[redhat-lspp] Re: LSPP Development Telecon 06/19/2006 Minutes

Andrey Savochkin saw at sw.ru
Fri Jun 23 07:31:42 UTC 2006


On Thu, Jun 22, 2006 at 02:17:53PM -0500, Serge E. Hallyn wrote:
> Quoting Paul Moore (paul.moore at hp.com):
> > 
> > If I am understanding you correctly this just sounds like adding IP
> > aliases to an interface, or just simply adding a new NIC, and assigning
> > each address to a network namespace.  While it's easy to do and even
> > easier to secure I don't think it addresses the problem we are trying to
> > solve - port polyinstantiation - where you can have multiple
> > applications bound to the same IP/protocol/port with the only difference
> > being the application's security label.
> 
> I'm really not the expert here, but nevertheless according to what I've
> heard from at least the PlanetLab guys, we may not need to use nat -
> having multiple containers with the same IP address may be possible.

Everything is possible.

It all depends on how the kernel is supposed to determine to which socket
packets are destined.
Which implies the question why "port polyinstantiation" is needed in the
first place.  The authors of the TCP protocol introduced the notion of "port"
to make (IP, port) pair a unique identifier of the endpoint.
What's wrong with this definition of port?

Best regards
		Andrey
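The point both sides of this exchange turn on, which socket the kernel hands a packet to, can be seen from user space. The following is an added example, not code from the thread or from any project discussed in it: it binds two TCP sockets to one (127.0.0.1, port) pair and records whether the kernel allows it, then, with SO_REUSEPORT (a Linux 3.9+ option, assumed available here), shows that when the kernel does admit two listeners on the same address it picks one per connection by hashing the 4-tuple, consulting nothing like a security label. The port number is chosen by the kernel (bind to port 0) so the script runs on any host with a loopback interface.

```python
import errno
import select
import socket


def try_duplicate_bind(reuseport: bool) -> tuple:
    """Bind two TCP sockets to the same (127.0.0.1, port).

    Returns (port, second_bind_succeeded).  Without SO_REUSEPORT the kernel
    enforces the (IP, port) uniqueness the mail refers to and the second
    bind fails with EADDRINUSE.  With SO_REUSEPORT on both sockets (same
    uid) both binds are accepted.
    """
    first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if reuseport:
            first.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
            second.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
        first.bind(("127.0.0.1", 0))          # port 0: kernel picks a free port
        port = first.getsockname()[1]
        try:
            second.bind(("127.0.0.1", port))  # same IP, protocol and port
            return port, True
        except OSError as exc:
            if exc.errno != errno.EADDRINUSE:
                raise
            return port, False
    finally:
        first.close()
        second.close()


def reuseport_dispatch(n_connections: int = 6) -> dict:
    """Two SO_REUSEPORT listeners on one (IP, port); count how many of the
    incoming connections the kernel hands to each.

    The listener is chosen by a hash of the connection 4-tuple (Linux
    behaviour).  The sum always equals n_connections; the split between the
    two listeners is whatever the hash produces, and nothing about the
    peer's credentials or label enters into the choice.
    """
    listeners = []
    for _ in range(2):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
        listeners.append(sock)
    listeners[0].bind(("127.0.0.1", 0))
    port = listeners[0].getsockname()[1]
    listeners[1].bind(("127.0.0.1", port))
    for sock in listeners:
        sock.listen(16)

    counts = {0: 0, 1: 0}
    clients = []
    try:
        for _ in range(n_connections):
            # connect() returning means the handshake completed, so the
            # kernel has already queued this connection on one listener.
            clients.append(socket.create_connection(("127.0.0.1", port)))
            ready, _, _ = select.select(listeners, [], [], 2.0)
            for sock in ready:
                conn, _ = sock.accept()
                conn.close()
                counts[listeners.index(sock)] += 1
    finally:
        for c in clients:
            c.close()
        for sock in listeners:
            sock.close()
    return counts


if __name__ == "__main__":
    print("plain bind, second socket accepted:", try_duplicate_bind(False))
    print("SO_REUSEPORT, second socket accepted:", try_duplicate_bind(True))
    print("connections per SO_REUSEPORT listener:", reuseport_dispatch())
```

Run as root or not, the result is the same: the plain case reports `False` for the second bind, the SO_REUSEPORT case reports `True`, and the dispatch counts add up to the number of connections made. That is the whole of what the stock lookup offers: either one socket owns the (IP, port) endpoint, or several equivalent sockets share it and the kernel load-balances between them. Selecting among them by security label would be a new lookup key in the kernel, which is why the thread treats label-based port polyinstantiation as a different problem from giving each container its own address.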



