On Fri, May 05, 2006 at 05:23:06PM -0700, Mike Ditto wrote:
> Peter Memishian wrote On 05/05/06 16:47,:
> > > Should there be a different privilege for observing loopback vs.
> > > non-loopback traffic?
> >
> > We're not sure -- we've asked for Casper's thoughts on
> > PRIV_NET_OBSERVABILITY as a whole, but he's on vacation at the moment.
>
> Although I'm not sure, either, it's a very good question. Crossbow
> is another project that will emphasize and proliferate the concept of
> intra-machine traffic moving across internal virtual links, and it
> does seem that there are very different security risks between that
> and traditional networking. (I'm not saying that virtual links have
> greater risks, just that they are so substantially different that
> very different privileges are appropriate to observe them. Because
> I may trust some data to move in the clear between zones/domains that
> I wouldn't place in the clear on a wire, I may trust some people to
> snoop at the wire who I don't want snooping my in-memory virtual
> links.)

Loopback traffic is substantially different from non-loopback in this way: No one wants to bother with crypto over loopback -- that's a waste of resources. The converse, that one badly wants to bother with crypto over non-loopback, follows from the assumption that anything other than loopback is not secure from eavesdroppers.

I'd like us to be able to push this assumption to its limit: make the system configurable so any local user can snoop non-loopback traffic, and *only* non-loopback traffic.

Nico
