv6 ever becomes a reality, we will look at this.
> 
> So when will you consider that it became a reality? :-) Or am I just dreaming that some operating systems and routers ship with IPv6 and that IANA, ARIN, APNIC and RIPE are dishing out IPv6 addresses and that we are in the process of getting Kame integrated into FreeBSD? :-)

Once I have 50% or more of my users using IPv6 I'll consider it a reality. So far IPv6 has gotten no further than OSI ever did.

-- 
Poul-Henning Kamp             FreeBSD coreteam member
[EMAIL PROTECTED]               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
Re: Should jail treat ip-number?
> > > > My concerns are,
> > > > (1)When IPv6 is added to the system, a more general id would be desirable.
> > > 
> > > I agree, *IF* IPv6 ever becomes a reality, we will look at this.
> > 
> > So when will you consider that it became a reality? :-) Or am I just dreaming that some operating systems and routers ship with IPv6 and that IANA, ARIN, APNIC and RIPE are dishing out IPv6 addresses and that we are in the process of getting Kame integrated into FreeBSD? :-)
> 
> Once I have 50% or more of my users using IPv6 I'll consider it a reality.

hehehe, but your users will not move to IPv6, because they will say: "We are used to being able to use jail on IPv4 and you say we must wait until there is more than 50% of us using IPv6 before we will get jail for IPv6?". :-) And we can substitute whatever functionality for jail. If we want people to even think of moving to IPv6 we will have to make as much of FreeBSD's functionality work on there as possible.

> So far IPv6 has gotten no further than OSI ever did.

I think I was lucky to have mostly been screened from OSI, so I can't really compare them. IPv6 seems quite alive to me though.

John
-- 
John Hay -- [EMAIL PROTECTED]
Re: Should jail treat ip-number?
In message [EMAIL PROTECTED], John Hay writes:
> If we want people to even think of moving to IPv6 we will have to make as much of FreeBSD's functionality work on there as possible.

I personally do not see IPv6 as being desirable at this time. It suffers from second systems syndrome and doesn't provide any benefit for the end-user so there is no incentive for users to upgrade.

> > So far IPv6 has gotten no further than OSI ever did.
> 
> I think I was lucky to have mostly been screened from OSI, so I can't really compare them. IPv6 seems quite alive to me though.

Ohh, OSI was quite alive for a long time as well, until the government funded life-support was cut, then it evaporated overnight.

-- 
Poul-Henning Kamp             FreeBSD coreteam member
[EMAIL PROTECTED]               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
Re: Should jail treat ip-number?
> > I agree, *IF* IPv6 ever becomes a reality, we will look at this.
> 
> So when will you consider that it became a reality? :-) Or am I just dreaming that some operating systems and routers ship with IPv6 and that IANA, ARIN, APNIC and RIPE are dishing out IPv6 addresses and that we are in the process of getting Kame integrated into FreeBSD? :-)

When there are several Internet Exchange points with routers using non-tunneled IPv6, exchanging significant traffic?

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
Re: Should jail treat ip-number?
In message [EMAIL PROTECTED], Jamie Bowden writes:
> -security stripped
> 
> On Tue, 9 Nov 1999, Poul-Henning Kamp wrote:
> 
> :In message [EMAIL PROTECTED], Yoshinobu Inoue writes:
> :(2)What is the goal of the restriction?
> 
> :To isolate people in the jail from the "real" machine and from
> :other jails.
> 
> What does jail do that chroot doesn't? I've seen several discussions on jail on -hackers, but no explanation of why it was implemented, or how it's different from chroot.

1. All tcp/ip forced to use a particular IP#. This allows you to have several inetd/sendmail/apache running, one per jail.

2. Many things which root can normally do cannot be done if root is jailed.

-- 
Poul-Henning Kamp             FreeBSD coreteam member
[EMAIL PROTECTED]               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
Re: Should jail treat ip-number?
> I agree, *IF* IPv6 ever becomes a reality, we will look at this.

Actually I just started to import KAME into freebsd-current, and found jail code in the kernel pcb part.

> > If we want people to even think of moving to IPv6 we will have to make as much of FreeBSD's functionality work on there as possible.

Just for the same reason, I would like to make IPv6 available also for the jail functionality.

> I personally do not see IPv6 as being desirable at this time. It suffers from second systems syndrome and doesn't provide any benefit for the end-user so there is no incentive for users to upgrade.

But there are also some people like me who think IPv6 gives several benefits for the end-user that IPv4 can't give. Then do you think even such people should not update jail to support IPv6?

> :(2)What is the goal of the restriction?
> 
> :To isolate people in the jail from the "real" machine and from
> :other jails.
> 
> 1. All tcp/ip forced to use a particular IP#. This allows you to have several inetd/sendmail/apache running, one per jail.

My imagination was poor, and thanks for your explanation. Now I have a new concern and comment.

(1)It seems to me that once an IP# is specified for a jail, then that IP# should not be re-specified for another jail. Is this true?

(2)If (1) is true, then the number of jails is restricted to the number of IP addresses assigned to that machine. Then IPv6 support for jail should be a very good thing, because extremely many IP addresses become available for a machine with IPv6. (which is not so with IPv4)

Yoshinobu Inoue
Re: Should jail treat ip-number?
In message [EMAIL PROTECTED], Yoshinobu Inoue writes:
> (1)It seems to me that once an IP# is specified for a jail, then that IP# should not be re-specified for another jail. Is this true?

Generally yes, although nothing in the code tries to (nor should it try to) enforce it.

> (2)If (1) is true, then the number of jails is restricted to the number of IP addresses assigned to that machine. Then IPv6 support for jail should be a very good thing, because extremely many IP addresses become available for a machine with IPv6. (which is not so with IPv4)

I'm not against adding IPv6 functionality to jail(2), my point is merely that until somebody who has sufficient time and ability to fiddle with it does it, it's not going to happen. The usual rule applies: "Great idea, why don't you send me patches which do this ?"

-- 
Poul-Henning Kamp             FreeBSD coreteam member
[EMAIL PROTECTED]               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
Re: Should jail treat ip-number?
> I'm not against adding IPv6 functionality to jail(2), my point is merely that until somebody who has sufficient time and ability to fiddle with it does it, it's not going to happen. The usual rule applies: "Great idea, why don't you send me patches which do this ?"

OK, then I'll try making patches and send them to you. My current idea is to add a new member, a pointer to sockaddr, to the jail structure, and leave the current ip_number member for backward compatibility. (Also with associated changes in the kernel and the jail command)

Yoshinobu Inoue
Re: Should jail treat ip-number?
In message [EMAIL PROTECTED] Jamie Bowden writes:
: What does jail do that chroot doesn't? I've seen several discussions on
: jail on -hackers, but no explanation of why it was implemented, or how
: it's different from chroot.

It restricts root's ability to do things which would otherwise allow it, among other things, to climb out of a chroot'd directory. It also doesn't allow root to create device entries, which helps to keep your data safer.

Warner
Re: Should jail treat ip-number?
According to Poul-Henning Kamp:
> I personally do not see IPv6 as being desirable at this time.

I see it as very desirable now for several reasons besides the usual ones (shortage of address space, explosion of routing tables):

- it provides true mobility (still in the works I know),
- the larger address space enables one to avoid the NAT abomination,
- security is mandatory (even if many people don't want the overhead),
- autoconfiguration is really great

> Ohh, OSI was quite alive for a long time as well, until the government funded life-support was cut, then it evaporated overnight.

OSI is still present in two major areas: telecom systems (GSM, supervision of the same) and Aeronautical systems (Air Traffic Management / Control). I work in the latter and we're pushing IPv6 as much as we can.

-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- [EMAIL PROTECTED]
FreeBSD keltia.freenix.fr 4.0-CURRENT #75: Tue Nov 2 21:03:12 CET 1999
Re: Should jail treat ip-number?
Ollivier Robert wrote:
> OSI is still present in two major areas: telecom systems (GSM, supervision of the same) and Aeronautical systems (Air Traffic Management / Control). I work in the latter and we're pushing IPv6 as much as we can.

Suddenly I'm in no hurry to fly home for Christmas.

If you're using OSI and betting on IPv6 in the near term, you may be rowing for the wrong shore. :-)

-- 
Ted Faber    [EMAIL PROTECTED]
USC/ISI Computer Scientist    http://www.isi.edu/~faber
(310) 822-1511 x190    PGP Keys: http://www.isi.edu/~faber/pubkeys.asc
Re: Should jail treat ip-number?
On Tue, Nov 09, 1999 at 12:54:45PM +0900, Yoshinobu Inoue wrote:
> Currently jail sets an ip-number and lets prisoned processes only bind to it.

[ the current jail(2) interface and its future WRT IPv6 ]

> I think the kernel change will not be so much for any of the above additions or changes, but there will be some backward compatibility issue for the API. (some member additions to the jail structure, and jail command extensions)

There's been a discussion a few weeks ago on freebsd-security on this very matter. See attached mail below. The conclusion was that jail(2) should be fixed to use a sockaddr instead of a 32 bit int to specify the address. That seems to be the first logical step, even before making jail(2) IPv6-compliant.

Pierre

Date: Sun, 19 Sep 1999 11:58:39 -0400 (EDT)
From: Garrett Wollman [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
To: Matthew Dillon [EMAIL PROTECTED]
Cc: Poul-Henning Kamp [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: BPF on in 3.3-RC GENERIC kernel
In-Reply-To: [EMAIL PROTECTED]
References: [EMAIL PROTECTED] [EMAIL PROTECTED]

On Sat, 18 Sep 1999 22:51:14 -0700 (PDT), Matthew Dillon [EMAIL PROTECTED] said:
> struct sockaddr is the standard for specifying an IP address. Jail isn't using it, not even for IPV4. It's using an unsigned 32 bit int. Hell, it isn't even using a struct in_addr! The field is plain and simply inappropriately specified in the structure.

For once, I agree with Matt. As titular networking czar, I'm asking you, Poul, to please fix the interface.

-GAWollman

-- 
Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same
[EMAIL PROTECTED] | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick
Re: Should jail treat ip-number?
> > Then IPv6 support for jail should be a very good thing, because extremely many IP addresses become available for a machine with IPv6. (which is not so with IPv4)
> 
> We have a number of machines with many thousands of IP addresses using the patch in PR#12071. It isn't as general a solution as using a hash table to lookup interface aliases (as in NetBSD or BSDI) but it is much easier to manage one alias per CIDR block than 254 aliases per /24 (say).
> 
> Tony.
> -- 
> let it be dot at

The patch is interesting and seems efficient, and the same kind of fix for IPv6 might also work. But my point is that, in a public internet environment where global IPv4 addrs are necessary, there is another issue of actual IPv4 addr shortage, isn't there?

Yoshinobu Inoue
Re: Should jail treat ip-number?
In message [EMAIL PROTECTED], Yoshinobu Inoue writes:
> Hello,
> 
> I have some concerns about jail, and would like to discuss them.
> 
> Currently jail sets an ip-number and lets prisoned processes only bind to it.
> 
> My concerns are,
> (1)When IPv6 is added to the system, a more general id would be desirable.

I agree, *IF* IPv6 ever becomes a reality, we will look at this.

> (2)What is the goal of the restriction?

To isolate people in the jail from the "real" machine and from other jails.

If physical level access protection is wanted, it isn't.

-- 
Poul-Henning Kamp             FreeBSD coreteam member
[EMAIL PROTECTED]               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
Re: Should jail treat ip-number?
> > I have some concerns about jail, and would like to discuss them.
> > 
> > Currently jail sets an ip-number and lets prisoned processes only bind to it.
> > 
> > My concerns are,
> > (1)When IPv6 is added to the system, a more general id would be desirable.
> 
> I agree, *IF* IPv6 ever becomes a reality, we will look at this.

So when will you consider that it became a reality? :-) Or am I just dreaming that some operating systems and routers ship with IPv6 and that IANA, ARIN, APNIC and RIPE are dishing out IPv6 addresses and that we are in the process of getting Kame integrated into FreeBSD? :-)

John
-- 
John Hay -- [EMAIL PROTECTED]
Re: Should jail treat ip-number?
Yoshinobu Inoue wrote:
> If explicit needs for "multiple addrs per address family" are not clear now, I would like to try to implement just adding the ip6_number member for this time.

I think sockaddrs are better because they allow you to change to multiple IP support without changing the interface again. Or you can add IPX (whatever) support without disturbing existing applications...

I'd say (but I'm not a real hacker) make jail accept a list of sockaddrs and -for now- disallow anything except a single IPv4 and a single IPv6 address in that list. I'm now pretty sure multiple IPs per jail is a good idea, but you can easily defer implementation to some point in the future...

Cheers,
Jeroen
-- 
Jeroen C. van Gelderen - [EMAIL PROTECTED]
Interesting read: http://www.vcnet.com/bms/ JLF
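The sockaddr-list design sketched earlier in the thread (a list plus a count, searched by a prison_ip()/prison_ip6()-style check at bind time) together with Jeroen's "one IPv4 and one IPv6 for now" restriction, modelled in user-space C as an added example. This is not FreeBSD's jail code: struct jail_addrs, jail_add_addr, jail_check_bind, bind_resolves_to and sample_jail are hypothetical names, and 192.0.2.10 / 2001:db8::10 are constructed documentation addresses.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define JAIL_MAX_ADDRS 2  /* hypothetical: at most one AF_INET plus one AF_INET6 */

/* Hypothetical extended jail record: a short sockaddr list plus a count,
 * in place of the single 32-bit ip_number the thread criticises. */
struct jail_addrs {
    struct sockaddr_storage addrs[JAIL_MAX_ADDRS];
    int naddrs;
};

/* Parse a textual IPv4 or IPv6 address into a zeroed sockaddr; 0 or -1. */
static int parse_addr(const char *ip, struct sockaddr_storage *ss)
{
    memset(ss, 0, sizeof *ss);
    if (strchr(ip, ':')) {
        struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;
        s6->sin6_family = AF_INET6;
        return inet_pton(AF_INET6, ip, &s6->sin6_addr) == 1 ? 0 : -1;
    }
    struct sockaddr_in *s4 = (struct sockaddr_in *)ss;
    s4->sin_family = AF_INET;
    return inet_pton(AF_INET, ip, &s4->sin_addr) == 1 ? 0 : -1;
}

/* Attach an address to a jail. Unsupported families and a second address of
 * a family already present are refused (the "one of each for now" rule). */
int jail_add_addr(struct jail_addrs *j, const char *ip)
{
    struct sockaddr_storage ss;
    if (parse_addr(ip, &ss) < 0 || j->naddrs >= JAIL_MAX_ADDRS)
        return -1;
    for (int i = 0; i < j->naddrs; i++)
        if (j->addrs[i].ss_family == ss.ss_family)
            return -1;
    j->addrs[j->naddrs++] = ss;
    return 0;
}

/* Model of a prison_ip()/prison_ip6()-style check on bind(2): a wildcard is
 * rewritten to the jail's address of that family, an exact match is accepted,
 * anything else is refused. Returns 0 if the bind may proceed, -1 if not. */
int jail_check_bind(const struct jail_addrs *j, struct sockaddr_storage *want)
{
    for (int i = 0; i < j->naddrs; i++) {
        const struct sockaddr_storage *have = &j->addrs[i];
        if (have->ss_family != want->ss_family)
            continue;
        if (want->ss_family == AF_INET) {
            struct sockaddr_in *w = (struct sockaddr_in *)want;
            const struct sockaddr_in *h = (const struct sockaddr_in *)have;
            if (w->sin_addr.s_addr == htonl(INADDR_ANY))
                w->sin_addr = h->sin_addr;
            return w->sin_addr.s_addr == h->sin_addr.s_addr ? 0 : -1;
        }
        struct sockaddr_in6 *w = (struct sockaddr_in6 *)want;
        const struct sockaddr_in6 *h = (const struct sockaddr_in6 *)have;
        if (IN6_IS_ADDR_UNSPECIFIED(&w->sin6_addr))
            w->sin6_addr = h->sin6_addr;
        return memcmp(&w->sin6_addr, &h->sin6_addr, sizeof w->sin6_addr) == 0 ? 0 : -1;
    }
    return -1; /* no address of this family in the jail: refuse, never fall back to the host's */
}

/* Returns 1 if a jailed bind to `want` is allowed and the address actually
 * used is `expect`, else 0. */
int bind_resolves_to(const struct jail_addrs *j, const char *want, const char *expect)
{
    struct sockaddr_storage ss, ex;
    if (parse_addr(want, &ss) < 0 || parse_addr(expect, &ex) < 0)
        return 0;
    if (jail_check_bind(j, &ss) < 0)
        return 0;
    return memcmp(&ss, &ex, sizeof ss) == 0;
}

/* Constructed sample: one jail holding a documentation IPv4 and IPv6 address. */
const struct jail_addrs *sample_jail(void)
{
    static struct jail_addrs j;
    if (j.naddrs == 0) {
        jail_add_addr(&j, "192.0.2.10");
        jail_add_addr(&j, "2001:db8::10");
    }
    return &j;
}

int main(void)
{
    const struct jail_addrs *j = sample_jail();
    printf("0.0.0.0 -> jail v4 address: %d\n", bind_resolves_to(j, "0.0.0.0", "192.0.2.10"));
    printf(":: -> jail v6 address: %d\n", bind_resolves_to(j, "::", "2001:db8::10"));
    printf("foreign 192.0.2.11 allowed: %d\n", bind_resolves_to(j, "192.0.2.11", "192.0.2.11"));
    return 0;
}
```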