Garrett D'Amore
On Jun 11, 2012, at 11:50 AM, Jim Klimov wrote:
> 2012-06-11 18:19, Dan McDonald wrote:
>> The fundamental question is always: What problem are you really trying to
>> solve?
>
> Okay, I found another rationale beside performance and simplified
> intra-zone routing (though not as apparent as exclusive routing).
> It seems that the shared IP stack offers better protection against
> sniffing on colocated environments (i.e. zone-based hosting): it
> is not allowed to use promiscuous mode on NIC aliases used in the
> shared stack, while sniffing does work on exclusive VNICs.
>
> That might be a serious difference in some cases...

As Robert already indicated, it doesn't matter because the traffic you see in
that case is only the traffic that you should see. Still, if you prefer to
disable promiscuous mode, that could easily be made a tunable -- there is
nothing magic here, and a NIC must have explicit logic for promiscuous mode --
it would be relatively trivial to simply refuse to enable promiscuous mode on a
NIC.
That said, I have a hard time seeing what that buys you. If you have root on
the zone, you can look at the traffic likely to be seen anyway, without needing
promiscuous mode. Snoop even offers a non-promiscuous mode, which can be
very helpful.
Perhaps a more valuable feature would be a way to prevent streams other than IP
itself connecting to the NIC, i.e. a special mode of plumbing available only
to the TCP/IP stack, and a way to disable any other ways to push packets up to
userland. (Disabling DLPI for example, although that isn't sufficient.)
But again, we typically assume that with a separate IP stack per zone, a zone
administrator (root within the zone typically) should be able to see and do
anything that the zone would be able to do. The isolation guarantees are made
in the hypervisor, to isolate the zone rather than to isolate functionality
*within* the zone.
- Garrett
>
> HTH,
> //Jim Klimov
-------------------------------------------
illumos-discuss
Archives: https://www.listbox.com/member/archive/182180/=now
RSS Feed: https://www.listbox.com/member/archive/rss/182180/21175430-2e6923be
Modify Your Subscription: https://www.listbox.com/member/?member_id=21175430&id_secret=21175430-6a77cda4
Powered by Listbox: http://www.listbox.com
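As an added illustration of the sniffing concern discussed in this thread (example code, not part of the original mail and not illumos code): a small Python check that parses `ifconfig -a` style flag lines and lists the interfaces that report promiscuous mode, the kind of inventory check a zone or host administrator would run to see whether anything has switched an IP interface to receive all traffic. The sample output is constructed, not captured from a real host; `IFF_PROMISC` is the value of that flag in the illumos `<net/if.h>`. One caveat a practitioner should keep in mind: a DLPI-based sniffer such as snoop attaches below IP and need not set this flag on the IP interface, so this check covers only what the IP layer reports, not every path by which packets can reach userland (the very gap the mail's last suggestion is about).

```python
import re

# Constructed sample of `ifconfig -a` output in the illumos/Solaris format.
# It is not taken from the thread or from any real host.
SAMPLE_IFCONFIG = """\
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
\tinet 127.0.0.1 netmask ff000000
e1000g0: flags=1000943<UP,BROADCAST,RUNNING,PROMISC,MULTICAST,IPv4> mtu 1500 index 2
\tinet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
vnic0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
\tinet 192.0.2.11 netmask ffffff00 broadcast 192.0.2.255
"""

# IFF_PROMISC as defined in illumos <net/if.h>: "receive all packets".
IFF_PROMISC = 0x100

# Matches the header line of each interface: "<name>: flags=<hex><NAME,NAME,...>".
HEADER_RE = re.compile(r'^(?P<name>[^\s:]+): flags=(?P<hex>[0-9a-fA-F]+)<(?P<names>[^>]*)>')


def parse_interfaces(text):
    """Return {ifname: (numeric_flags, set_of_flag_names)} for each header line.

    Continuation lines (inet, netmask, ...) are skipped; only the flags line matters here.
    """
    result = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        value = int(m.group('hex'), 16)
        names = {n for n in m.group('names').split(',') if n}
        result[m.group('name')] = (value, names)
    return result


def promiscuous_interfaces(text):
    """Sorted names of interfaces whose IP-layer flags indicate promiscuous mode.

    An interface is reported if either the IFF_PROMISC bit is set in the numeric
    flags or the symbolic PROMISC name is present; normally both agree.
    """
    found = []
    for name, (value, names) in parse_interfaces(text).items():
        if value & IFF_PROMISC or 'PROMISC' in names:
            found.append(name)
    return sorted(found)


def inconsistent_interfaces(text):
    """Interfaces where the numeric bit and the symbolic PROMISC name disagree.

    A disagreement means the output was not produced by ifconfig as expected
    (truncated, edited, or from a different tool) and should not be trusted.
    """
    bad = []
    for name, (value, names) in parse_interfaces(text).items():
        if bool(value & IFF_PROMISC) != ('PROMISC' in names):
            bad.append(name)
    return sorted(bad)


if __name__ == '__main__':
    # In practice feed it the output of `ifconfig -a` instead of the sample.
    for ifname in promiscuous_interfaces(SAMPLE_IFCONFIG):
        print(f'{ifname}: promiscuous mode is set on the IP interface')
    for ifname in inconsistent_interfaces(SAMPLE_IFCONFIG):
        print(f'{ifname}: flag bits and flag names disagree, output is suspect')
```

Run it against real `ifconfig -a` output by piping it in or reading a file; on the constructed sample it reports only `e1000g0`, the interface whose flags carry `PROMISC`, and finds no inconsistent lines.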