Tuesday, May 3, 2011

Zone Network Interfaces


Network Isolation
If a zone needs to be isolated at the IP layer on the network, for example, by being connected to different VLANs or different LANs than the global zone and other non-global zones, then for security reasons the zone can have an exclusive IP. The exclusive-IP zone can be used to consolidate applications that must communicate on different subnets that are on different VLANs or different LANs.
Zones can also be configured as shared-IP zones. These zones connect to the same VLANs or same LANs as the global zone and share the IP routing configuration with the global zone. Shared-IP zones have separate IP addresses, but share the other parts of IP.

Zone Network Interfaces

Zone network interfaces configured by the zonecfg command to provide network connectivity will automatically be set up and placed in the zone when it is booted.
The Internet Protocol (IP) layer accepts and delivers packets for the network. This layer includes IP routing, the Address Resolution Protocol (ARP), IP security architecture (IPsec), and IP Filter.
There are two IP types available for non-global zones, shared-IP and exclusive-IP. The shared-IP zone shares a network interface and the exclusive-IP zone must have a dedicated network interface.

Shared-IP Non-Global Zones

The shared-IP zone is the default type. The zone must have one or more dedicated IP addresses. A shared-IP zone shares the IP layer configuration and state with the global zone. The zone should use the shared-IP instance if both of the following are true:
- The zone is to be connected to the same data-link, that is, be on the same IP subnet or subnets as the global zone.
- You do not want the other capabilities that the exclusive-IP zone provides.
Shared-IP zones are assigned one or more IP addresses using the zonecfg command. The data-link names must also be configured in the global zone.
These addresses are associated with logical network interfaces. The ifconfig command can be used from the global zone to add or remove logical interfaces in a running zone.

Exclusive-IP Non-Global Zones

Full IP-level functionality is available in an exclusive-IP zone, which has its own IP-related state. This includes the ability to use the following features in an exclusive-IP zone:
- DHCPv4 and IPv6 stateless address autoconfiguration
- IP Filter, including network address translation (NAT) functionality
- IP Network Multipathing (IPMP)
- IP routing
- ndd for setting TCP/UDP/SCTP as well as IP/ARP-level knobs
- IP security (IPsec) and Internet Key Exchange (IKE), which automates the provision of authenticated keying material for IPsec security associations
An exclusive-IP zone is assigned its own set of data-links using the zonecfg command. The zone is given a data-link name such as xge0, e1000g1, or bge32001, using the physical property of the net resource. The address property of the net resource is not set.
Note that the assigned data-link enables the snoop command to be used.
The dladm command can be used with the show-linkprop subcommand to show the assignment of data-links to running exclusive-IP zones. The dladm command can be used with the set-linkprop subcommand to assign additional data-links to running zones.
Inside a running exclusive-IP zone, the ifconfig command can be used to configure IP, which includes the ability to add or remove logical interfaces. The IP configuration in a zone can be set up in the same way as for the global zone, by using the sysidtools. For example, the interfaces of a running zone can be listed from the global zone with:
global# zlogin zone1 ifconfig -a
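As an added example (not from the post or the Solaris documentation), the script below generates the zonecfg subcommands for the net resource of either zone type, refusing requests that mix the two models: a shared-IP net resource needs physical and address, an exclusive-IP one needs physical only, since addressing is done inside the zone. Zone names, link names and addresses in the comments are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the post: emit the zonecfg subcommands for the net
# resource of a shared-IP or exclusive-IP zone, enforcing the split the post
# describes. A shared-IP net resource carries physical + address; an
# exclusive-IP net resource carries physical only, because addressing is done
# inside the zone (ifconfig/sysidtools). Zone names, links and addresses in
# the usage comments are constructed sample values.

# zone_net_cmds TYPE ZONENAME LINK [ADDRESS]
# Prints the subcommands on stdout; returns 1 (with a message on stderr) when
# the request mixes the two models, so a typo does not silently produce a
# zone with the wrong trust boundary.
zone_net_cmds() {
    iptype=$1 zone=$2 link=$3 addr=$4
    [ -n "$zone" ] && [ -n "$link" ] || {
        echo "usage: zone_net_cmds shared|exclusive ZONE LINK [ADDRESS]" >&2
        return 1
    }
    case "$iptype" in
    shared)
        # shared-IP: the zone may only source packets from this address
        [ -n "$addr" ] || {
            echo "$zone: a shared-IP net resource needs an address" >&2
            return 1
        }
        printf 'set ip-type=shared\nadd net\nset physical=%s\nset address=%s\nend\n' \
            "$link" "$addr"
        ;;
    exclusive)
        # exclusive-IP: the whole data-link moves into the zone; zonecfg sets
        # no address, and root in the zone can then emit arbitrary L2 frames
        [ -z "$addr" ] || {
            echo "$zone: exclusive-IP zones set addresses inside the zone, not in zonecfg" >&2
            return 1
        }
        printf 'set ip-type=exclusive\nadd net\nset physical=%s\nend\n' "$link"
        ;;
    *)
        echo "$zone: unknown ip-type '$iptype' (expected shared or exclusive)" >&2
        return 1
        ;;
    esac
}

# On a Solaris host, after 'zonecfg -z zone2 create' (or on an existing zone):
#   zone_net_cmds exclusive zone2 e1000g1 > /tmp/zone2.net
#   zonecfg -z zone2 -f /tmp/zone2.net && zonecfg -z zone2 info net
# The generated file is not applied here, so the script itself runs anywhere.
```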

Security Differences Between Shared-IP and Exclusive-IP Non-Global Zones

In a shared-IP zone, applications in the zone, including the superuser, cannot send packets with source IP addresses other than the ones assigned to the zone through the zonecfg utility. A shared-IP zone also cannot send or receive arbitrary data-link (layer 2) packets.
For an exclusive-IP zone, zonecfg instead grants the entire specified data-link to the zone. As a result, the superuser in an exclusive-IP zone can send spoofed packets on those data-links, just as can be done in the global zone.

Using Shared-IP and Exclusive-IP Non-Global Zones at the Same Time

The shared-IP zones always share the IP layer with the global zone, and the exclusive-IP zones always have their own instance of the IP layer. Both shared-IP zones and exclusive-IP zones can be used on the same machine.
