|Skip Navigation Links|
|Exit Print View|
|Oracle Solaris Administration: Network Interfaces and Network Virtualization Oracle Solaris 11 Information Library|
With the increasing adoption of virtualization in system configurations, guest virtual machines (VMs) can be given exclusive access to a physical or virtual link by the host administrator. This configuration improves network performance by allowing the virtual environment's network traffic to be isolated from the wider traffic that is received or sent by the host system. At the same time, this configuration can expose the system and the entire network to the risk of harmful packets that a guest environment might generate.
Link protection aims to prevent the damage that can be caused by potentially malicious guest VMs to the network. The feature offers protection from the following basic threats:
IP and MAC spoofing
L2 frame spoofing such as Bridge Protocol Data Unit (BPDU) attacks
Note - Link protection should not replace the deployment of a firewall, particularly for configurations with more complex filtering requirements.
The link protection mechanism is disabled by default. To enable link protection, specify one or more of the following protection types as values of the protection link property:
Enables protection against MAC spoofing. An outbound packet's source MAC address must match the datalink's configured MAC address. Otherwise, the packet is dropped. If the link belongs to a zone, enabling mac-nospoof prevents the zone's owner from modifying that link's MAC address.
Enables protection against IP spoofing. Any outgoing IP, ARP, or NDP packet must have an address field that matches either a DHCP-configured IP address or one of the addresses listed in the allowed-ips link property. Otherwise, the packet is dropped.
The allowed-ips link property works with the ip-nospoof protection type. By default, the list specified by this property is empty. If the property is empty or unconfigured, the following IP addresses are implicitly included in the property. These IP addresses are matched with the IP address of the outgoing packets to determine if the packets are allowed to pass or are dropped.
DHCP-configured IPv4 or IPv6 addresses that are dynamically learned
Link local IPv6 addresses that conform to RFC 2464 and which are derived from the link's MAC address
The following list indicates a protocol and the corresponding outbound packet's associated address field that must match an address in the allowed-ips property. If this property is empty, then the packet's address must match a DHCP-configured IP address.
IP (IPv4 or IPv6) – The packet's source address
ARP – The packet's sender protocol address.
Restricts outgoing packets to only those packets of the IPv4, IPv6, and ARP protocol types. Other packets that are not of the listed types are dropped. Using this protection type prevents the link from generating potentially harmful L2 control frames.
Note - Packets that are dropped because of link protection are tracked by the following kernel statistics: mac_spoofed, ip_spoofed, and restricted. These statistics correspond to the three protection types. Use the kstat command to retrieve these per-link statistics. For more details about retrieving these statistics, see the kstat(1M) man page.