Shared-IP zones have separate bindings, or connections, and can run their own server daemons. These daemons can listen on the same port numbers without any conflict. The IP stack resolves conflicts by considering the IP addresses for incoming connections. The IP addresses identify the zone.
Shared-IP is not the default, but this type is supported.
The IP stack in a system supporting zones implements the separation of network traffic between zones. Applications that receive IP traffic can only receive traffic sent to the same zone.
Each logical interface on the system belongs to a specific zone, the global zone by default. Logical network interfaces assigned to zones through the zonecfg utility are used to communicate over the network. Each stream and connection belongs to the zone of the process that opened it.
Bindings between upper-layer streams and logical interfaces are restricted. A stream can only establish bindings to logical interfaces in the same zone. Likewise, packets from a logical interface can only be passed to upper-layer streams in the same zone as the logical interface.
Each zone has its own set of bindings. Each zone can be running the same application listening on the same port number without binds failing because the address is already in use. Each zone can run its own version of various networking service such as the following:
Internet services daemon with a full configuration file (see the inetd(8) man page)
sendmail (see the sendmail(8) man page)
Zones other than the global zone have restricted access to the network. The standard TCP and UDP socket interfaces are available, but SOCK_RAW socket interfaces are restricted to Internet Control Message Protocol (ICMP). ICMP is necessary for detecting and reporting network error conditions or using the ping command.
Each non-global zone that requires network connectivity has one or more dedicated IP addresses. These addresses are associated with logical network interfaces that can be placed in a zone. Zone network interfaces configured by zonecfg will automatically be set up and placed in the zone when it is booted. The ipadm command can be used to add or remove logical interfaces when the zone is running. Only the global administrator or a user granted the appropriate authorizations can modify the interface configuration and the network routes.
Within a non-global zone, only that zone's interfaces are visible to the ipadm command.
Traffic Between Zones – A shared-IP zone can reach any given IP destination if there is a usable route for that destination in its routing table. To view the routing table, use the netstat command with the –r option from within the zone. The IP forwarding rules are the same for IP destinations in other zones or on other systems.
IPsec and IKE – IPsec relies on the Internet Key Exchange (IKE) protocol to manage keys. If you are configuring IPsec in a shared-IP zone, configure IKE in the global zone and use the source address that corresponds to the non-global zone that you are configuring. See IPsec Reference in Securing the Network in Oracle Solaris 11.4.
Packet Filter Firewall – PF can be enabled in non-global zones by turning on loopback filtering as described in Chapter 5, Configuring the Firewall in Oracle Solaris in Securing the Network in Oracle Solaris 11.4.
IP Network Multipathing (IPMP) – You configure IPMP in the global zone. Then, you extend the functionality to non-global zones. The functionality is extended by assigning one of the IPMP interface's data addresses to the zone. In a given non-global zone, only the interfaces associated with the zone are visible through the ipadm command.