From owner-freebsd-net@FreeBSD.ORG Wed Aug 10 13:30:39 2005 Return-Path: <owner-freebsd-net@FreeBSD.ORG> X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 46C3016A420; Wed, 10 Aug 2005 13:30:39 +0000 (GMT) (envelope-from ck-lists@cksoft.de) Received: from mx11.cksoft.de (mx11.cksoft.de [62.111.66.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id CAB5443D46; Wed, 10 Aug 2005 13:30:37 +0000 (GMT) (envelope-from ck-lists@cksoft.de) Received: from vesihiisi.cksoft.de (unknown [192.168.64.10]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by mx12.cksoft.de (Postfix) with ESMTP id 407E0B85B; Wed, 10 Aug 2005 15:30:38 +0200 (CEST) Received: from vesihiisi.cksoft.de (localhost [127.0.0.1]) by vesihiisi.cksoft.de (Postfix) with ESMTP id 36A0E1EB5; Wed, 10 Aug 2005 15:30:36 +0200 (CEST) Received: by vesihiisi.cksoft.de (Postfix, from userid 1000) id 0EDB21EAC; Wed, 10 Aug 2005 15:30:33 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by vesihiisi.cksoft.de (Postfix) with ESMTP id 0CFDB1EAB; Wed, 10 Aug 2005 15:30:33 +0200 (CEST) Date: Wed, 10 Aug 2005 15:30:32 +0200 (CEST) From: Christian Kratzer <ck-lists@cksoft.de> X-X-Sender: ck@vesihiisi.cksoft.de To: Andre Oppermann <andre@freebsd.org> In-Reply-To: <42F9F9BF.879994D2@freebsd.org> Message-ID: <20050810151547.X97974@vesihiisi.cksoft.de> References: <1123040973.95445.TMDA@seddon.ca> <200508091104.06572.zec@icir.org> <42F8A487.67183CA6@freebsd.org> <200508091737.32391.zec@icir.org> <42F8D8ED.11A196FC@freebsd.org> <20050809211537.GX45385@obiwan.tataz.chchile.org> <42F9E1FB.3ECF023E@freebsd.org> <20050810144407.F97974@vesihiisi.cksoft.de> <42F9F9BF.879994D2@freebsd.org> X-Spammer-Kill-Ratio: 75% MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Virus-Scanned: by AMaViS cksoft-s20020300-20031204bz on vesihiisi.cksoft.de Cc: freebsd-net@freebsd.org, Marko Zec <zec@icir.org>, Jeremie Le Hen <jeremie@le-hen.org> Subject: Re: Stack virtualization (was: running out of mbufs?) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Christian Kratzer <ck@cksoft.de> List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org> List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>, <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe> List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net> List-Post: <mailto:freebsd-net@freebsd.org> List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help> List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>, <mailto:freebsd-net-request@freebsd.org?subject=subscribe> X-List-Received-Date: Wed, 10 Aug 2005 13:30:39 -0000 Hi, On Wed, 10 Aug 2005, Andre Oppermann wrote: > Christian Kratzer wrote: >> please consider that routing is not everything. > > Routing is the primary scope of my IP work. It doesn't preclude Marko's > approach from being implemented and working as it does for 4.11. I fully understand that you mostly focus on your primary goals especially now that you have specific funding for that. >> Marcos patch as I understand it, also addresses the application of having >> clean and separate ip stacks in each jail. The current jail implementation >> has to use ugly hacks to give correct semantics to things like INADDR_ANY. >> >> We also currently do not have a clean way of associating multiple ipv4 >> addresses to jail and having correct sematics for INADDR_ANY. > > The problem with jails is that they are based on an IP address instead > of a (virtual) interface. I think interface groups and virtual interfaces > can help here a lot. Yes the current implementation is like that which is quite hackish. As I read Marcos comments and his FAQ his patch only bind sockets to ip stacks and sockets to processes and thus jails. >> And of course IPv6 for jails is something that could propably be solved >> in a very clean way using virtual ip stacks as in Marcos patch. > > I'll cook something up that uses interface groups and then you can judge > whether it meets you needs or not. It would be more lightwigth than having > a full network stack per jail. Yes I can imagine Interface groups coming in handy in firewall setups. You will propably not be able to provide clean semantics for INADDR_ANY with anything but a dedicated virtual stack. A full network stack per jail provides the same semantics as in an environment without jails and all the security of clean separation. A little overhead for security is something I am very willing to pay ;) >> For above reasons I would prefer a clean implementation of full network >> stack virtualisation to something that justs adds names to interfaces. > > Be my guest. For my funded work this is out of scope. I understand that. My only concern is that we will somehow close the door on full network stack virtualisation coming to freebsd. Looking forward to your paper. Greetings Christian -- Christian Kratzer ck@cksoft.de CK Software GmbH http://www.cksoft.de/ Phone: +49 7452 889 135 Fax: +49 7452 889 136