Date:   Wed, 13 Nov 2019 14:40:49 +0200
From:   Vladimir Oltean <olteanv@...il.com>
To:     netdev <netdev@...r.kernel.org>
Subject: Offloading DSA taggers to hardware

DSA is all about pairing any tagging-capable (or at least VLAN-capable) switch
to any NIC, and the software stack creates N "virtual" net devices, each
representing a switch port, with I/O capabilities based on the metadata present
in the frame. It all looks like an hourglass:

  switch           switch           switch           switch           switch
net_device       net_device       net_device       net_device       net_device
     |                |                |                |                |
     |                |                |                |                |
     |                |                |                |                |
     +----------------+----------------+----------------+----------------+
                                       |
                                       |
                                  DSA master
                                  net_device
                                       |
                                       |
                                  DSA master
                                      NIC
                                       |
                                    switch
                                   CPU port
                                       |
                                       |
     +----------------+----------------+----------------+----------------+
     |                |                |                |                |
     |                |                |                |                |
     |                |                |                |                |
  switch           switch           switch           switch           switch
   port             port             port             port             port


But the process by which the stack:
- Parses the frame on receive, decodes the DSA tag and redirects the frame from
  the DSA master net_device to a switch net_device based on the source port,
  then removes the DSA tag from the frame and recalculates checksums as
  appropriate
- Adds the DSA tag on xmit, then redirects the frame from the "virtual" switch
  net_device to the real DSA master net_device

can be optimized, if the DSA master NIC supports this. Let's say there is a
fictional NIC that has a programmable hardware parser and the ability to
perform frame manipulation (insert, extract a tag). Such a NIC could be
programmed to do a better job adding/removing the DSA tag, as well as
masquerading skb->dev based on the parser meta-data. In addition, there would
be a net benefit for QoS, which as a consequence of the DSA model, cannot be
really end-to-end: a frame classified to a high-priority traffic class by the
switch may be treated as best-effort by the DSA master, due to the fact that it
doesn't really parse the DSA tag (the traffic class, in this case).

I think the DSA hotpath would still need to be involved, but instead of calling
the tagger's xmit/rcv it would need to call a newly introduced ndo that
offloads this operation.

Is there any hardware out there that can do this? Is it desirable to see
something like this in DSA?

Regards,
-Vladimir
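
The receive and transmit steps listed in the message, as an added example that is not part of the original post and is not kernel code: a software tagger for a hypothetical 4-byte tag (marker `0xD5A0`, one port byte, one traffic-class byte) placed after the source MAC. The tag layout and every name below are assumptions, and checksum adjustment is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAG_OFF   12      /* tag sits right after dst MAC + src MAC */
#define TAG_LEN   4
#define TAG_MAGIC 0xD5A0u /* constructed marker, not a real tag format */
#define NUM_PORTS 5       /* five switch ports, as in the diagram */

struct tag_meta { uint8_t port; uint8_t tc; }; /* switch port, traffic class */

/* Receive: validate and decode the tag, then strip it.
 * Returns the new frame length, or -1 if the frame must be dropped. */
int tag_rcv(uint8_t *frame, size_t len, struct tag_meta *m)
{
    if (len < TAG_OFF + TAG_LEN + 2)        /* MACs + tag + EtherType */
        return -1;
    const uint8_t *t = frame + TAG_OFF;
    if (((t[0] << 8) | t[1]) != TAG_MAGIC || t[2] >= NUM_PORTS || t[3] > 7)
        return -1;                          /* never index a port from a bad tag */
    m->port = t[2];                         /* selects the switch net_device */
    m->tc = t[3];                           /* what a tag-aware master could use for QoS */
    memmove(frame + TAG_OFF, t + TAG_LEN, len - TAG_OFF - TAG_LEN);
    return (int)(len - TAG_LEN);
}

/* Transmit: open a 4-byte gap after the MACs and write the tag into it.
 * cap is the buffer capacity. Returns the new length, or -1 on error. */
int tag_xmit(uint8_t *frame, size_t len, size_t cap, const struct tag_meta *m)
{
    if (len < TAG_OFF + 2 || len + TAG_LEN > cap || m->port >= NUM_PORTS || m->tc > 7)
        return -1;
    memmove(frame + TAG_OFF + TAG_LEN, frame + TAG_OFF, len - TAG_OFF);
    frame[TAG_OFF]     = TAG_MAGIC >> 8;
    frame[TAG_OFF + 1] = TAG_MAGIC & 0xff;
    frame[TAG_OFF + 2] = m->port;
    frame[TAG_OFF + 3] = m->tc;
    return (int)(len + TAG_LEN);
}

/* Constructed frame: dst MAC, src MAC, EtherType 0x0800, two payload bytes. */
int demo_roundtrip(void)
{
    uint8_t buf[64] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00, 0xAA,0xBB };
    struct tag_meta tx = { .port = 3, .tc = 5 }, rx = { 0, 0 };
    int n = tag_xmit(buf, 16, sizeof(buf), &tx);    /* 16 -> 20 bytes */
    n = tag_rcv(buf, (size_t)n, &rx);               /* 20 -> 16 bytes */
    return (n == 16 && buf[12] == 0x08 && buf[15] == 0xBB) ? rx.port * 10 + rx.tc : -1;
}
```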
