Having an issue figuring out how the all-zones option affects security if applied to a physical interface and not a VNI*. Attempting to configure a Solaris 10 U3 TX system with 2 NICs to route between CIPSO and UNLABELED traffic. We have a server that does not understand CIPSO (192.168.1.100/24) that we access through a router (192.168.2.100/24) that does not understand CIPSO. The Solaris gateway "router" has an interface (192.168.2.1/24) that talks to the router. The other interface on the Solaris gateway is (192.168.3.1/24). One labeled zone exists, called unclassified. We have attempted the following gateway configurations but are uncertain what this does to security since this is a TX system.

1. Configured global with iprb0=192.168.12.1/24 and iprb1=192.168.13.1/24. Configured unclassified zone with iprb0:1=192.168.2.1/24 and iprb1=192.168.3.1/24. If we start a ping from a Solaris TX CIPSO workstation (192.168.3.100) through the gateway to 192.168.1.100, after 1500 pings communication stops. With this setup we are unable to make the persistent route work (192.168.1.100 192.168.2.100).

2. Configured global with iprb0=192.168.2.1/24 all-zones and iprb1=192.168.3.1/24 all-zones. Configured unclassified zone without any network settings. This seems to work even without the unclassified zone booted. Persistent routes and communication do not stop working.

What does this do to the security of the system? All the documentation I have seen uses a VNI interface for the labeled zones to communicate with the global zone. Also looking at using IPsec and not sure what effect this will have.

Solaris 10 TX workstation 192.168.3.100
            |
            |
192.168.3.1 Solaris 10 TX gateway 192.168.2.1
            |
            |
192.168.2.100 NON-CIPSO Router 192.168.1.1
            |
            |
NON-CIPSO Server 192.168.1.100

This message posted from opensolaris.org
zones-discuss mailing list
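Added illustration (not part of the post above, and not Solaris code): a small Python model of how a Trusted Extensions host decides whether a peer is CIPSO or unlabeled, which is the distinction the poster's gateway has to make between the 192.168.3.0/24 workstation and the non-CIPSO router and server. The post does not mention it, but on TX that decision comes from the remote-host database (/etc/security/tsol/tnrhdb), which maps hosts or prefixes to templates by longest-prefix match, with a 0.0.0.0 entry as the wildcard fallback. The tnrhdb entries below are constructed for this example from the poster's addresses; the template names (cipso, admin_low), the choice to put the non-CIPSO router and server under admin_low, the host_type table, and the function names are all assumptions.

```python
import ipaddress

# Constructed sample of /etc/security/tsol/tnrhdb entries, written for this
# illustration (not taken from the post or from any real system). Format is
# host-or-network[/prefix]:template-name (IPv4 only here). The addresses follow
# the post's topology; which template each address gets is an assumption.
SAMPLE_TNRHDB = """\
# TX workstation subnet speaks CIPSO
192.168.3.0/24:cipso
# the gateway's own interface addresses
192.168.3.1:cipso
192.168.2.1:cipso
# non-CIPSO router and server subnets: unlabeled, treated as admin_low
192.168.2.0/24:admin_low
192.168.1.0/24:admin_low
# wildcard fallback for anything not listed above
0.0.0.0:admin_low
"""

# host_type of each template, as it would appear in tnrhtp (assumed values).
TEMPLATE_HOST_TYPE = {"cipso": "cipso", "admin_low": "unlabeled"}


def parse_tnrhdb(text):
    """Parse tnrhdb-style lines into (network, template) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, template = line.rsplit(":", 1)
        # 0.0.0.0 is the wildcard entry; everything else is a host or a prefix.
        if addr == "0.0.0.0":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(addr, strict=False)
        entries.append((net, template))
    return entries


def lookup_template(entries, host):
    """Longest-prefix match: a /32 host entry beats a /24, which beats the wildcard."""
    ip = ipaddress.ip_address(host)
    best = None
    for net, template in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, template)
    return best[1] if best else None


def classify_peer(entries, host):
    """Return (template, host_type) for a peer: 'cipso' peers carry their label
    in the IP CIPSO option; 'unlabeled' peers get the template's label instead."""
    template = lookup_template(entries, host)
    return template, TEMPLATE_HOST_TYPE.get(template, "unknown")


def trace_path(entries, hops):
    """Classify every hop of a path, e.g. workstation -> router -> server."""
    return [(hop,) + classify_peer(entries, hop) for hop in hops]


if __name__ == "__main__":
    db = parse_tnrhdb(SAMPLE_TNRHDB)
    for hop, template, host_type in trace_path(
        db, ["192.168.3.100", "192.168.2.100", "192.168.1.100"]
    ):
        print(f"{hop:16} template={template:10} host_type={host_type}")
```

The point the model makes visible is that the peer's template, not the zone an interface is assigned to, decides whether the gateway expects CIPSO options from that peer and what label it assigns to unlabeled packets. With a 0.0.0.0:admin_low wildcard, every host not explicitly listed is accepted as unlabeled admin_low, so that entry deserves a look when both physical interfaces are made all-zones as in configuration 2.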