Securing the Network in Oracle Solaris 11.1

Configuring Link Protection (Task Map)

To use link protection, you set the protection property of the link. If the protection type works together with an additional link property, such as ip-nospoof with allowed-ips or dhcp-nospoof with allowed-dhcp-cids, then you perform two general actions. First, you enable link protection. Then, you set the additional property to identify the packets that are allowed to pass.

Note - You must configure link protection in the global zone.

The following task map points to the procedures for configuring link protection on an Oracle Solaris system.

Task: Enable link protection.
    Description: Restricts the packets that are sent from a link and protects links from spoofing.
    For Instructions: How to Enable Link Protection

Task: Disable link protection.
    Description: Removes link protections.
    For Instructions: How to Disable Link Protection

Task: Specify the IP link protection type.
    Description: Specifies the IP addresses that can pass through the link protection mechanism.
    For Instructions: How to Specify IP Addresses to Protect Against IP Spoofing

Task: Specify the DHCP link protection type.
    Description: Specifies the DHCP client identifiers that can pass through the link protection mechanism.
    For Instructions: How to Specify DHCP Clients to Protect Against DHCP Spoofing

Task: View the link protection configuration.
    Description: Lists the protected links and the exceptions, and shows the enforcement statistics.
    For Instructions: How to View Link Protection Configuration and Statistics

How to Enable Link Protection

This procedure restricts outgoing packet types and prevents the spoofing of links.

Before You Begin

You must become an administrator who is assigned the Network Link Security rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. View the available link protection types.
    # dladm show-linkprop -p protection
    LINK      PROPERTY      PERM VALUE    DEFAULT    POSSIBLE
    vnic0     protection    rw   --       --         mac-nospoof,
                                                     restricted,
                                                     ip-nospoof,
                                                     dhcp-nospoof

    For a description of the possible types, see Link Protection Types and the dladm(1M) man page.

  2. Enable link protection by specifying one or more protection types.
    # dladm set-linkprop -p protection=value[,value,...] link

    In the following example, all four link protection types on the vnic0 link are enabled:

    # dladm set-linkprop \
    -p protection=mac-nospoof,restricted,ip-nospoof,dhcp-nospoof vnic0
  3. Verify that the link protections are enabled.
    # dladm show-linkprop -p protection vnic0
    LINK    PROPERTY       PERM VALUE         DEFAULT      POSSIBLE
    vnic0   protection     rw   mac-nospoof   --           mac-nospoof,
                                restricted                 restricted,
                                ip-nospoof                 ip-nospoof,
                                dhcp-nospoof               dhcp-nospoof

    The link protection type under VALUE indicates that protection is enabled.

How to Disable Link Protection

This procedure resets link protection to the default value, no link protection.

Before You Begin

You must become an administrator who is assigned the Network Link Security rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Disable link protection by resetting the protection property to its default value.
    # dladm reset-linkprop -p protection link
  2. Verify that the link protections are disabled.
    # dladm show-linkprop -p protection vnic0
    LINK      PROPERTY      PERM VALUE    DEFAULT    POSSIBLE
    vnic0     protection    rw   --       --         mac-nospoof,
                                                     restricted,
                                                     ip-nospoof,
                                                     dhcp-nospoof

    No listing of a link protection type under VALUE indicates that link protection is disabled.

How to Specify IP Addresses to Protect Against IP Spoofing

Before You Begin

The ip-nospoof protection type is enabled, as shown in How to Enable Link Protection.

You must become an administrator who is assigned the Network Link Security rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Verify that you have enabled protection against IP spoofing.
    # dladm show-linkprop -p protection link
    LINK    PROPERTY       PERM    VALUE         DEFAULT      POSSIBLE
    link     protection     rw      ...
                                   ip-nospoof                 ip-nospoof 

    The listing of ip-nospoof under VALUE indicates that this protection type is enabled.

  2. Add IP addresses to the list of default values for the allowed-ips link property.
    # dladm set-linkprop -p allowed-ips=IP-addr[,IP-addr,...] link

    The following example shows how to add the IP addresses 10.0.0.1 and 10.0.0.2 to the allowed-ips property for the vnic0 link:

    # dladm set-linkprop -p allowed-ips=10.0.0.1,10.0.0.2 vnic0

    For more information, see the dladm(1M) man page.

How to Specify DHCP Clients to Protect Against DHCP Spoofing

Before You Begin

The dhcp-nospoof protection type is enabled, as shown in How to Enable Link Protection.

You must become an administrator who is assigned the Network Link Security rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Verify that you have enabled protection against DHCP spoofing.
    # dladm show-linkprop -p protection link
    LINK    PROPERTY       PERM    VALUE         DEFAULT      POSSIBLE
    link     protection     rw      ...
                                   dhcp-nospoof               dhcp-nospoof 

    The listing of dhcp-nospoof under VALUE indicates that this protection type is enabled.

  2. Specify an ASCII phrase for the allowed-dhcp-cids link property.
    # dladm set-linkprop -p allowed-dhcp-cids=CID-or-DUID[,CID-or-DUID,...] link

    The following example shows how to specify the string hello as the value for the allowed-dhcp-cids property for the vnic0 link:

    # dladm set-linkprop -p allowed-dhcp-cids=hello vnic0

    For more information, see the dladm(1M) man page.

How to View Link Protection Configuration and Statistics

Before You Begin

You must become an administrator who is assigned the Network Link Security rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. View the link protection property values.
    # dladm show-linkprop -p protection,allowed-ips,allowed-dhcp-cids link

    The following example shows the values for the protection, allowed-ips, and allowed-dhcp-cids properties for the vnic0 link:

    # dladm show-linkprop -p protection,allowed-ips,allowed-dhcp-cids vnic0
    LINK    PROPERTY            PERM     VALUE           DEFAULT    POSSIBLE
    vnic0   protection          rw       mac-nospoof     --         mac-nospoof,
                                         restricted                 restricted,
                                         ip-nospoof                 ip-nospoof,
                                         dhcp-nospoof               dhcp-nospoof
    vnic0   allowed-ips         rw       10.0.0.1,       --         --
                                         10.0.0.2
    vnic0   allowed-dhcp-cids   rw       hello           --         --

    Note - The allowed-ips property is used only if ip-nospoof is enabled, as listed under VALUE. The allowed-dhcp-cids property is used only if dhcp-nospoof is enabled.


  2. View the link protection statistics.

    The output format of the dlstat command is committed (a stable interface), so this command is suitable for use in scripts.

    # dlstat -A
    ...
     vnic0
      mac_misc_stat
                   multircv                       0
                  brdcstrcv                       0
                   multixmt                       0
                  brdcstxmt                       0
              multircvbytes                       0
               bcstrcvbytes                       0
              multixmtbytes                       0
               bcstxmtbytes                       0
                   txerrors                       0
                 macspoofed                       0  <----------
                  ipspoofed                       0  <----------
                dhcpspoofed                       0  <----------
                 restricted                       0  <----------
                   ipackets                       3
                     rbytes                     182
    ...

    The output indicates that no spoofed or restricted packets have attempted to pass through.

    You might use the kstat command, but its output is not committed. For example, the following command finds the dhcpspoofed statistics:

    # kstat vnic0:0:link:dhcpspoofed
    module: vnic0                           instance: 0
    name:   link                            class:    vnic
            dhcpspoofed                     0 

    For more information, see the dlstat(1M) and kstat(1M) man pages.
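    Two checks that a script can run over the command output shown in this procedure, written as an added example that is not part of the Oracle documentation: one catches an allowed-ips or allowed-dhcp-cids list whose matching nospoof type is not enabled (the case the Note above describes, where the list is silently ignored), the other flags non-zero enforcement counters in dlstat -A output. It assumes dladm's parsable form, dladm show-linkprop -c -o link,property,value -p protection,allowed-ips,allowed-dhcp-cids link, which is not shown on this page, and embeds constructed sample output so it runs offline.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation. Both functions read
# command output on stdin:
#   check_allowed_lists  - flags an allowed-ips / allowed-dhcp-cids list whose
#       ip-nospoof / dhcp-nospoof type is NOT enabled (then it is silently ignored)
#   check_spoof_counters - flags non-zero macspoofed/ipspoofed/dhcpspoofed/
#       restricted counters in "dlstat -A" output

# Constructed samples so the script runs offline (dladm -c parsable form assumed).
LINKPROP_SAMPLE='vnic0:protection:mac-nospoof,ip-nospoof
vnic0:allowed-ips:10.0.0.1,10.0.0.2
vnic0:allowed-dhcp-cids:hello'

DLSTAT_SAMPLE=' vnic0
  mac_misc_stat
             macspoofed                       0
              ipspoofed                       7
            dhcpspoofed                       0
             restricted                       2
               ipackets                       3'

# Prints "link property" for each allowed-* list whose type is off; exit 1 if any.
check_allowed_lists() {
    awk -F: '
        $2 == "protection"        { prot[$1] = "," $3 "," }
        $2 == "allowed-ips"       { need[$1 ":" $2] = "ip-nospoof" }
        $2 == "allowed-dhcp-cids" { need[$1 ":" $2] = "dhcp-nospoof" }
        END {
            for (k in need) {
                split(k, a, ":")
                # the type must appear as a whole comma-separated item
                if (index(prot[a[1]], "," need[k] ",") == 0) { print a[1], a[2]; bad++ }
            }
            exit (bad > 0)
        }'
}

# Prints "link counter value" for every non-zero protection counter; exit 1 if any.
check_spoof_counters() {
    awk '
        NF == 1 && $1 !~ /_stat$/ { link = $1; next }        # bare link name line
        NF == 2 && $1 ~ /^(macspoofed|ipspoofed|dhcpspoofed|restricted)$/ && $2 > 0 {
            print link, $1, $2; hits++
        }
        END { exit (hits > 0) }'
}

printf '%s\n' "$LINKPROP_SAMPLE" | check_allowed_lists  || echo "allowed list set without its nospoof type"
printf '%s\n' "$DLSTAT_SAMPLE"   | check_spoof_counters || echo "link protection has dropped packets"
```

On a live system, replace the printf lines with `dladm show-linkprop -c -o link,property,value -p protection,allowed-ips,allowed-dhcp-cids vnic0 | check_allowed_lists` and `dlstat -A | check_spoof_counters`, and alert on a non-zero exit status.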