Re: [zones-discuss] exclusive-ip zone and non-observability
Christine Tran writes:
> I am putting 2 applications that talk to each other on two non-global
> zones of type exclusive-ip. I do this for one reason only, that is to
> be able to observe traffic between the two applications for
> troubleshooting if and when things go wrong. Unfortunately, this will
> run afoul of security guidelines, which says one should not be able to
> observe anything from the outside. Encryption is just not in the
> picture right now. I'm trying to think of a way to make traffic
> observable from the global zone only, and obscured to everyone else
> outside the box. I thought of not cabling the interfaces and turning
> off ip_restrict_interzone_loopback, but that just backs me right into
> the corner of not being able to snoop anything on the lo0 channel.
>
> I don't have anything here that I can use, do I? Just making sure.

Using the existing Clearview interfaces (integrated back in November for build 103; see CR 4085089), you should be able to snoop lo0 just fine.

-- 
James Carlson, Solaris Networking              james.d.carl...@sun.com
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677

_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] exclusive-ip zone and non-observability
Instead of snooping the traffic, why not do it through DTrace? That should meet your security requirements nicely.

fpsm

On Tue, Dec 16, 2008 at 11:59 AM, Christine Tran <christine.t...@gmail.com> wrote:
> Hi,
>
> I am putting 2 applications that talk to each other on two non-global
> zones of type exclusive-ip. I do this for one reason only, that is to
> be able to observe traffic between the two applications for
> troubleshooting if and when things go wrong. Unfortunately, this will
> run afoul of security guidelines, which says one should not be able to
> observe anything from the outside. Encryption is just not in the
> picture right now. I'm trying to think of a way to make traffic
> observable from the global zone only, and obscured to everyone else
> outside the box. I thought of not cabling the interfaces and turning
> off ip_restrict_interzone_loopback, but that just backs me right into
> the corner of not being able to snoop anything on the lo0 channel.
>
> I don't have anything here that I can use, do I? Just making sure.
>
> CT
Re: [zones-discuss] exclusive-ip zone and non-observability
On Tue, Dec 16, 2008 at 6:13 PM, Fredrich Maney <fredrichma...@gmail.com> wrote:
> Instead of snooping the traffic, why not do it through DTrace? That
> should meet your security requirements nicely.
>
> fpsm

Heh! No SUNWCdtrace cluster either. In fact, I may have to sell observability down the river because I see that snoop is in SUNWrcmdc and that's not in the SUNWCrnet, either. And that needs Kerberos, yadda yadda ...