From owner-freebsd-net@FreeBSD.ORG  Wed Aug 10 13:30:39 2005
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 46C3016A420;
	Wed, 10 Aug 2005 13:30:39 +0000 (GMT)
	(envelope-from ck-lists@cksoft.de)
Received: from mx11.cksoft.de (mx11.cksoft.de [62.111.66.11])
	by mx1.FreeBSD.org (Postfix) with ESMTP id CAB5443D46;
	Wed, 10 Aug 2005 13:30:37 +0000 (GMT)
	(envelope-from ck-lists@cksoft.de)
Received: from vesihiisi.cksoft.de (unknown [192.168.64.10])
	(using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
	(No client certificate requested)
	by mx12.cksoft.de (Postfix) with ESMTP id 407E0B85B;
	Wed, 10 Aug 2005 15:30:38 +0200 (CEST)
Received: from vesihiisi.cksoft.de (localhost [127.0.0.1])
	by vesihiisi.cksoft.de (Postfix) with ESMTP
	id 36A0E1EB5; Wed, 10 Aug 2005 15:30:36 +0200 (CEST)
Received: by vesihiisi.cksoft.de (Postfix, from userid 1000)
	id 0EDB21EAC; Wed, 10 Aug 2005 15:30:33 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by vesihiisi.cksoft.de (Postfix) with ESMTP
	id 0CFDB1EAB; Wed, 10 Aug 2005 15:30:33 +0200 (CEST)
Date: Wed, 10 Aug 2005 15:30:32 +0200 (CEST)
From: Christian Kratzer <ck-lists@cksoft.de>
X-X-Sender: ck@vesihiisi.cksoft.de
To: Andre Oppermann <andre@freebsd.org>
In-Reply-To: <42F9F9BF.879994D2@freebsd.org>
Message-ID: <20050810151547.X97974@vesihiisi.cksoft.de>
References: <1123040973.95445.TMDA@seddon.ca> <200508091104.06572.zec@icir.org>
	<42F8A487.67183CA6@freebsd.org> <200508091737.32391.zec@icir.org>
	<42F8D8ED.11A196FC@freebsd.org>
	<20050809211537.GX45385@obiwan.tataz.chchile.org>
	<42F9E1FB.3ECF023E@freebsd.org>
	<20050810144407.F97974@vesihiisi.cksoft.de>
	<42F9F9BF.879994D2@freebsd.org>
X-Spammer-Kill-Ratio: 75%
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Virus-Scanned: by AMaViS cksoft-s20020300-20031204bz on vesihiisi.cksoft.de
Cc: freebsd-net@freebsd.org, Marko Zec <zec@icir.org>,
	Jeremie Le Hen <jeremie@le-hen.org>
Subject: Re: Stack virtualization (was: running out of mbufs?)
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Christian Kratzer <ck@cksoft.de>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Aug 2005 13:30:39 -0000

Hi,

On Wed, 10 Aug 2005, Andre Oppermann wrote:

> Christian Kratzer wrote:
>> please consider that routing is not everything.
>
> Routing is the primary scope of my IP work.  It doesn't preclude Marko's
> approach from being implemented and working as it does for 4.11.

I fully understand that you mostly focus on your primary goals especially
now that you have specific funding for that.

>> Marko's patch, as I understand it, also addresses the application of having
>> clean and separate IP stacks in each jail.  The current jail implementation
>> has to use ugly hacks to give correct semantics to things like INADDR_ANY.
>>
>> We also currently do not have a clean way of associating multiple IPv4
>> addresses with a jail and having correct semantics for INADDR_ANY.
>
> The problem with jails is that they are based on an IP address instead
> of a (virtual) interface.  I think interface groups and virtual interfaces
> can help here a lot.

Yes, the current implementation is like that, which is quite hackish.

As I read Marko's comments and his FAQ, his patch only binds sockets to
IP stacks and sockets to processes, and thus to jails.

>> And of course IPv6 for jails is something that could probably be solved
>> in a very clean way using virtual IP stacks as in Marko's patch.
>
> I'll cook something up that uses interface groups and then you can judge
> whether it meets your needs or not.  It would be more lightweight than having
> a full network stack per jail.

Yes, I can imagine interface groups coming in handy in firewall setups.
You will probably not be able to provide clean semantics for INADDR_ANY with
anything but a dedicated virtual stack.

A full network stack per jail provides the same semantics as in an
environment without jails and all the security of clean separation.
A little overhead for security is something I am very willing to pay ;)

>> For the above reasons I would prefer a clean implementation of full network
>> stack virtualisation to something that just adds names to interfaces.
>
> Be my guest.  For my funded work this is out of scope.

I understand that.  My only concern is that we will somehow close the
door on full network stack virtualisation coming to FreeBSD.

Looking forward to your paper.

Greetings
Christian

-- 
Christian Kratzer                       ck@cksoft.de
CK Software GmbH                        http://www.cksoft.de/
Phone: +49 7452 889 135                 Fax: +49 7452 889 136
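The INADDR_ANY semantics discussed above can be checked empirically from inside a jail: bind a socket to the wildcard address and ask the kernel, via getsockname(2), which address it actually recorded. In a single-IP jail that shares the host's stack the wildcard is rewritten to the jail's address (the "hack" the thread refers to); outside a jail, or in a jail with its own virtual stack, it stays 0.0.0.0. The program below is an added example for this purpose and is not part of the mail, of Marko's patch, or of FreeBSD; the function names probe_inaddr_any and wildcard_preserved are my own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to INADDR_ANY on an ephemeral port and report the
 * address and port the kernel actually recorded for it.
 * Returns 0 on success, -1 on any socket/bind/getsockname failure. */
int probe_inaddr_any(char *addr_out, size_t addr_len, unsigned short *port_out)
{
    struct sockaddr_in want, got;
    socklen_t len = sizeof got;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&want, 0, sizeof want);
    want.sin_family = AF_INET;
    want.sin_addr.s_addr = htonl(INADDR_ANY);   /* the wildcard: 0.0.0.0 */
    want.sin_port = 0;                          /* let the kernel pick a port */
    if (bind(fd, (struct sockaddr *)&want, sizeof want) < 0) {
        close(fd);
        return -1;
    }
    /* Ask the kernel what the socket is really bound to. */
    if (getsockname(fd, (struct sockaddr *)&got, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    if (inet_ntop(AF_INET, &got.sin_addr, addr_out, addr_len) == NULL)
        return -1;
    *port_out = ntohs(got.sin_port);
    return 0;
}

/* Returns 1 when the kernel left the wildcard in place (separate stack or
 * no jail), 0 when it was rewritten to a specific address (the single-IP
 * jail behaviour described in the thread), -1 on error. */
int wildcard_preserved(void)
{
    char addr[INET_ADDRSTRLEN];
    unsigned short port;
    if (probe_inaddr_any(addr, sizeof addr, &port) != 0)
        return -1;
    return strcmp(addr, "0.0.0.0") == 0 ? 1 : 0;
}

int main(void)
{
    char addr[INET_ADDRSTRLEN];
    unsigned short port;
    if (probe_inaddr_any(addr, sizeof addr, &port) != 0) {
        perror("probe_inaddr_any");
        return 1;
    }
    printf("bound INADDR_ANY -> %s:%u\n", addr, port);
    printf("wildcard %s\n", wildcard_preserved() == 1 ? "preserved" : "rewritten");
    return 0;
}
```

Run it once on the host and once inside the jail: a "rewritten" result tells you the jail is confined by address substitution rather than by a stack of its own, which is exactly the case where a listener that assumes wildcard semantics (e.g. a daemon that later compares peer or local addresses against 0.0.0.0) behaves differently than it would unjailed.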