From owner-freebsd-net@FreeBSD.ORG Mon May 26 09:45:11 2003
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DF9B837B401; Mon, 26 May 2003 09:45:11 -0700 (PDT)
Received: from premijer.tel.fer.hr (premijer.tel.fer.hr [161.53.19.221]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1249143F93; Mon, 26 May 2003 09:45:11 -0700 (PDT) (envelope-from zec@tel.fer.hr)
Received: from tel.fer.hr (unknown [161.53.243.135]) by premijer.tel.fer.hr (Postfix) with ESMTP id 802151404; Mon, 26 May 2003 18:44:50 +0200 (MET DST)
Message-ID: <3ED2448D.88E08DBB@tel.fer.hr>
Date: Mon, 26 May 2003 18:45:01 +0200
From: Marko Zec
X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Vincent Jardin
References: <3ED14BF3.139CAC32@tel.fer.hr> <200305260857.26994.vjardin@wanadoo.fr>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: hackers@freebsd.org
cc: riccardo.scandariato@polito.it
cc: net@freebsd.org
Subject: Re: Network stack cloning / virtualization patches
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 26 May 2003 16:45:12 -0000

Vincent Jardin wrote:

> Since the last EuroBSD 2002 conference, there are 2 architectures to support
> VPNs with FreeBSD: your patch and the Riccardo Scandariato one
> (http://softeng.polito.it/freebsd/) that is very good too.
>
> From a VPN point of view, how could both projects be compared?
> Do you think that both projects could be merged or are there too many
> differences between your two projects?

Riccardo's VPN patches were designed specifically for supporting VPNs by basically virtualizing only the IP routing tables.
The network stack cloning model is more generic, as it doesn't stop at the virtualization of the routing tables, but rather also provides multiple independent network interface lists, inbound queues, hash & PCB tables, IPFW rulesets, sysctl tunables, traffic counters / statistics etc. But the basic implementation idea and the motivation is quite similar for both frameworks, and they can both support IP-tunnel based overlay VPNs with overlapping addressing spaces.

From the userland API perspective the two approaches are slightly different. Riccardo's patches extended the socket API, so that the applications which need to operate on virtualized routing tables also have to be modified and recompiled. My model provides a single management utility which can be used to spawn new processes bound to a specific network stack instance. Once the processes are assigned to a network stack, all existing userland applications and utilities can operate on that stack without any modifications.

Although the two described approaches might seem to follow fundamentally different ideas, IMO both frameworks could be easily modified to adopt the userland API convention of the other, if necessary.

Marko
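The two design points Marko contrasts above (per-instance routing tables that may carry overlapping address spaces, and processes that are bound once to a stack instance rather than naming a table on every call) can be shown in a small model. The following C program is an added illustration written for this page; it is not code from Marko's stack cloning patches nor from Riccardo Scandariato's VPN patches, and the struct names (`netstack`, `proc`, `vnet` pointer), the `demo_lookup` helper and all addresses are constructed assumptions. Only the routing table is modelled; the other per-instance state listed in the mail (interface lists, PCB tables, IPFW rulesets) would hang off the same `struct netstack` in the same way.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_ROUTES 8

/* One IPv4 route: destination prefix, prefix length, next hop (host byte order). */
struct route {
    uint32_t dst;
    uint8_t plen;
    uint32_t nexthop;
};

/* Per-instance network stack state (assumed model). Only the routing table is
 * modelled here; interface lists, PCB tables and firewall rules would be
 * further members of this struct, one copy per instance. */
struct netstack {
    const char *name;
    struct route routes[MAX_ROUTES];
    int nroutes;
};

/* A process carries a pointer to the stack instance it was bound to when it was
 * spawned; it never names a table itself (assumed binding model). */
struct proc {
    const char *comm;
    struct netstack *vnet;
};

static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Netmask for a prefix length; plen 0 (default route) matches everything. */
static uint32_t plen_mask(uint8_t plen)
{
    return plen == 0 ? 0 : 0xffffffffu << (32 - plen);
}

/* Install a route into one instance. Returns -1 on a full table or bad prefix length. */
int add_route(struct netstack *ns, uint32_t dst, uint8_t plen, uint32_t nexthop)
{
    if (ns->nroutes >= MAX_ROUTES || plen > 32)
        return -1;
    ns->routes[ns->nroutes].dst = dst & plen_mask(plen);
    ns->routes[ns->nroutes].plen = plen;
    ns->routes[ns->nroutes].nexthop = nexthop;
    ns->nroutes++;
    return 0;
}

/* Longest-prefix match within a single instance. Returns 0 when nothing matches. */
uint32_t route_lookup(const struct netstack *ns, uint32_t dst)
{
    int best = -1;
    for (int i = 0; i < ns->nroutes; i++) {
        const struct route *r = &ns->routes[i];
        if ((dst & plen_mask(r->plen)) != r->dst)
            continue;
        if (best < 0 || r->plen > ns->routes[best].plen)
            best = i;
    }
    return best < 0 ? 0 : ns->routes[best].nexthop;
}

/* The lookup is steered entirely by the process's binding: unmodified code
 * calling this sees only the tables of its own instance. */
uint32_t proc_route_lookup(const struct proc *p, uint32_t dst)
{
    return route_lookup(p->vnet, dst);
}

/* Constructed demo: two instances that both carry 10.0.0.0/8 with different next hops. */
static struct netstack vnet0 = { .name = "vnet0" };
static struct netstack vnet1 = { .name = "vnet1" };
static struct proc procs[2] = { { "routed-a", &vnet0 }, { "routed-b", &vnet1 } };

static void demo_setup(void)
{
    static int done;
    if (done)
        return;
    done = 1;
    add_route(&vnet0, ip4(10, 0, 0, 0), 8, ip4(192, 168, 0, 1));
    add_route(&vnet1, ip4(10, 0, 0, 0), 8, ip4(172, 16, 0, 1));
    add_route(&vnet1, ip4(10, 1, 200, 0), 24, ip4(172, 16, 0, 2)); /* more specific, vnet1 only */
    add_route(&vnet1, 0, 0, ip4(172, 16, 0, 254));                  /* default route, vnet1 only */
}

/* Resolve dst on behalf of demo process idx (0 or 1). */
uint32_t demo_lookup(int idx, uint32_t dst)
{
    demo_setup();
    return proc_route_lookup(&procs[idx], dst);
}

int main(void)
{
    uint32_t dst = ip4(10, 1, 2, 3);
    for (int i = 0; i < 2; i++) {
        uint32_t nh = demo_lookup(i, dst);
        printf("%s (%s): 10.1.2.3 via %u.%u.%u.%u\n", procs[i].comm, procs[i].vnet->name,
               nh >> 24, (nh >> 16) & 255, (nh >> 8) & 255, nh & 255);
    }
    return 0;
}
```

The same destination, 10.1.2.3, resolves to a different next hop for each process purely because of which instance the process was bound to, which is what lets two overlay VPNs reuse the same private address range on one host. The default route installed only in `vnet1` also shows that a missing route in one instance is not filled in from another: isolation of the lookup is what makes the overlap safe.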