| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 7 Aug 2009 19:44:05 +0000 From: "Fischer, Anna" <anna.fischer@...com> To: Stephen Hemminger <shemminger@...tta.com>, "Paul Congdon (UC Davis)" <ptcongdon@...avis.edu> CC: "drobbins@...too.org" <drobbins@...too.org>, "'Paul Congdon (UC Davis)'" <ptcongdon@...avis.edu>, 'Arnd Bergmann' <arnd@...db.de>, "herbert@...dor.apana.org.au" <herbert@...dor.apana.org.au>, "mst@...hat.com" <mst@...hat.com>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "bridge@...ts.linux-foundation.org" <bridge@...ts.linux-foundation.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "ogerlitz@...taire.com" <ogerlitz@...taire.com>, "evb@...oogroups.com" <evb@...oogroups.com>, "davem@...emloft.net" <davem@...emloft.net> Subject: RE: [Bridge] [PATCH] macvlan: add tap device backend > Subject: Re: [Bridge] [PATCH] macvlan: add tap device backend > > On Fri, 7 Aug 2009 12:10:07 -0700 > "Paul Congdon \(UC Davis\)" <ptcongdon@...avis.edu> wrote: > > > Responding to Daniel's questions... > > > > > I have some general questions about the intended use and benefits > of > > > VEPA, from an IT perspective: > > > > > > In which virtual machine setups and technologies do you forsee this > > > interface being used? > > > > The benefit of VEPA is the coordination and unification with the > external network switch. So, in environments where you are > needing/wanting your feature rich, wire speed, external network device > (firewall/switch/IPS/content-filter) to provide consistent policy > enforcement, and you want your VMs traffic to be subject to that > enforcement, you will want their traffic directed externally. Perhaps > you have some VMs that are on a DMZ or clustering an application or > implementing a multi-tier application where you would normally place a > firewall in-between the tiers. > > I do have to raise the point that Linux is perfectly capable of keeping > up without > the need of an external switch. Whether you want policy external or > internal is > a architecture decision that should not be driven by mis-information > about performance. VEPA is not only about enabling faster packet processing (like firewall/switch/IPS/content-filter etc) by doing this on the external switch. Due to rather low performance of software-based I/O virtualization approaches a lot of effort has recently been going into hardware-based implementations of virtual network interfaces like SRIOV NICs provide. Without VEPA, such a NIC would have to implement sophisticated virtual switching capabilities. VEPA however is very simple and therefore perfectly suited for a hardware-based implementation. So in the future, it will give you direct I/O like performance and all the capabilities your adjacent switch provides. Anna -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists