Girish Moodalbail
2009-Mar-25 17:51 UTC
[crossbow-discuss] [brussels-dev] displaying promiscuous state for a data link
On 03/25/09 12:30, James Carlson wrote:
> Girish Moodalbail writes:
>> bash-3.2# dladm show-link
>> LINK       CLASS  MTU   STATE  PROMISC  OVER
>> e1000g0    phys   1501  up     off      --
>> e1000g1    phys   1502  up     on       --
>
> That (plus or minus some column alignment) seems fine.
>
> How will this work with the various sorts of virtual interfaces and
> VLANs?

See below.

> I assume that if someone puts a regular link into promiscuous mode,
> then all of the regular VNICs (including those inside a zone) are in
> promiscuous mode.

No, they would not be in promiscuous mode. The VNIC's would be in promiscuous mode only if a DLPI application enables it using dlpi_promiscon() with DL_PROMISC_PHYS flag. So, we do not register VNIC's promiscuous call back function if the NIC is put in promiscuous mode.

> But do VLANs appear as "in promiscuous mode" if the
> underlying interface is set that way? After all, listeners on the
> underlying interface can see the VLAN traffic.

Since snv_105, VLAN's are implemented as VNIC's so as per explanation before VLAN's wouldn't be in promiscuous mode if the underlying NIC is put on promiscuous mode.

> If a VNIC is in promiscuous mode, is the underlying link marked that
> way as well even though no clients of the underlying link are using it
> that way?

Yes, the underlying link will be marked promiscuous because without making the underlying NIC promiscuous the VNIC's would not get all the packets.

> Does putting one VNIC into promiscuous mode also put the
> others on that same underlying link into promiscuous mode (as one can
> listen to others)?

No, we don't.

> Iterate the above questions for both VLANs and

VLANs are no different than VNIC's. They work as specified above.

> virtual drivers such as those used for Xen.

I have to look in to this.

thanks
~Girish
James Carlson
2009-Mar-26 17:06 UTC
[crossbow-discuss] [brussels-dev] displaying promiscuous state for a data link
Girish Moodalbail writes:
> On 03/25/09 12:30, James Carlson wrote:
> > I assume that if someone puts a regular link into promiscuous mode,
> > then all of the regular VNICs (including those inside a zone) are in
> > promiscuous mode.
> No, they would not be in promiscuous mode. The VNIC's would be in
> promiscuous mode only if a DLPI application enables it using
> dlpi_promiscon() with DL_PROMISC_PHYS flag. So, we do not register
> VNIC's promiscuous call back function if the NIC is put in promiscuous mode.

I don't think I understand the usage model entirely, then.

Is the idea of showing "promiscuous mode" intended to allow the
administrator to know whether there's someone watching? If so, then
I'd expect the state to show whether there's any promiscuous client
anywhere in the system that can snoop in on that link's traffic.

If it's not for that purpose, then how does the administrator use this
new flag? What does it tell him, and what could he do with that
information?

> > If a VNIC is in promiscuous mode, is the underlying link marked that
> > way as well even though no clients of the underlying link are using it
> > that way?
>
> Yes, the underlying link will be marked promiscuous because without
> making the underlying NIC promiscuous the VNIC's would not get all the
> packets.

True ... but I'm asking about the state of the visible flag, not the
internal implementation details.

If this is supposed to just show whether there's a promiscuous
listener on a given link, then why would the underlying NIC show this
flag set when there *isn't* such a listener on that link?

> > virtual drivers such as those used for Xen.
> >
> I have to look in to this.

OK.

-- 
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
Girish Moodalbail
2009-Mar-26 18:16 UTC
[crossbow-discuss] [brussels-dev] displaying promiscuous state for a data link
On 03/26/09 13:06, James Carlson wrote:
> Girish Moodalbail writes:
>> On 03/25/09 12:30, James Carlson wrote:
>>> I assume that if someone puts a regular link into promiscuous mode,
>>> then all of the regular VNICs (including those inside a zone) are in
>>> promiscuous mode.
>> No, they would not be in promiscuous mode. The VNIC's would be in
>> promiscuous mode only if a DLPI application enables it using
>> dlpi_promiscon() with DL_PROMISC_PHYS flag. So, we do not register
>> VNIC's promiscuous call back function if the NIC is put in promiscuous mode.
>
> I don't think I understand the usage model entirely, then.
>
> Is the idea of showing "promiscuous mode" intended to allow the
> administrator to know whether there's someone watching? If so, then
> I'd expect the state to show whether there's any promiscuous client
> anywhere in the system that can snoop in on that link's traffic.
>
> If it's not for that purpose, then how does the administrator use this
> new flag? What does it tell him, and what could he do with that
> information?

The flag specifies if the data link is in promiscuous mode or not. The promiscuity of the data link might have been set by directly snooping the data link or by snooping the MAC clients (VNIC's or VLAN's) defined on top of that data link or by some other DLPI application. The fact that the link itself is in promiscuous mode should indicate that 'there's someone watching', right? Further if the underlying NIC is in promiscuous mode and for the MAC clients on that NIC the flag is not set, then it would mean that there is a listener (like snoop or some other DLPI application) which enabled promiscuity.

>>> If a VNIC is in promiscuous mode, is the underlying link marked that
>>> way as well even though no clients of the underlying link are using it
>>> that way?
>> Yes, the underlying link will be marked promiscuous because without
>> making the underlying NIC promiscuous the VNIC's would not get all the
>> packets.
>
> True ... but I'm asking about the state of the visible flag, not the
> internal implementation details.
>
> If this is supposed to just show whether there's a promiscuous
> listener on a given link, then why would the underlying NIC show this
> flag set when there *isn't* such a listener on that link?

In the above case 'promiscuous flag' for both VNIC and underlying NIC will be set indicating they are in 'promiscuous' mode.

thanks
~Girish
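Added example (not part of the original thread and not dladm code): a small Python parser that applies the flag semantics described in the replies above to show-link output carrying the proposed PROMISC column, reporting for each promiscuous link where the listener is likely attached. The vnic rows, the third phys row and the function names are assumptions made for illustration.

```python
# Added example: interpret the PROMISC column proposed in this thread.
# SAMPLE is constructed; the first two rows follow the output quoted in the
# thread, the remaining rows are assumed for illustration.
SAMPLE = """\
LINK     CLASS  MTU   STATE  PROMISC  OVER
e1000g0  phys   1501  up     off      --
e1000g1  phys   1502  up     on       --
e1000g2  phys   1500  up     on       --
vnic1    vnic   1500  up     on       e1000g1
vnic2    vnic   1500  up     off      e1000g1
vnic3    vnic   1500  up     off      e1000g2
"""


def parse_show_link(text):
    """Parse whitespace-separated show-link rows into dicts keyed by header."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    header = [h.lower() for h in lines[0]]
    rows = []
    for fields in lines[1:]:
        if len(fields) != len(header):
            raise ValueError(f"unexpected row: {fields}")
        rows.append(dict(zip(header, fields)))
    return rows


def explain_promisc(rows):
    """Map each promiscuous link to the likely location of its listener."""
    clients = {}  # underlying link -> names of its promiscuous MAC clients
    for r in rows:
        if r["over"] != "--" and r["promisc"] == "on":
            clients.setdefault(r["over"], []).append(r["link"])
    report = {}
    for r in rows:
        if r["promisc"] != "on":
            continue
        if r["over"] != "--":
            report[r["link"]] = "listener on this MAC client"
        elif r["link"] in clients:
            # The flag may only reflect the clients; a direct listener on
            # the NIC cannot be ruled out from this output alone.
            report[r["link"]] = "set via " + ",".join(sorted(clients[r["link"]]))
        else:
            report[r["link"]] = "listener directly on this link"
    return report


if __name__ == "__main__":
    for link, why in explain_promisc(parse_show_link(SAMPLE)).items():
        print(f"{link}: {why}")
```

The "set via" case is the ambiguity raised in the thread: the underlying NIC shows the flag whether or not anything is listening on the NIC itself.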