[redhat-lspp] Re: LSPP Development Telecon 06/19/2006 Minutes
Eric W. Biederman
ebiederm at xmission.com
Thu Jun 22 19:59:28 UTC 2006
"Serge E. Hallyn" <serue at us.ibm.com> writes:
> Quoting Paul Moore (paul.moore at hp.com):
>>
>> If I am understanding you correctly this just sounds like adding IP
>> aliases to an interface, or just simply adding a new NIC, and assigning
>> each address to a network namespace. While it's easy to do and even
>> easier to secure I don't think it addresses the problem we are trying to
>> solve - port polyinstantiation - where you can have multiple
>> applications bound to the same IP/protocol/port with the only difference
>> being the application's security label.
>
> I'm really not the expert here, but nevertheless according to what I've
> heard from at least the PlanetLab guys, we may not need to use nat -
> having multiple containers with the same IP address may be possible.
So no. No nat needed.
All you have to do is set up a network namespace as a router that routes
packets by security label to different network namespaces.
    OUTSIDE WORLD
         |
         v
       ROUTER -> SECURITY SPACE 1
         | \
         |  v
         | SECURITY SPACE 2
         v
    SECURITY SPACE 3
The destination network namespaces are effectively different network
stacks so they can be configured however you want.
So a network namespace should be able to solve a port polyinstantiation
problem, allowing you to bind multiple applications to INADDR_ANY
with the same protocol and port on the same machine.
I have a hard time arguing for this case because I can't think of
a good reason to implement port polyinstantiation.
Eric
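An added example, not part of the thread: the topology Eric sketches above, built with stock iproute2 on Linux. A router namespace forwards every packet addressed to 10.0.0.2:8080 into one of two "security space" namespaces, each with a listener bound to INADDR_ANY:8080 on that same address. Stock Linux has no route-by-security-label, so the classifier is the client's source address, a constructed stand-in for the label; the namespace names, addresses, routing table numbers and port are likewise made up for the demonstration. It needs root with CAP_SYS_ADMIN and python3.

```shell
#!/bin/sh
# Added example, not code from this thread. A "router" netns forwards packets
# that are all addressed to 10.0.0.2:8080 into separate "space" netns, each of
# which has a listener bound to INADDR_ANY:8080. The client's source address is
# a constructed stand-in for the security label. Needs root (CAP_SYS_ADMIN).
set -u

PORT=8080
SHARED_IP=10.0.0.2      # every space owns this same address
GATEWAY=10.0.0.1        # the router's address on every space link

# Constructed policy: which space a client "label" (source address) selects.
space_for_source() {
    case "$1" in
        10.10.0.1) echo space1 ;;
        10.10.0.2) echo space2 ;;
        *)         echo unknown; return 1 ;;
    esac
}
# Routing table that steers 10.0.0.0/24 onto a given space's link.
table_for_space() { case "$1" in space1) echo 1 ;; space2) echo 2 ;; esac; }

topology_up() {
    for ns in outside router space1 space2; do
        ip netns add "$ns"
        ip -n "$ns" link set lo up
    done
    # Forward in the router. Both space links carry the same subnet, so strict
    # reverse-path filtering would drop replies arriving on the "other" link.
    ip netns exec router sysctl -qw net.ipv4.ip_forward=1 \
        net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0

    # outside <-> router; two client addresses stand in for two labels
    ip link add out0 type veth peer name rt-out
    ip link set out0 netns outside
    ip link set rt-out netns router
    ip -n router addr add 10.10.0.254/24 dev rt-out
    ip -n router link set rt-out up
    ip -n outside addr add 10.10.0.1/24 dev out0
    ip -n outside addr add 10.10.0.2/24 dev out0
    ip -n outside link set out0 up
    ip -n outside route add 10.0.0.0/24 via 10.10.0.254

    # router <-> each space; every space gets the SAME address and port
    for sp in space1 space2; do
        ip link add "rt-$sp" type veth peer name "$sp-eth0"
        ip link set "rt-$sp" netns router
        ip link set "$sp-eth0" netns "$sp"
        ip -n router addr add "$GATEWAY/24" dev "rt-$sp"
        ip -n router link set "rt-$sp" up
        # a private table in which 10.0.0.0/24 lives on this link only
        ip -n router route add 10.0.0.0/24 dev "rt-$sp" table "$(table_for_space "$sp")"
        ip -n "$sp" link set "$sp-eth0" name eth0
        ip -n "$sp" addr add "$SHARED_IP/24" dev eth0
        ip -n "$sp" link set eth0 up
        ip -n "$sp" route add default via "$GATEWAY"
    done
    # The "label" classifier: the source address picks the table, hence the space.
    for src in 10.10.0.1 10.10.0.2; do
        ip -n router rule add from "$src" \
            lookup "$(table_for_space "$(space_for_source "$src")")"
    done
}

topology_down() {
    for ns in outside router space1 space2; do
        ip netns del "$ns" 2>/dev/null || true
    done
}

# One-shot listener bound to INADDR_ANY:$PORT inside space $1; answers its name.
listen_in() {
    ip netns exec "$1" python3 -c '
import socket, sys
s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(("", int(sys.argv[2])))   # INADDR_ANY: identical bind in every space
s.listen(1)
s.settimeout(10)
c, _ = s.accept()
c.sendall(sys.argv[1].encode() + b"\n")
c.close()' "$1" "$PORT"
}

# Connect to the shared address from "outside" using source address $1.
probe_from() {
    ip netns exec outside python3 -c '
import socket, sys, time
for _ in range(20):   # retry until the one-shot listener is up
    try:
        c = socket.create_connection((sys.argv[2], int(sys.argv[3])), timeout=5,
                                     source_address=(sys.argv[1], 0))
        break
    except OSError:
        time.sleep(0.25)
sys.stdout.write(c.recv(64).decode())' "$1" "$SHARED_IP" "$PORT"
}

# Prints one "<client source> -> <space that answered>" line per label.
lspp_demo() {
    trap topology_down EXIT
    topology_up >/dev/null
    listen_in space1 & p1=$!
    listen_in space2 & p2=$!
    for src in 10.10.0.1 10.10.0.2; do
        printf '%s -> %s\n' "$src" "$(probe_from "$src" | tr -d '\n')"
    done
    wait "$p1" "$p2"
}

case "${1:-}" in run) lspp_demo ;; esac
```

Run it as root with `sh demo.sh run`; it prints which space answered each client address and tears the namespaces down on exit. Only the classifier is a stand-in: the forwarding decision is made entirely inside the router namespace, the two listeners never see each other's traffic, and neither space needs NAT or a distinct address.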