Date:      Thu, 11 Aug 2005 12:44:06 -0700
From:      Venkata Pingali <pingali@ISI.EDU>
To:        Christian Kratzer <ck@cksoft.de>
Cc:        freebsd-net@freebsd.org, Andre Oppermann <andre@freebsd.org>, Marko Zec <zec@icir.org>, Jeremie Le Hen <jeremie@le-hen.org>
Subject:   Re: Stack virtualization
Message-ID:  <42FBAA86.5090002@isi.edu>
In-Reply-To: <20050810154817.A97974@vesihiisi.cksoft.de>
References:  <1123040973.95445.TMDA@seddon.ca> <200508091104.06572.zec@icir.org> <42F8A487.67183CA6@freebsd.org> <200508091737.32391.zec@icir.org> <42F8D8ED.11A196FC@freebsd.org> <20050809211537.GX45385@obiwan.tataz.chchile.org> <42F9E1FB.3ECF023E@freebsd.org> <20050810144407.F97974@vesihiisi.cksoft.de> <42F9F9BF.879994D2@freebsd.org> <20050810151547.X97974@vesihiisi.cksoft.de> <20050810134523.GK45385@obiwan.tataz.chchile.org> <20050810154817.A97974@vesihiisi.cksoft.de>

Christian Kratzer wrote:

> Hi,
>
> On Wed, 10 Aug 2005, Jeremie Le Hen wrote:
>
>> On Wed, Aug 10, 2005 at 03:30:32PM +0200, Christian Kratzer wrote:
>>
>>>>> And of course IPv6 for jails is something that could probably be
>>>>> solved in a very clean way using virtual IP stacks as in Marko's patch.
>>>>
>>>> I'll cook something up that uses interface groups and then you can
>>>> judge whether it meets your needs or not.  It would be more lightweight
>>>> than having a full network stack per jail.
>>>
>>> Yes, I can imagine interface groups coming in handy in firewall setups.
>>> You will probably not be able to provide clean semantics for INADDR_ANY
>>> with anything but a dedicated virtual stack.
>>>
>>> A full network stack per jail provides the same semantics as in an
>>> environment without jails and all the security of clean separation.
>>> A little overhead for security is something I am very willing to pay ;)
>>
>> Both approaches will require the ability to prevent jailed processes from
>> doing certain actions on their virtual interface/stack, such as adding a
>> new IP address, because that has a noticeable impact on the real network.
>>
>> I think this could be the job of the MAC framework (although I must
>> admit that I never played with this), but I'm a little bit scared about
>> the administrative overhead this would introduce for managing jails.
>
> Yes, a jail with its own IP stack could mess up a network as much as a
> separate machine on the same network could today.


>
> Virtual network stacks would primarily bring clean separation and
> consistent semantics to jails for cases where we require multiple
> IPv4 and IPv6 IPs and other protocols.  This would be a good thing.

We have a demonstration of that.

We have been using the stacks to create complete and multiple
virtual networks over the same set of hosts. We could do this
with minimal effort.

Standard applications including ping and traceroute work
unmodified, just as they would in the regular network.

This would not be possible without support for the appropriate
host and router RFCs, i.e., without each stack emulating a
complete Internet host.

Stacks have more to do with isolation and abstraction.
They provide the context for other network operations,
including binding, forwarding, lookup, firewalling,
etc.

The question then becomes whether one feels that it
is necessary to support complete virtual hosts or not.

>
> One reason multiple IPv4 and especially IPv6 addresses have been missing from
> jails is probably that the current very simple concept (converting
> all binds to INADDR_ANY to the jail's IP) does not scale.  Interface
> groups would not help in this area.


>
> As to inhibiting a jail from changing its stack so as not to disturb
> the network, this would indeed need to be addressed, perhaps through
> a MAC framework of some kind.


>
> Greetings
> Christian
>

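The thread contrasts the classic jail behaviour (every bind to INADDR_ANY is rewritten to the jail's single IP) with a per-jail virtual stack, where the wildcard keeps its normal meaning. The following C program is an added illustration written for this archive page; it is not FreeBSD kernel code and does not reproduce the real in_pcbbind() logic. It models both policies as pure functions (the names jail_model, classic_jail_bind and vnet_jail_bind are invented here) so the difference in bind semantics, and why the single-address rewrite has no sensible answer once a jail owns several addresses, can be seen on constructed input without a jail. The addresses used are RFC 5737 documentation addresses chosen for the example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

#define MAX_JAIL_ADDRS 4

/* Hypothetical description of a jail's address set (constructed for this
 * example). Addresses are kept in network byte order like in_addr. */
struct jail_model {
    const char *name;
    int naddrs;                      /* classic jails have exactly one */
    in_addr_t addrs[MAX_JAIL_ADDRS];
};

/* Model of the classic single-IP jail: INADDR_ANY is silently replaced by the
 * jail's address, the jail's own address is accepted, anything else is refused.
 * Returns 0 and sets *out, or a positive errno. With more than one address the
 * rewrite has no rule to apply, which is the "does not scale" point above. */
int classic_jail_bind(const struct jail_model *j, in_addr_t requested, in_addr_t *out)
{
    if (j->naddrs != 1)
        return EINVAL;                     /* rewrite undefined for N > 1 addresses */
    if (requested == htonl(INADDR_ANY)) {
        *out = j->addrs[0];                /* wildcard pinned to the one jail IP */
        return 0;
    }
    if (requested == j->addrs[0]) {
        *out = requested;
        return 0;
    }
    return EADDRNOTAVAIL;                  /* not an address of this jail */
}

/* Model of a per-jail virtual stack: the wildcard stays a wildcard, scoped to
 * the addresses the jail's own stack owns, and any owned address binds as-is. */
int vnet_jail_bind(const struct jail_model *j, in_addr_t requested, in_addr_t *out)
{
    if (requested == htonl(INADDR_ANY)) {
        *out = requested;                  /* "any address of this stack" */
        return 0;
    }
    for (int i = 0; i < j->naddrs; i++) {
        if (j->addrs[i] == requested) {
            *out = requested;
            return 0;
        }
    }
    return EADDRNOTAVAIL;
}

/* Constructed sample jails. inet_addr() is not a constant expression, so the
 * structs are built at run time rather than as static initializers. */
struct jail_model single_ip_jail(void)
{
    struct jail_model j = { "single", 1, { 0 } };
    j.addrs[0] = inet_addr("192.0.2.10");
    return j;
}

struct jail_model dual_ip_jail(void)
{
    struct jail_model j = { "dual", 2, { 0 } };
    j.addrs[0] = inet_addr("192.0.2.10");
    j.addrs[1] = inet_addr("198.51.100.7");
    return j;
}

static void show(const char *policy, const struct jail_model *j, in_addr_t req,
                 int (*fn)(const struct jail_model *, in_addr_t, in_addr_t *))
{
    struct in_addr in;
    in_addr_t out = 0;
    int rc = fn(j, req, &out);
    in.s_addr = req;
    printf("%-8s jail=%-6s bind(%s) -> ", policy, j->name, inet_ntoa(in));
    if (rc != 0) {
        printf("error %s\n", strerror(rc));
    } else {
        in.s_addr = out;
        printf("bound to %s\n", inet_ntoa(in));
    }
}

int main(void)
{
    struct jail_model one = single_ip_jail();
    struct jail_model two = dual_ip_jail();
    in_addr_t any = htonl(INADDR_ANY);
    in_addr_t other = inet_addr("203.0.113.1");

    show("classic", &one, any, classic_jail_bind);
    show("classic", &one, other, classic_jail_bind);
    show("classic", &two, any, classic_jail_bind);   /* undefined: EINVAL */
    show("vnet", &two, any, vnet_jail_bind);          /* wildcard preserved */
    show("vnet", &two, two.addrs[1], vnet_jail_bind); /* second address usable */
    show("vnet", &two, other, vnet_jail_bind);        /* still confined */
    return 0;
}
```

Both models refuse an address the jail does not own, so the confinement the thread cares about is the same; the difference is only that the virtual-stack model never has to guess which of several addresses a wildcard listener meant.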