I find the way that SmartOS does it is pretty nice. Each container gets its own private, virtual NIC, which sits on top of one of the physical NICs or an overlay network, and has its own networking stack. You can even enable layer 2 or layer 3 spoofing protection if you're in a multi-tenant situation, or just want to be more secure.
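
An added example, not part of the comment above: a check a multi-tenant operator could run to list every virtual NIC whose spoofing protection has been relaxed. It assumes the per-NIC `allow_*` properties documented for `vmadm` and JSON shaped like `vmadm lookup -j` output; the sample VMs and addresses are constructed.

```python
import json

# vmadm per-NIC properties that relax anti-spoofing; each defaults to false.
SPOOF_FLAGS = {
    "allow_mac_spoofing": "layer 2: source MAC may differ from the NIC's mac",
    "allow_ip_spoofing": "layer 3: source IP may differ from the NIC's ip",
    "allow_dhcp_spoofing": "NIC may answer as a DHCP server",
    "allow_restricted_traffic": "NIC may send traffic other than IPv4/IPv6/ARP",
}

# Constructed sample in the shape of `vmadm lookup -j` output (not real hosts).
SAMPLE = json.loads("""
[
  {"uuid": "00000000-0000-0000-0000-000000000001", "alias": "web01",
   "nics": [{"interface": "net0", "nic_tag": "external", "ip": "192.0.2.10"}]},
  {"uuid": "00000000-0000-0000-0000-000000000002", "alias": "router01",
   "nics": [{"interface": "net0", "nic_tag": "external", "ip": "192.0.2.11",
             "allow_ip_spoofing": true},
            {"interface": "net1", "nic_tag": "internal", "ip": "198.51.100.1",
             "allow_ip_spoofing": true, "allow_dhcp_spoofing": true}]},
  {"uuid": "00000000-0000-0000-0000-000000000003", "alias": "nonic"}
]
""")


def audit_spoofing(vms):
    """Return one finding per (VM, NIC, flag) where protection is relaxed."""
    findings = []
    for vm in vms:
        for nic in vm.get("nics") or []:  # a VM may have no nics at all
            for flag, meaning in SPOOF_FLAGS.items():
                if nic.get(flag) is True:  # absent or false: still protected
                    findings.append({
                        "alias": vm.get("alias", vm["uuid"]),
                        "interface": nic.get("interface", "?"),
                        "flag": flag,
                        "meaning": meaning,
                    })
    return findings


if __name__ == "__main__":
    for f in audit_spoofing(SAMPLE):
        print(f"{f['alias']} {f['interface']}: {f['flag']} ({f['meaning']})")
```
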