On Thu, May 13, 2010 at 04:10:05PM -0700, Darren Reed wrote:
> On 13/05/10 01:29 PM, [email protected] wrote:
> >On (05/13/10 13:25), Edward Pilatowicz wrote:
> >>>Currently, none, though the "only ipv4 specified implies ipv6-addrs
> >>>are forbidden" approach solves that. In retrospect, that choice
> >>>seems simpler and cleaner. Is that preferable?
> >>>
> >>
> >>i think so.
> >
> >Ok, I'll send out an updated spec (that also incorporates Girish's
> >feedback) later this week.
> >
> >>>>- can exclusive stack zones manipulate mac addresses on network
> >>>>  interfaces?
> >>>
> >>> yes- they can use 'ifconfig .. ether<..>'.
> >>>.. the address property only clamps down the IP address,
> >>>and makes no promises about the mac address associated with the IP address.
> >>>
> >>
> >>given that one of the motivations for this work is to prevent zones from
> >>using addresses they shouldn't (and thereby being capable of DOS-ing
> >>hosts using those addresses) it seems like we should have a zonecfg
> >>mechanism that prevents mac address manipulation. i don't know if that
> >>should be bundled in with this proposed IP limiting mechanism (ie. if a
> >>user specifies an IP address the mac would automatically be locked down)
> >>or if there should be a separate knob to control this. thoughts?
> >
> >Rishi Srivatsavai is looking into the work entailed to have mac-nospoof
> >enabled for NGZ by default.. just talked to Rishi, and I think it makes
> >sense, as part of that work, to also ensure that the mac address cannot
> >be changed by ifconfig.
>
> It really doesn't matter what controls you put on changing any
> address via ifconfig if hostile behaviour is your concern. As long
> as I can open a raw socket for a NIC, I can pump whatever I like
> down the wire. To that end, the "allowed-ips" and "mac-nospoof"
> filtering in mac are required to prevent hostile behaviour from
> the local zone because they both actively filter all packets
> transmitted out of the NIC. This is why I earlier asked about
> whether or not net-rawaccess could be revoked for such zones.
>

as far as i can tell, if "allowed-ips" and "mac-nospoof" are used to
restrict the ip and mac addresses that a zone can use then that's good
enough. removing net-rawaccess would be unnecessary because it wouldn't
buy us any more protection else. removing net-rawaccess would actually
reduce the available functionality in the zone unnecessarily. (for
example, the zone could no longer run snoop.)

ed
