help-hurd
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: "network administrator" in GNU/Hurd


From: Hisham Kotry
Subject: Re: "network administrator" in GNU/Hurd
Date: Sat, 23 Aug 2003 09:53:31 -0700 (PDT)

--- Farid Hajji <address@hidden> wrote:
> Of course, not every user should have full,
> unrestricted access to a
> network card. Why? If the card is used concurrently
> by many users, and
> an ethernet frame is received by the card, where
> should this frame be
> delivered to? In theory, it could be multiplexed
> (copied) to every
> network translator that is attached to it. This in
> itself is not a
> problem, but from a security point of view, it may
> not be such a good
> idea.  Perhaps some frames are only destined to a
> subset of
> priviledged users? You don't want everyone sniffing
> everything that
> comes in, perhaps hijacking connections, etc... So
> there is still need
> for policies here. FreeBSD jails solve this
> particular problem by
> associating a single IP address to every jail and
> demultiplexing
> the incoming stream of IP packets based on the IP
> address. In the
> Hurd, another mechanism should be designed, which
> could perhaps act
> at a lower level (frames).

You probably want to look at
http://www.tel.fer.hr/zec/papers/zec-03.pdf . Peter
and I discussed exporting virtual interfaces to
sub-hurds and bridging traffic (vlans anyone?) to
them. The way BSD's jail works, ie. demuxing ip
addresses to their respective jails, is somewhat
defunct. The main argument for allowing sub-hurds to
attach their own stacks is for protocol testing and
development, in other words, you cant have the main
hurd image care about the IPv4 and v6 address assigned
to each sub-hurd, and the situation gets even worse
when people start running ipx, atalk, etc.. in their
own sub-hurds.

Chaow,
kotry

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com




reply via email to

[Prev in Thread] Current Thread [Next in Thread]