Having an issue figuring out how the all-zones option affects security if 
applied to a physical interface and not VNI*. Attempting to configure a Solaris 
10 U3 TX system with 2 NICs to route between CIPSO and UNLABELED traffic. We 
have a server that does not understand CIPSO (192.168.1.100/24) that we access 
through a router (192.168.2.100/24) that does not understand CIPSO. The Solaris 
gateway "router" has an interface (192.168.2.1/24) that talks to the router. 
The other interface on the Solaris gateway is (192.168.3.1/24). One labeled 
zone exists called unclassified. We have attempted the following gateway 
configurations but are uncertain what this does to security since this is a TX 
system. 

1. Configured global with iprb0=192.168.12.1/24 and iprb1=192.168.13.1/24. 
   Configured unclassified zone with iprb0:1=192.168.2.1/24 and iprb1=192.168.3.1/24. 
If we start a ping from a Solaris TX CIPSO workstation (192.168.3.100) through 
the gateway to 192.168.1.100, after 1500 pings communication stops. With this 
setup we are unable to make the persistent route work (192.168.1.100 via 
192.168.2.100).

2. Configured global with iprb0=192.168.2.1/24 all-zones and 
iprb1=192.168.3.1/24 all-zones. Configured unclassified zone without any 
network settings. This seems to work even without the unclassified zone booted. 
Persistent routes and communication do not stop working. What does this do to 
the security of the system? All the documentation I have seen uses a VNI interface 
for the labeled zones to communicate with the global zone. Also looking at using 
IPsec and not sure what effect this will have. 

Solaris 10 TX workstation 192.168.3.100
                          |
                          |
                  192.168.3.1
            Solaris 10 TX gateway
                  192.168.2.1
                          |
                          |
                 192.168.2.100
               NON-CIPSO Router
                   192.168.1.1
                          |
                          |
    NON-CIPSO Server 192.168.1.100
This message posted from opensolaris.org
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org