About Link Protection
With the increasing adoption of virtualization in system configurations,
guest virtual machines (VMs) can be given exclusive access to a physical or
virtual link by the host administrator. This configuration improves network
performance by allowing the virtual environment's network traffic to be isolated
from the wider traffic that is received or sent by the host system. At the
same time, this configuration can expose the system and the entire network
to the risk of harmful packets that a guest environment might generate.
Link protection aims to prevent the damage
that can be caused by potentially malicious guest VMs to the network. The
feature offers protection from the following basic threats:
IP, DHCP, and MAC spoofing
L2 frame spoofing such as Bridge Protocol Data Unit (BPDU)
Note - Link protection does not replace the deployment of a firewall,
particularly for configurations with complex filtering requirements.
Link Protection Types
The link protection mechanism in Oracle Solaris supplies the following protection
Enables protection against spoofing the system's MAC address.
If the link belongs to a zone, enabling mac-nospoof prevents
the zone's owner from modifying that link's MAC address.
Enables protection against IP spoofing. By default, outbound
packets with DHCP addresses and link local IPv6 addresses are allowed.
You can add addresses by using the allowed-ips link
property. For IP addresses, the packet's source address must match an address
in the allowed-ips list. For an ARP packet, the packet's
sender protocol address must be in the allowed-ips list.
Enables protection against spoofing of the DHCP client. By
default, DHCP packets whose ID matches the system's MAC address are allowed.
You can add allowed clients by using the allowed-dhcp-cids link
property. Entries in the allowed-dhcp-cids list must be
formatted as specified in the dhcpagent(8) man page.
Restricts outgoing packets to IPv4, IPv6, and ARP. This protection
type is designed to prevent the link from generating potentially harmful L2
Packets that are dropped because of link protection are tracked
by the kernel statistics for the four protection types: mac_spoofed
, and restricted
To retrieve these per-link statistics, see How to View Link Protection Configuration and Statistics
For fuller descriptions of these protection types, see the dladm(8) man page.