Darren Reed wrote:

> I would have liked to have seen this gap filled with the delivery
> of stack instances but you don't see it as a pressing need?

I don't see it as a show-stopper. FWIW the project was renamed to "IP Instances" a while back.

> The use-case model that we got a lot of questions about was when
> people wanted to consolidate servers from a real network into a
> single box, there was no way to control what happens between zones.
>
> Moving to stack instances and delegating root authority to groups
> that aren't necessarily trusted, we're perpetuating the same problem
> whereby we're losing the ability to enforce a network security
> policy on the "host" in question.
>
> Or to put it more clearly, if I today have 2 boxes connected via
> a firewall, if I consolidate them onto 1 host with zones then I
> need pfhooks to bring the firewall into the hosting server.
>
> Roll the clock forward, if I give each of those two zones its
> own stack instance, that firewall capability disappears.

I think that is a misunderstanding. IP Instances solves the problem when zone A wants to use e.g. bge1 and zone B wants to use bge2, with IP-level isolation between them. (It could also be two different VLAN interfaces on e.g. bge0.) In that case there is NO IP communication between bge1 and bge2 inside the box; each zone sends out on its network interface.

*If* the network admin wants to provide restricted communication between zone A and zone B, that is done outside the box, with a router, firewall, or whatever network device would be used if zone A and zone B were separate servers.

> Are you saying here that the current hooks should be moved from inside
> IP to be inside GLD? Or to add additional hooks in GLD?

The latter.

> And when you say inside GLD, do you have any thoughts on if it should
> be inside the MAC code or inside the DLS code?

I have no opinion on that, at least not at the moment.

> My view here was that there would be a single instance of a global policy
> that could be selectively applied to a zone that has an exclusive stack
> instance.
>
> The view that I'm using here is that the global zone is more of
> a provider of services to the individual zones than an actual machine
> itself.

But that approach does nothing for the Xen and LDOMs cases.

Erik