| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150828102042.GF32206@pox.localdomain> Date: Fri, 28 Aug 2015 12:20:42 +0200 From: Thomas Graf <tgraf@...g.ch> To: Tom Herbert <tom@...bertland.com> Cc: Jiri Benc <jbenc@...hat.com>, David Miller <davem@...emloft.net>, Linux Kernel Network Developers <netdev@...r.kernel.org> Subject: Re: [PATCH net-next] route: fix breakage after moving lwtunnel state On 08/27/15 at 02:20pm, Tom Herbert wrote: > I'm doing: > > ip route add 3333:0:0:1:5555:0:2:0/128 encap ila 2001:0:0:2 via > 2401:db00:20:911a:face:0:27:0 > > so that 2401:db00:20:911a:face:0:27:0 is the next hop route for > destination 2001:0:0:2:5555:0:2:0. The dst_output for lwt just calls > the original dest_output after transforming the packet without the use > of any additional routes. So in this way ILA LWT is just acting as a > "pass-through" packet transformation mechanism. Such a model might > have additional utility: LWT occurs before iptables so that iptables > sees the translated or encapsulated packet (davem mentioned this is > probably what we want), we may want to defer translation until IP > fragmentation (Roopa mentioned she needs this for MPLS). > > > The IP metadata encap at FIB level is currently encap agnostic > > and requires an intermediate encap device which then defines the > > actual encap protocol: > > > > ip route overlay/prefix encap ip dst 10.1.1.1 dev vxlan0 > > ip route 10.1.1.1/prefix dev eth0 > > > But then your outputting through another device, multiple routes are > involved, performance drops :-( What not just set the route through > VXLAN in that case? The problem with having a single route is that it doesn't allow to separate management of overlay and underlay. It is common to manage the underlay with Quagga, bird or even static routes and defer the overlay to Neutron or a fancy container orchestration system. Caching of the 10.1.1.1 nexthop route in the overlay route would essentially lead to the same behaviour without requiring to hardcode the nexthop. I should have patches to demonstrate this in a bit. > > I like it because we don't have to embed all the options as metadata > > and can still set the through the device. An option would also be > > to allow for both and add the following alternative: > > > > ip route overlay/prefix encap ip type vxlan dst 10.1.1.1 dev eth0 > > Better, we should be able to send encapsulated packets with needing a device. Why is the device itself bad? I understand that we want to minimize overhead but why is a single logical device to keep common config and stats undesirable? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists