2012-06-11 22:57, Robert Mustacchi wrote:
> This isn't a problem. When you promiscuously sniff traffic on a VNIC
> regardless of zone, you only get the following:
> * unicast traffic with your zone's MAC address

Okay, one problem less, maybe

> * Broadcast and multicast traffic

This might expose some knowledge about the network, i.e.
CIFS host and domain names, which may be undesirable as
a minor aid to a hacker researching the network.

Also, since an exclusive-IP zone can set any IP addresses,
it is free to disrupt your LAN or hijack some services by
trying to capture used addresses. On a shared stack the
addressing and routing is enforced from outside the zone
by the GZ admins.

Can that count in favor of enhancing the shared stack
usability when I don't want the hypervisor (GZ) on the
same net as the end-users' restricted local zones? ;)

Now, we're getting closer to what Dan wanted - a user story :)

> Specifically if you create a vnic over an underlying physical NIC you do
> not see all the traffic of the underlying device. See
> http://src.illumos.org/source/xref/illumos-gate/usr/src/uts/common/io/mac/mac_client.c#3134.
> VNICs are always of type MAC_CLIENT_PROMISC_FILTERED.
Thanks,
//Jim Klimov
_______________________________________________
OpenIndiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss
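An added example, not part of the thread above and not code from illumos-gate: a small Python model of the two points under discussion. The first function reproduces the delivery rule Robert describes for a MAC_CLIENT_PROMISC_FILTERED client (own-MAC unicast, broadcast and multicast pass; a neighbour's unicast does not), so you can see which constructed frames a promiscuous snoop inside a zone would and would not get. The second function is an assumed, simplified egress check in the spirit of illumos link protection (the dladm `protection=mac-nospoof,ip-nospoof` and `allowed-ips` link properties), which is the global-zone-side control that answers Jim's concern about an exclusive-IP zone claiming arbitrary addresses; the real kernel logic is more involved and this is only a model. All MAC addresses, IP addresses and frames are constructed for the example.

```python
"""
Constructed model (not illumos code) of:
  1. what a MAC_CLIENT_PROMISC_FILTERED client (every VNIC) is handed when it
     snoops promiscuously: unicast to its own MAC, broadcast and multicast;
  2. an assumed egress check modelled on illumos link protection
     (mac-nospoof / ip-nospoof with an allowed-ips set), which is what stops
     an exclusive-IP zone from hijacking other hosts' addresses on the LAN.
Frame layouts follow Ethernet II (RFC 894), ARP (RFC 826) and IPv4 (RFC 791).
"""
import struct
import ipaddress

BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def is_multicast(mac: bytes) -> bool:
    """I/G bit: the least-significant bit of the first octet marks a group address."""
    return bool(mac[0] & 0x01)


def promisc_filtered_deliver(frame: bytes, own_mac: bytes) -> bool:
    """True if a PROMISC_FILTERED client whose MAC is own_mac would see this frame."""
    if len(frame) < 14:
        return False
    dst = frame[:6]
    return dst == own_mac or dst == BROADCAST or is_multicast(dst)


def ether(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def arp_request(sha: bytes, spa: ipaddress.IPv4Address, tpa: ipaddress.IPv4Address) -> bytes:
    """Ethernet-broadcast ARP request 'who has tpa, tell spa' sent from sha."""
    body = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
            + sha + spa.packed + b"\x00" * 6 + tpa.packed)
    return ether(BROADCAST, sha, ETHERTYPE_ARP, body)


def ipv4_frame(dst_mac: bytes, src_mac: bytes,
               src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address) -> bytes:
    """Minimal IPv4 header (no options, zero checksum, no payload) in an Ethernet frame."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                      src_ip.packed, dst_ip.packed)
    return ether(dst_mac, src_mac, ETHERTYPE_IPV4, hdr)


def egress_allowed(frame: bytes, own_mac: bytes, allowed_ips) -> bool:
    """Assumed mac-nospoof + ip-nospoof model: the source MAC must be the VNIC's own,
    and any ARP sender or IPv4 source address must be in the zone's allowed set."""
    if len(frame) < 14 or frame[6:12] != own_mac:
        return False                                  # mac-nospoof
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP and len(frame) >= 42:
        sha, spa = frame[22:28], frame[28:32]         # ARP sender hw / proto address
        return sha == own_mac and ipaddress.IPv4Address(spa) in allowed_ips
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        return ipaddress.IPv4Address(frame[26:30]) in allowed_ips   # IPv4 source
    return True                                       # other ethertypes: no IP check here


# Constructed addresses: locally administered MACs, TEST-NET-1 IPs (assumptions).
ZONE_MAC = bytes.fromhex("020820112233")
OTHER_MAC = bytes.fromhex("020820445566")
GW_MAC = bytes.fromhex("020820aabbcc")
MDNS_MAC = bytes.fromhex("01005e0000fb")
ZONE_IP = ipaddress.IPv4Address("192.0.2.10")
OTHER_IP = ipaddress.IPv4Address("192.0.2.11")
GW_IP = ipaddress.IPv4Address("192.0.2.1")
ALLOWED = {ZONE_IP}                                   # the zone's allowed-ips set


def ingress_demo() -> dict:
    """What the zone's promiscuous snoop would receive from constructed LAN traffic."""
    frames = {
        "unicast_to_zone": ipv4_frame(ZONE_MAC, GW_MAC, GW_IP, ZONE_IP),
        "unicast_to_neighbour": ipv4_frame(OTHER_MAC, GW_MAC, GW_IP, OTHER_IP),
        "broadcast_arp": arp_request(GW_MAC, GW_IP, OTHER_IP),
        "multicast_mdns": ipv4_frame(MDNS_MAC, OTHER_MAC, OTHER_IP,
                                     ipaddress.IPv4Address("224.0.0.251")),
    }
    return {name: promisc_filtered_deliver(f, ZONE_MAC) for name, f in frames.items()}


def egress_demo() -> dict:
    """Which frames the zone's VNIC would be allowed to send under the modelled protection."""
    frames = {
        "own_arp": arp_request(ZONE_MAC, ZONE_IP, GW_IP),
        "gateway_hijack_arp": arp_request(ZONE_MAC, GW_IP, OTHER_IP),  # claims the gateway IP
        "spoofed_src_ip": ipv4_frame(GW_MAC, ZONE_MAC, OTHER_IP, GW_IP),
        "spoofed_src_mac": ipv4_frame(GW_MAC, OTHER_MAC, ZONE_IP, GW_IP),
        "legit_ip": ipv4_frame(GW_MAC, ZONE_MAC, ZONE_IP, GW_IP),
    }
    return {name: egress_allowed(f, ZONE_MAC, ALLOWED) for name, f in frames.items()}


if __name__ == "__main__":
    for name, seen in ingress_demo().items():
        print(f"ingress {name:22} delivered={seen}")
    for name, ok in egress_demo().items():
        print(f"egress  {name:22} allowed={ok}")
```

The ingress half shows the point from the thread: a neighbour's unicast never reaches a snoop in the zone, but every broadcast ARP and multicast frame does, which is exactly the "network research" exposure Jim mentions. The egress half is the assumed mirror image: with an allowed-ips set enforced from the global zone, the ARP that claims the gateway's address is refused at the VNIC, regardless of what the exclusive-IP zone configured for itself.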