On (05/13/10 13:25), Edward Pilatowicz wrote:
> > Currently, none, though the "only ipv4 specified implies ipv6-addrs
> > are forbidden" approach solves that. In retrospect, that choice
> > seems simpler and cleaner. Is that preferable?
> >
>
> i think so.

Ok, I'll send out an updated spec (that also incorporates Girish's feedback) later this week.

> > > - can exclusive stack zones manipulate mac addresses on network
> > > interfaces?
> >
> > yes- they can use 'ifconfig .. ether <..>'.
> > .. the address property only clamps down the IP address,
> > and makes no promises about the mac address associated with the IP address.
> >
>
> given that one of the motivations for this work is to prevent zones from
> using addresses they shouldn't (and thereby being capable of DOS-ing
> hosts using those addresses) it seems like we should have a zonecfg
> mechanism that prevents mac address manipulation. i don't know if that
> should be bundled in with this proposed IP limiting mechanism (ie. if a
> user specifies an IP address the mac would automatically be locked down)
> or if there should be a separate knob to control this. thoughts?

Rishi Srivatsavai is looking into the work entailed to have mac-nospoof enabled for NGZ by default.. just talked to Rishi, and I think it makes sense, as part of that work, to also ensure that the mac address cannot be changed by ifconfig.

--Sowmini
