Nicolas Williams writes:
> > That ignores both the datagram- versus connection-oriented issues
> > (read and write are not at all the same as accept and connect), as
> > well as the interesting wrinkles added by Zones.
>
> Not really. It says each datagram is like a connection with one-way
> data flow. A pretty big hammer, sure, but the whole notion of basic
> privileges for controlling networking seems like a pretty big hammer.

It's not just a "big hammer," I think it's a broken one.

> > Is loopback (127.1) an IPC or a network? Is a separate zone on the
> > same machine an IPC?
>
> IMO "end-points in different zones" means "this isn't IPC."

That might be true in some usages, but not true in others.

For instance, suppose I have applications segregated by zone. I have one
application (say, a web server) that is permitted to talk to the Internet.
The other applications in the other zones are not permitted to talk to the
Internet, but they do talk to the web server. Should I be thinking about
revoking PRIV_NET_(something) from those other zones? If zones are treated
as non-IPC, then the answer is no, I can't do that. If they're treated as
IPC, then I can.

More fundamentally, I'm not sure where the line is between a feature like
this and something like IP Filter. If we have both, how do they interact?

(You didn't answer the questions about loopback addresses, versus drivers
that behave as loopback or IPCs, and versus local but non-loopback and
non-zoned IP addresses. I'll assume they're all under the IPC umbrella, but
I don't know the right answer.)

> > My point is that if we use a dull instrument to solve the problem,
> > then we'll just end up with a new set of problems. Once we figure out
> > how to solve _those_, we'll be left carrying around the baggage for
> > the previous attempt at solving the problem.
> >
> > In that case, less extravagant design is probably better.
>
> I don't see the proposal as extravagant. It's an example of "when all
> you have is a hammer everything looks like a nail." Which isn't to say
> that this hammer is never useful, but I'm not sure there are many
> examples where it would be.

I think having four separate privileges where one might do reasonably is
"extravagant." More so when we're not even in clear agreement on the
definition or the exact usage of these things.

I also remain concerned about the mapping of these privileges between TCP
and UDP. It doesn't sound right to me, and I suspect it leads to impossible
cases: where you don't (for instance) want to enable outbound TCP
connections, but you have no choice because you must allow outbound UDP
packets.

-- 
James Carlson, KISS Network                    <[EMAIL PROTECTED]>
Sun Microsystems / 1 Network Drive         71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
_______________________________________________
networking-discuss mailing list
[email protected]
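The message above asks where the IPC-versus-network line falls for loopback, local-but-non-loopback and zone-local addresses. Whatever answer a privilege model settles on, it first has to put an endpoint address into one of those classes, and the "127.1" shorthand in the thread is a reminder that a naive string comparison against "127.0.0.1" misses loopback spelled in the compressed forms inet_aton accepts. The following is an added example written for this edit, not code from the thread or from Solaris; it normalizes an IPv4 address through inet_aton and classifies it. Zone membership is not derivable from an address alone, so the host's own non-loopback addresses are passed in by the caller (the `local_addrs` set is constructed here for illustration).

```python
import ipaddress
import socket
from typing import Optional, Set

# Classes named in the thread's questions. Which of them count as "IPC" is
# exactly the policy question under debate; this code only makes the class
# explicit so a policy can answer it consistently.
LOOPBACK = "loopback"
LOCAL_NON_LOOPBACK = "local-non-loopback"
LINK_LOCAL = "link-local"
PRIVATE = "private"
GLOBAL = "global"


def normalize_address(text: str) -> ipaddress._BaseAddress:
    """Parse an address, expanding inet_aton shorthand such as '127.1'.

    ipaddress only accepts dotted-quad IPv4, so '127.1' would raise; falling
    back to socket.inet_aton yields the same 4 bytes the kernel would use,
    which makes '127.1', '127.0.1' and '127.0.0.1' classify identically.
    """
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        packed = socket.inet_aton(text)  # raises OSError on garbage input
        return ipaddress.IPv4Address(packed)


def classify_endpoint(text: str, local_addrs: Optional[Set[str]] = None) -> str:
    """Return the endpoint class for a destination address.

    local_addrs: the host's own non-loopback addresses (assumed to be supplied
    by the caller, since this cannot be inferred from the address itself).
    """
    addr = normalize_address(text)
    local = {normalize_address(a) for a in (local_addrs or set())}
    if addr.is_loopback:
        return LOOPBACK
    if addr in local:
        return LOCAL_NON_LOOPBACK
    if addr.is_link_local:
        return LINK_LOCAL
    if addr.is_private:
        return PRIVATE
    return GLOBAL


if __name__ == "__main__":
    # Constructed sample: one host address plus a handful of destinations.
    host_addrs = {"10.1.2.3"}
    for dest in ("127.1", "127.0.0.1", "::1", "10.1.2.3", "10.9.9.9",
                 "169.254.1.1", "8.8.8.8"):
        print(f"{dest:>12} -> {classify_endpoint(dest, host_addrs)}")
```

The point of the normalization step is that a policy check operating on the textual address a program supplied will disagree with the kernel about what "loopback" means unless it parses the address the same way the kernel does.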
