| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 7 Aug 2009 13:17:31 -0700 (PDT) From: david@...g.hm To: "Fischer, Anna" <anna.fischer@...com> cc: Stephen Hemminger <shemminger@...tta.com>, "Paul Congdon (UC Davis)" <ptcongdon@...avis.edu>, "drobbins@...too.org" <drobbins@...too.org>, "'Arnd Bergmann'" <arnd@...db.de>, "herbert@...dor.apana.org.au" <herbert@...dor.apana.org.au>, "mst@...hat.com" <mst@...hat.com>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "bridge@...ts.linux-foundation.org" <bridge@...ts.linux-foundation.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "ogerlitz@...taire.com" <ogerlitz@...taire.com>, "evb@...oogroups.com" <evb@...oogroups.com>, "davem@...emloft.net" <davem@...emloft.net> Subject: RE: [Bridge] [PATCH] macvlan: add tap device backend On Fri, 7 Aug 2009, Fischer, Anna wrote: > Subject: RE: [Bridge] [PATCH] macvlan: add tap device backend > >> Subject: Re: [Bridge] [PATCH] macvlan: add tap device backend >> >> On Fri, 7 Aug 2009 12:10:07 -0700 >> "Paul Congdon \(UC Davis\)" <ptcongdon@...avis.edu> wrote: >> >>> Responding to Daniel's questions... >>> >>>> I have some general questions about the intended use and benefits >> of >>>> VEPA, from an IT perspective: >>>> >>>> In which virtual machine setups and technologies do you forsee this >>>> interface being used? >>> >>> The benefit of VEPA is the coordination and unification with the >> external network switch. So, in environments where you are >> needing/wanting your feature rich, wire speed, external network device >> (firewall/switch/IPS/content-filter) to provide consistent policy >> enforcement, and you want your VMs traffic to be subject to that >> enforcement, you will want their traffic directed externally. Perhaps >> you have some VMs that are on a DMZ or clustering an application or >> implementing a multi-tier application where you would normally place a >> firewall in-between the tiers. >> >> I do have to raise the point that Linux is perfectly capable of keeping >> up without >> the need of an external switch. Whether you want policy external or >> internal is >> a architecture decision that should not be driven by mis-information >> about performance. > > VEPA is not only about enabling faster packet processing (like firewall/switch/IPS/content-filter etc) by doing this on the external switch. > > Due to rather low performance of software-based I/O virtualization approaches a lot of effort has recently been going into hardware-based implementations of virtual network interfaces like SRIOV NICs provide. Without VEPA, such a NIC would have to implement sophisticated virtual switching capabilities. VEPA however is very simple and therefore perfectly suited for a hardware-based implementation. So in the future, it will give you direct I/O like performance and all the capabilities your adjacent switch provides. > the performance overhead isn't from switching the packets, it's from running the firewall/IDS/etc software on the same system. with VEPA the communications from one VM to another VM running on the same host will be forced to go out the interface to the datacenter switching fabric. The overall performance of the network link will be slightly slower, but it allows for other devices to be inserted into the path. this is something that I would want available if I were to start using VMs for things. I don't want to have to duplicate my IDS/firewalling functions within each host system as well as having them as part of the switching fabric. David Lang -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists