[redhat-lspp] Re: LSPP Development Telecon 06/19/2006 Minutes

Eric W. Biederman ebiederm at xmission.com
Thu Jun 22 19:59:28 UTC 2006


"Serge E. Hallyn" <serue at us.ibm.com> writes:

> Quoting Paul Moore (paul.moore at hp.com):
>> 
>> If I am understanding you correctly this just sounds like adding IP
>> aliases to an interface, or just simply adding a new NIC, and assigning
>> each address to a network namespace.  While it's easy to do and even
>> easier to secure I don't think it addresses the problem we are trying to
>> solve - port polyinstantiation - where you can have multiple
>> applications bound to the same IP/protocol/port with the only difference
>> being the application's security label.
>
> I'm really not the expert here, but nevertheless according to what I've
> heard from at least the PlanetLab guys, we may not need to use NAT -
> having multiple containers with the same IP address may be possible.

So no.  No NAT needed.

All you have to do is set up a network namespace as a router that routes
packets by security label to different network namespaces.

    OUTSIDE WORLD
        |
        v

      ROUTER -> SECURITY SPACE 1
        |  \
        |   v
        |   SECURITY SPACE 2
        v
     SECURITY SPACE 3


The destination network namespaces are effectively different network
stacks so they can be configured however you want.

So a network namespace should be able to solve a port polyinstantiation
problem, allowing you to bind multiple applications to INADDR_ANY
with the same protocol and port on the same machine.

I have a hard time arguing for this case because I can't think of
a good reason to implement port polyinstantiation.

Eric
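The claim above, that one network namespace per "security space" lets several applications bind INADDR_ANY on the same protocol and port, can be checked directly. The C program below is an added example written for this archive page; it is not code from Eric, from the thread, or from any LSPP project. It assumes Linux: step 1 binds a TCP socket to an ephemeral port and shows that a second bind on that port in the same namespace fails with EADDRINUSE; step 2 moves the process into a fresh network namespace (plain CLONE_NEWNET, which needs CAP_SYS_ADMIN, with a fallback that wraps it in a user namespace for unprivileged users) and binds the same port again. The label-based router in the diagram is deliberately not implemented: the thread names no mechanism for it, so nothing here pretends to be one.

```c
/* Added example (not from the original thread): confirm that a TCP port
 * can be bound once per network namespace. Step 1 is the familiar
 * EADDRINUSE collision inside one namespace; step 2 moves this process
 * into a fresh network namespace and binds the same port again. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/syscall.h>

/* Raw syscall plus fallback constants so the block builds even when a
 * system header was pulled in before _GNU_SOURCE took effect. The values
 * are the Linux UAPI ones from <linux/sched.h>. */
#ifndef CLONE_NEWNET
#define CLONE_NEWNET  0x40000000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

enum demo_result {
    DEMO_POLYINSTANTIATED = 0,  /* same port bound again inside a new netns */
    DEMO_NETNS_UNAVAILABLE = 1, /* kernel or sandbox refused a new netns */
    DEMO_FAILED = 2             /* unexpected error; see *err */
};

/* Bind a new TCP socket to INADDR_ANY:port (port 0 = kernel picks one).
 * Returns the fd, or -errno. If bound_port is non-NULL the chosen port is
 * stored there. No SO_REUSEADDR is set, so a second bind on a port that
 * is already bound in this namespace is rejected with EADDRINUSE. */
static int bind_any(uint16_t port, uint16_t *bound_port)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        (bound_port && getsockname(fd, (struct sockaddr *)&sa, &len) < 0)) {
        int e = errno;
        close(fd);
        return -e;
    }
    if (bound_port)
        *bound_port = ntohs(sa.sin_port);
    return fd;
}

/* Step 1: within one namespace the second bind collides. Returns the
 * errno of the second bind (expected: EADDRINUSE), or 0 if it succeeded. */
int same_netns_collision(void)
{
    uint16_t port = 0;
    int first = bind_any(0, &port);
    if (first < 0)
        return -first;
    int second = bind_any(port, NULL);
    close(first);
    if (second >= 0) {
        close(second);
        return 0;
    }
    return -second;
}

/* Move the calling process into a new network namespace. Plain
 * CLONE_NEWNET needs CAP_SYS_ADMIN; the fallback wraps it in a new user
 * namespace, which unprivileged users may create on permissive kernels.
 * Returns 0 or -errno. */
static int enter_new_netns(void)
{
    if (syscall(SYS_unshare, CLONE_NEWNET) == 0)
        return 0;
    if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWNET) == 0)
        return 0;
    return -errno;
}

/* Step 2: hold a port in the original namespace, enter a new one, and bind
 * the same INADDR_ANY/TCP/port there. The process stays in the new
 * namespace afterwards, so call this last. */
int demo_port_polyinstantiation(int *err)
{
    uint16_t port = 0;
    int held = bind_any(0, &port);
    if (held < 0) { *err = -held; return DEMO_FAILED; }
    int rc = enter_new_netns();
    if (rc < 0) { *err = -rc; close(held); return DEMO_NETNS_UNAVAILABLE; }
    int again = bind_any(port, NULL);
    close(held);
    if (again < 0) { *err = -again; return DEMO_FAILED; }
    close(again);
    *err = 0;
    return DEMO_POLYINSTANTIATED;
}

int main(void)
{
    int e = 0;
    printf("same namespace, second bind: %s\n", strerror(same_netns_collision()));
    int r = demo_port_polyinstantiation(&e);
    printf("new namespace: %s\n",
           r == DEMO_POLYINSTANTIATED ? "same port bound again"
           : r == DEMO_NETNS_UNAVAILABLE ? "unshare refused (needs CAP_SYS_ADMIN or user namespaces)"
           : "unexpected failure");
    if (e)
        printf("errno: %s\n", strerror(e));
    return r == DEMO_FAILED;
}
```

Run it as root, or on a kernel that allows unprivileged user namespaces, to see both steps succeed; in a sandbox that refuses unshare(2) the program reports that honestly rather than claiming the point is proven. Each new namespace starts with only a down loopback, so getting traffic to the second listener is exactly the routing job the diagram assigns to the ROUTER namespace (veth pairs into each space, plus whatever policy maps a packet's label to a space).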
