Security Differences Between Shared-IP and Exclusive-IP Non-Global Zones (System Administration Guide: Virtualization Using the Solaris Operating System)

System Administration Guide: Virtualization Using the Solaris Operating System

Previous: Exclusive-IP Non-Global Zones
Next: Using Shared-IP and Exclusive-IP Non-Global Zones at the Same Time

Security Differences Between Shared-IP and Exclusive-IP Non-Global Zones

In a shared-IP zone, applications in the zone, including the superuser, cannot send packets with source IP addresses other than the ones assigned to the zone through the zonecfg utility. This type of zone does not have access to send and receive arbitrary data-link (layer 2) packets.

For an exclusive-IP zone, zonecfg instead grants the entire specified data-link to the zone. As a result, the superuser in an exclusive-IP zone can send spoofed packets on those data-links, just as can be done in the global zone.

Previous: Exclusive-IP Non-Global Zones
Next: Using Shared-IP and Exclusive-IP Non-Global Zones at the Same Time