[OpenIndiana-discuss] [discuss] Is it possible to do shared networking for LZ different from IP stack in GZ?

Jim Klimov jimklimov at cos.ru
Mon Jun 11 19:37:58 UTC 2012


2012-06-11 22:57, Robert Mustacchi wrote:
> This isn't a problem. When you promiscuously sniff traffic on a VNIC
> regardless of zone, you only get the following:
>
> * unicast traffic with your zones MAC address
Okay, one problem less, maybe

> * Broadcast and multicast traffic
This might expose some knowledge about the network, i.e.
CIFS host and domain names, which may be undesirable as
a minor aid to a hacker researching the network.

Also, since an exclusive-IP zone can set any IP addresses,
it is free to disrupt your LAN or hijack some services by
trying to capture used addresses. On a shared stack the
addressing and routing is enforced from outside the zone
by the GZ admins.

Can that count in favor of enhancing the shared stack
usability when I don't want the hypervisor (GZ) on the
same net as the end-users' restricted local zones? ;)

Now, we're getting closer to what Dan wanted - a user story :)

>
> Specifically if you create a vnic over an underlying physical NIC you do
> not see all the traffic of the underlying device. See
> http://src.illumos.org/source/xref/illumos-gate/usr/src/uts/common/io/mac/mac_client.c#3134.
> VNICs are always of type MAC_CLIENT_PROMISC_FILTERED.

Thanks,
//Jim Klimov
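As an added example (not part of Jim's or Robert's messages), here is the global-zone side of the two configurations the reply contrasts, on illumos/OpenIndiana: a shared-IP zone whose address is pinned by the GZ, an exclusive-IP zone on a bare VNIC (where the zone admin can choose any IP or MAC), and the same exclusive-IP zone with Crossbow link protection applied from the GZ. The dladm(1M) and zonecfg(1M) invocations are real; the zone, VNIC, NIC and address names are placeholders, and the tools are called through variables so the script can be dry-run with `DLADM=echo ZONECFG=echo` on a machine without zones.

```shell
#!/bin/sh
# Added example, not from the thread. Zone name, VNIC name, physical NIC
# and addresses below are made-up placeholders; replace them for real use.
# dladm/zonecfg are reached through variables so that the script can be
# dry-run (DLADM=echo ZONECFG=echo) on a non-illumos host.
DLADM=${DLADM:-dladm}
ZONECFG=${ZONECFG:-zonecfg}

# Shared-IP zone: the address lives in the GZ's stack and is fixed in the
# zone configuration. The zone cannot change it or add others, which is the
# "addressing enforced from outside the zone" property.
shared_ip_zone() {
    zone=$1; nic=$2; addr=$3
    $ZONECFG -z "$zone" \
        "set ip-type=shared; add net; set physical=$nic; set address=$addr; end"
}

# Exclusive-IP zone, weak form: the zone owns the VNIC's IP stack and can
# configure any IP or source MAC on it, i.e. the hijacking concern above.
exclusive_ip_zone_unprotected() {
    zone=$1; vnic=$2; nic=$3
    $DLADM create-vnic -l "$nic" "$vnic"
    $ZONECFG -z "$zone" \
        "set ip-type=exclusive; add net; set physical=$vnic; end"
}

# Exclusive-IP zone, hardened: link protection set on the VNIC from the GZ
# makes the MAC layer drop outbound frames whose source MAC is not the
# VNIC's own (mac-nospoof) or whose source IP is not in allowed-ips
# (ip-nospoof), so the zone admin can no longer grab a neighbour's address.
exclusive_ip_zone_protected() {
    zone=$1; vnic=$2; nic=$3; addr=$4
    $DLADM create-vnic -l "$nic" "$vnic"
    $DLADM set-linkprop -p protection=mac-nospoof,ip-nospoof "$vnic"
    $DLADM set-linkprop -p allowed-ips="$addr" "$vnic"
    $ZONECFG -z "$zone" \
        "set ip-type=exclusive; add net; set physical=$vnic; end"
}

# Example usage (dry-run unless DLADM/ZONECFG point at the real tools):
#   shared_ip_zone users1 e1000g0 192.0.2.11
#   exclusive_ip_zone_protected users2 vnic0 e1000g0 192.0.2.10
```

Link protection is enforced below the zone's IP stack, so it holds even though the exclusive-IP zone is root on its own stack; `dladm show-linkprop -p protection,allowed-ips vnic0` in the GZ shows what is in force.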