| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 27 Mar 2013 14:30:17 -0700 From: Jesse Gross <jesse@...ira.com> To: David Stevens <dlstevens@...ibm.com> Cc: Alexander Duyck <alexander.h.duyck@...el.com>, David Miller <davem@...emloft.net>, "Gasparakis, Joseph" <joseph.gasparakis@...el.com>, netdev <netdev@...r.kernel.org>, netdev-owner@...r.kernel.org, pshelar@...ira.com, Stephen Hemminger <shemminger@...tta.com> Subject: Re: Is there a preferred way to get the VXLAN port number? On Wed, Mar 27, 2013 at 12:01 PM, David Stevens <dlstevens@...ibm.com> wrote: > netdev-owner@...r.kernel.org wrote on 03/27/2013 02:32:59 PM: > >> The main think I want to do is keep this simple since I would prefer to >> not build up any infrastructure that will just get in the way. My >> thought for now is to just export a function to allow drivers to fetch >> the port number of VXLAN. The only downside is that it forces the VXLAN >> module to load if a driver comes up with offload support, similar to how >> we have been loading the 8021q module for many of the drivers that >> support VLAN offloads. Hopefully if the fixed port number approach wins >> out we can simplify things by replacing the function call with a static >> define. > > I guess you mean you need to find it within the kernel. > > I think whether or not it remains a single port for the machine, > it would be just silly to make it a fixed port, period. Virtually any > service allows an administrator to specify an alternate port to run a > service on. > I think one of the primary reasons is that you may want to run > more than one instance on the same host (e.g., a sandbox installation > alongside a production installation) -- a capability not there now, > even though you can specify an alternate port now. > But if for whatever reason an adminstrator cares that it uses > a particular port number, even in a single instance, there is no > technical reason to disallow it. It'd be bad to assume all VXLAN > must be on the particular port, and equally bad to assume all traffic > for that port is VXLAN (esp. on a host that is not using VXLAN at all, > but very well may want to use a lot of ports, including 8472). > > I think it ought to be fully general -- different devices may > use different ports and one device may use multiple listeners on different > ports (to split flows for security, load balancing, or whatever). > I'd make it a per-device function interface that gives you a port > list > for that device (e.g., an array and length or count). Right now, all > devices > would return the single module parameter value, but in the future those > ought > to be capable of being entirely distinct lists of ports. Agreed, the likelihood of a single port winning in the foreseeable future seems low and not really consistent with the usage of other L4 ports. Even settling on a single tunneling protocol is unlikely to happen, so I don't think this problem is specific to VXLAN. From a layering perspective, it also seems better to have the protocol implementation tell the driver what to use rather than inferring it the other way around. As far as GRO/RPS, we really want to do this as early in the processing path as possible and not wait until the socket lookup since the more work we do first, the less the benefit. I think the position in the stack for both the hardware and software versions are very analogous. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists