--- Farid Hajji <[EMAIL PROTECTED]> wrote:
> Of course, not every user should have full, unrestricted access to a
> network card. Why? If the card is used concurrently by many users, and
> an ethernet frame is received by the card, where should this frame be
> delivered to? In theory, it could be multiplexed (copied) to every
> network translator that is attached to it. This in itself is not a
> problem, but from a security point of view, it may not be such a good
> idea. Perhaps some frames are only destined to a subset of
> privileged users? You don't want everyone sniffing everything that
> comes in, perhaps hijacking connections, etc... So there is still need
> for policies here. FreeBSD jails solve this particular problem by
> associating a single IP address to every jail and demultiplexing
> the incoming stream of IP packets based on the IP address. In the
> Hurd, another mechanism should be designed, which could perhaps act
> at a lower level (frames).
You probably want to look at http://www.tel.fer.hr/zec/papers/zec-03.pdf .

Peter and I discussed exporting virtual interfaces to sub-hurds and bridging traffic (vlans anyone?) to them. The way BSD's jail works, i.e. demuxing IP addresses to their respective jails, is somewhat defunct. The main argument for allowing sub-hurds to attach their own stacks is for protocol testing and development; in other words, you can't have the main hurd image care about the IPv4 and v6 address assigned to each sub-hurd, and the situation gets even worse when people start running ipx, atalk, etc. in their own sub-hurds.

Chaow,
kotry

_______________________________________________
Help-hurd mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/help-hurd
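The two demultiplexing strategies argued over in this thread, side by side, as an added illustration that is not part of the mailing-list exchange and not code from the Hurd or FreeBSD: jail-style demux keys on the destination IPv4 address, so it has no answer for an IPX or AppleTalk frame, while frame-level demux keys on the 802.1Q VLAN tag and works for any EtherType. Frames that match no sub-hurd are dropped rather than copied to everyone, which is the sniffing concern raised in the quoted message. The MAC addresses, IP addresses, VLAN ids and sub-hurd names are constructed for the example.

```python
"""Frame-level vs. IP-level demultiplexing of a shared network card.

Constructed example: small Ethernet II frames, optionally 802.1Q-tagged,
are handed to one of several "sub-hurds" either by destination IPv4
address (jail style) or by VLAN tag (frame level). All identifiers are
made up for illustration.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137
ETHERTYPE_ATALK = 0x809B  # AppleTalk (EtherTalk phase 2)


def build_frame(dst_mac, src_mac, ethertype, payload, vlan=None):
    """Build a raw Ethernet II frame; insert an 802.1Q tag if vlan is given."""
    hdr = dst_mac + src_mac
    if vlan is not None:
        # TPID 0x8100, then TCI with priority 0, DEI 0 and the 12-bit VLAN id
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload); reject runt/truncated frames."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return vlan, ethertype, frame[offset:]


def ipv4_header(src, dst, proto=17):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed test data)."""
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, s, d)


def ipv4_dst(payload):
    """Destination address of an IPv4 payload, or None if it is not IPv4-shaped."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    return ".".join(str(b) for b in payload[16:20])


def demux_by_ip(frame, ip_owner):
    """Jail style: only IPv4 frames can be classified; everything else has no owner."""
    _, ethertype, payload = parse_frame(frame)
    if ethertype != ETHERTYPE_IPV4:
        return None
    return ip_owner.get(ipv4_dst(payload))


def demux_by_vlan(frame, vlan_owner):
    """Frame level: the VLAN tag decides, regardless of the protocol inside."""
    vlan, _, _ = parse_frame(frame)
    # untagged (None) or unassigned VLAN -> None, i.e. dropped, never broadcast
    return vlan_owner.get(vlan)


# Constructed addresses and ownership tables
MAC_NIC = bytes.fromhex("020000000001")
MAC_PEER = bytes.fromhex("020000000002")
IP_OWNER = {"10.0.0.2": "sub-hurd-A", "10.0.0.3": "sub-hurd-B"}
VLAN_OWNER = {10: "sub-hurd-A", 20: "sub-hurd-B"}

SAMPLE_FRAMES = {
    "ipv4 to A": build_frame(MAC_NIC, MAC_PEER, ETHERTYPE_IPV4,
                             ipv4_header("10.0.0.9", "10.0.0.2"), vlan=10),
    "ipx on B's vlan": build_frame(MAC_NIC, MAC_PEER, ETHERTYPE_IPX,
                                   b"\xff\xff\x00\x1e", vlan=20),
    "atalk on unknown vlan": build_frame(MAC_NIC, MAC_PEER, ETHERTYPE_ATALK,
                                         b"\x00" * 5, vlan=99),
    "untagged ipv4 to unknown host": build_frame(MAC_NIC, MAC_PEER, ETHERTYPE_IPV4,
                                                 ipv4_header("10.0.0.9", "10.0.0.77")),
}


def classify_all(frames=SAMPLE_FRAMES):
    """Map each sample frame to (owner by IP demux, owner by VLAN demux)."""
    return {name: (demux_by_ip(f, IP_OWNER), demux_by_vlan(f, VLAN_OWNER))
            for name, f in frames.items()}


if __name__ == "__main__":
    for name, (by_ip, by_vlan) in classify_all().items():
        print(f"{name:32s} ip-demux={by_ip!s:12s} vlan-demux={by_vlan}")
```

The IPX frame is the interesting row: IP demux returns no owner at all, so a jail-style design would have to either drop it or hand it to every stack, whereas the VLAN demux delivers it to the sub-hurd that owns VLAN 20 without knowing anything about IPX. The unassigned-VLAN and unknown-host rows show both demuxers returning None, which is the policy outcome the quoted message asks for.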
