[redhat-lspp] Re: LSPP Development Telecon 06/19/2006 Minutes
- From: Andrey Savochkin <saw sw ru>
- To: "Serge E. Hallyn" <serue us ibm com>, Paul Moore <paul moore hp com>
- Cc: redhat-lspp redhat com, Dave Hansen <haveblue us ibm com>, Andrey Savochkin <saw sw ru>, Ted <txtoth gmail com>, "Eric W. Biederman" <ebiederm xmission com>, Daniel Lezcano <dlezcano fr ibm com>
- Subject: [redhat-lspp] Re: LSPP Development Telecon 06/19/2006 Minutes
- Date: Fri, 23 Jun 2006 11:31:42 +0400
On Thu, Jun 22, 2006 at 02:17:53PM -0500, Serge E. Hallyn wrote:
> Quoting Paul Moore (paul moore hp com):
> >
> > If I am understanding you correctly this just sounds like adding IP
> > aliases to an interface, or just simply adding a new NIC, and assigning
> > each address to a network namespace. While it's easy to do and even
> > easier to secure I don't think it addresses the problem we are trying to
> > solve - port polyinstantiation - where you can have multiple
> > applications bound to the same IP/protocol/port with the only difference
> > being the application's security label.
>
> I'm really not the expert here, but nevertheless according to what I've
> heard from at least the PlanetLab guys, we may not need to use NAT -
> having multiple containers with the same IP address may be possible.
Everything is possible.
It all depends on how the kernel is supposed to determine to which socket
packets are destined.
Which implies the question why "port polyinstantiation" is needed in the
first place. The authors of the TCP protocol introduced the notion of "port"
to make the (IP, port) pair a unique identifier of the endpoint.
What's wrong with this definition of port?
Best regards
Andrey
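As an added example in C (not from this thread), the uniqueness rule Andrey refers to, observed from userspace on Linux: a second listener on the same (IP, port) is refused with EADDRINUSE, while the same port on another loopback address (127.0.0.2, which Linux routes to lo without extra configuration) binds fine, which is the IP-alias approach Paul describes. The function and helper names are my own.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a fresh TCP socket to ip:port and start listening.
 * Returns the socket fd on success, or -errno on failure. */
static int bind_listen(const char *ip, uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) {
        close(fd);
        return -EINVAL;
    }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* Port the kernel actually assigned (we bind the first socket to port 0). */
static uint16_t bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return 0;
    return ntohs(sa.sin_port);
}

/* Bit 0 set: a second listener on the same (IP, port) got EADDRINUSE.
 * Bit 1 set: the same port on the alias 127.0.0.2 was accepted. */
int demo_endpoint_uniqueness(void)
{
    int a = bind_listen("127.0.0.1", 0);          /* ephemeral port */
    if (a < 0)
        return 0;
    uint16_t port = bound_port(a);
    int b = bind_listen("127.0.0.1", port);       /* same (IP, port): refused */
    int c = bind_listen("127.0.0.2", port);       /* other address, same port */
    int result = (b == -EADDRINUSE ? 1 : 0) | (c >= 0 ? 2 : 0);
    if (c >= 0) close(c);
    close(a);
    return result;
}
```

SO_REUSEPORT (Linux 3.9 and later) lets several sockets share one (IP, port), but the kernel then spreads incoming connections across them by hash, so it does not give the per-label demultiplexing that port polyinstantiation asks for.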