Xu
2007-Feb-21 09:37 UTC
[crossbow-discuss] Snooping on non-global network interfaces from global zone
Hello,

You can use exclusive network mode for a zone by using "set ip-type=exclusive" when the zone is configured with zonecfg.

I saw somewhere (don't remember where) that when using IP Instances in exclusive-IP zones, when you run "ifconfig -a" from the global zone you see only the global zone network interfaces; you don't see non-global zone network interfaces from the global zone. Each non-global zone of course sees the interfaces which are dedicated to it in such a configuration, because it has an instance of the IP stack.

On the other hand, when running "snoop" from the global zone you CAN snoop on other network interfaces from non-global zones (maybe using the -d flag to "snoop"?).

Two questions:
1) Is it true?
2) In case it is - why is it so?

As I understand, in such a configuration of exclusive network mode for zones ("IP Instances"), each zone should have an instance of the IP stack. So why is the global zone able to snoop on non-global zone network interfaces?

Regards,
Xu

This message posted from opensolaris.org
Dong-Hai Han
2007-Feb-21 11:57 UTC
[crossbow-discuss] Snooping on non-global network interfaces from global zone
Hello, Xu,

Yes, it is true: in the global zone, root can snoop on all of the network interfaces. IP Instances just separates the IP stack, and snoop works on layer 2, which is out of the scope of the IP Instances project.

And don't worry about global root being able to snoop on your interfaces; anyway, the global root can do a "zlogin <zone name> snoop", and we cannot stop the global root from capturing packets on the wire or switch. ;-)

Best,
Donghai.

----- Original Message -----
From: Xu <xunakaj at yahoo.com>
Date: Wednesday, February 21, 2007 5:38 pm
Subject: [crossbow-discuss] Snooping on non-global network interfaces from global zone
To: crossbow-discuss at opensolaris.org

> Hello,
>
> You can use exclusive network mode for a zone by using "set ip-type=exclusive" when
> the zone is configured with zonecfg.
>
> I saw somewhere (don't remember where) that when using IP Instances in
> exclusive-IP zones, when you run "ifconfig -a" from the global zone
> you see only the global zone network interfaces; you don't see non-global
> zone network interfaces from the global zone. Each non-global zone of course sees
> the interfaces which are dedicated to it in such a configuration because
> it has an instance of the IP stack.
>
> On the other hand, when running "snoop" from the global zone you CAN
> snoop on other network interfaces from non-global zones (maybe using the -d flag
> to "snoop"?).
>
> Two questions:
> 1) Is it true?
> 2) In case it is - why is it so?
> As I understand, in such a configuration of exclusive network mode
> for zones ("IP Instances"), each zone should have an instance of the IP
> stack. So why is the global zone able to snoop on non-global zone network
> interfaces?
> Regards,
> Xu
Xu
2007-Feb-22 07:22 UTC
[crossbow-discuss] Re: Snooping on non-global network interfaces from global zone
Thanks, Donghai.

> IP Instances just separates IP stack, and snoop works on layer 2, which is out
> of the scope of IP Instances project.

Since we are talking about layer 2 - can a non-global zone snoop on interfaces of a different non-global zone (assuming that both are using IP Instances)?
And when NOT using IP Instances - is such snooping (from one non-global zone to a different non-global zone) available? (did not test it yet)
Is there something with the privileges of a zone that stops it from doing so?

Regards,
Xu
Dong-Hai Han
2007-Feb-22 08:32 UTC
[crossbow-discuss] Re: Snooping on non-global network interfaces from global zone
Xu wrote:
> Thanks, Donghai.

You are welcome.

>> IP Instances just separates IP stack, and snoop works on layer 2, which is out
>> of the scope of IP Instances project.
>
> Since we are talking about layer 2 - can a non-global zone snoop on interfaces of a different non-global zone (assuming that both are using IP Instances)?
> And when NOT using IP Instances - is such snooping (from one non-global zone to a different non-global zone) available? (did not test it yet)
> Is there something with the privileges of a zone that stops it from doing so?

No, in any situation a non-global zone must not see traffic of another non-global zone. For exclusive-IP zones, they can access only the network interfaces assigned to them by the global root; if you have one configured, look at /dev and you'll see.

Best,
Donghai.
Jeff Victor
2007-Feb-22 13:54 UTC
[crossbow-discuss] Re: Snooping on non-global network interfaces from global zone
Xu wrote:
> And when NOT using IP instances - is such a snooping (from
> one non global zone to a different non global zone) available ? (did not
> test it yet) Is there something with privileges of zone that stops him from
> doing so ?

Hello Xu,

If a zone does *not* use IP Instances, by default the zone cannot use snoop. However, the global zone administrator can choose to allow a zone to snoop a NIC to which it has been given access. This is done by adding the privilege net_rawaccess to that zone and adding the network device to the zone. The zone will see *all* packets on that interface, including those of other zones which are also using that interface.

See my blog entry which explains this: http://blogs.sun.com/JeffV/date/20061030

--------------------------------------------------------------------------
Jeff VICTOR              Sun Microsystems            jeff.victor @ sun.com
OS Ambassador            Sr. Technical Specialist
Solaris 10 Zones FAQ:    http://www.opensolaris.org/os/community/zones/faq
--------------------------------------------------------------------------
Erik Nordmark
2007-Feb-22 21:03 UTC
[crossbow-discuss] Re: Snooping on non-global network interfaces from global zone
Xu wrote:
> Thanks, Donghai.
>
>> IP Instances just separates IP stack, and snoop works on layer 2, which is out
>> of the scope of IP Instances project.
>
> Since we are talking about layer 2 - can non global zone snoop on interfaces of a different non global zones (assuming that both are using IP instances ) ?

No, since a non-global zone doesn't have access to other /dev/ entries. For example, if you configure an exclusive-IP zone to use bge2, it gets a /dev/bge2 entry it can use. But it can't access any other layer 2 devices.

> And when NOT using IP instances - is such a snooping (from one non global zone to a different non global zone) available ? (did not test it yet)
> Is there something with privileges of zone that stops him from doing so ?

It is just the devices. zonecfg has a mechanism to assign additional devices to a non-global zone (add device). This can be used to give a non-global zone the ability to snoop - by giving it layer 2 access - which means it can send and receive any Ethernet frames on that interface.

Erik
Jeff Victor
2007-Feb-22 23:28 UTC
[crossbow-discuss] Re: Snooping on non-global network interfaces from global zone
Erik Nordmark wrote:
> Xu wrote:
>
>> And when NOT using IP instances - is such a snooping (from one non
>> global zone to a different non global zone) available ? (did not test
>> it yet)
>> Is there something with privileges of zone that stops him from doing so ?
>
> It is just the devices. zonecfg has a mechanism to assign additional
> devices to a non-global zone (add device). This can be used to give a
> non-global zone the ability to snoop - by giving it layer 2 access -
> which means it can send and receive any Ethernet frames on that interface.

The zone will also need the net_rawaccess privilege in order to snoop. Adding that privilege requires S10 11/06 or Nevada build 37.
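An added audit helper (not code from the thread, from Solaris, or from the people replying): it reads the text of "zonecfg -z <zone> info" and reports whether a zone holds both an assigned device and the net_rawaccess privilege, the two things Erik's and Jeff's replies name as what lets a zone snoop a NIC and see every frame on it, other zones' traffic included. The zone name, path, address and NIC in the sample are constructed for this example.

```shell
# Constructed sample, shaped like zonecfg(1M) "info" output; the zone
# name, path, address and NIC are made up for this example.
SAMPLE_ZONE_CFG='zonename: webzone
zonepath: /zones/webzone
brand: native
autoboot: true
limitpriv: default,net_rawaccess
ip-type: shared
net:
    address: 192.0.2.10/24
    physical: bge1
device:
    match: /dev/bge1'

# Reads zonecfg "info" text on stdin; prints one summary line and one
# VERDICT line.  Matching is field-based so it does not matter whether
# zonecfg indents resource properties with tabs or spaces.
audit_zone_snoop() {
    awk '
        $1 == "zonename:"  { zone = $2 }
        $1 == "limitpriv:" {
            # limitpriv is a comma list, e.g. "default,net_rawaccess"
            if (("," $2 ",") ~ /,net_rawaccess,/) raw = "yes"
        }
        $1 == "match:" {
            # each "match:" is a device resource assigned with "add device"
            devs = (devs == "") ? $2 : (devs "," $2)
        }
        END {
            if (raw == "")  raw  = "no"
            if (devs == "") devs = "-"
            printf "zone=%s rawaccess=%s devices=%s\n", zone, raw, devs
            if (raw == "yes" && devs != "-")
                print "VERDICT: can snoop " devs " (sees all frames on that NIC)"
            else
                print "VERDICT: cannot snoop (needs both net_rawaccess and a device)"
        }'
}

# Run the audit over the constructed sample.
printf '%s\n' "$SAMPLE_ZONE_CFG" | audit_zone_snoop
```

On a real host, feed it the output of zonecfg for each zone from "zoneadm list -c" and review any zone that gets a "can snoop" verdict.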
Erik Nordmark
2007-Feb-23 00:41 UTC
[crossbow-discuss] Re: Snooping on non-global network interfaces from global zone
Jeff Victor wrote:
> Erik Nordmark wrote:
>> Xu wrote:
>>
>>> And when NOT using IP instances - is such a snooping (from one non
>>> global zone to a different non global zone) available ? (did not test
>>> it yet)
>>> Is there something with privileges of zone that stops him from doing
>>> so ?
>>
>> It is just the devices. zonecfg has a mechanism to assign additional
>> devices to a non-global zone (add device). This can be used to give a
>> non-global zone the ability to snoop - by giving it layer 2 access -
>> which means it can send and receive any Ethernet frames on that
>> interface.
>
> The zone will also need the net_rawaccess privilege in order to snoop.
> Adding that privilege requires S10 11/06 or Nevada build 37.

Correct. I forgot about that one.

Erik