Peter Teoh wrote:

Wow.... each netstack for each IP zone? What is the purpose? At the kernel level, everyone can see and modify each other, right? So I don't think it is for privilege segregation, in the security sense? Sorry for the newbie question, I will read into this documentation..... slowly :-).

The purpose is to isolate the IP traffic for different exclusive IP zones. We've seen many cases where there is a need to consolidate servers that are connected to different VLANs (or different LANs) on the same system. The exclusive-IP zones enable that by providing the equivalent of an "IP airgap" - there is no way for IP packets (or ARP packets) to cross from one exclusive-IP zone to another, and all the modifiable data structures in the TCP/IP stack are separate for each exclusive-IP zone.

The fact that the kernel can write all over all of physical memory doesn't impact this; even with a hypervisor as in Xen, the hypervisor can write all of physical memory. In both cases we try to write software that doesn't scribble over memory. The applications, including for uid=0, cannot read or write TCP/IP data structures that are part of a different exclusive-IP zone.

In OpenSolaris with the vnic support this can also be used to build a network in a box (defining etherstubs and vnics and connecting them together with some exclusive-IP zones being routers, others being firewalls, and then with applications running on yet other ones.) This is very powerful for testing; I can run a dozen exclusive-IP zones on an old laptop.

   Erik
_______________________________________________
networking-discuss mailing list
networking-discuss@opensolaris.org
