public inbox for discuss@lists.illumos.org (since 2011-08)
* [discuss] Re: Flushing ippools
@ 2024-09-30 18:52 d
  2024-10-01 14:19 ` Till Wegmüller
  0 siblings, 1 reply; 2+ messages in thread
From: d @ 2024-09-30 18:52 UTC (permalink / raw)
  To: discuss

(oops, my system doesn't respond correctly to list messages)

From what I've learned, Oxide's OPTE system isn't really a replacement 
for ipf, although it could provide incredible features and benefits, or 
some of the internals may apply.

If I'm understanding Oxide's system correctly, OPTE lets Oxide's bespoke 
Intel Tofino hardware, or a software emulator, encapsulate all traffic 
destined for a machine in an IPv6 packet. They then route the packet in 
their network using IPv6 routing, which seems to provide extremely 
efficient routing, or redirecting if necessary when a VM migrates.

I'm a little cloudy on this, but they may have developed a firewall 
scheme that will share any firewall processing beyond what the Intel 
Tofino can handle between many machines, rather than having the 
destination machine need to handle all of it.

Finally, the packets that make it through the firewall arrive at an OPTE 
thread on each VM, where the packet escapes its encapsulation and is 
passed to the system/VM.

The best overview I could quickly find detailing their networking scheme 
is here:

https://rfd.shared.oxide.computer/rfd/0021

------------------------------------------
illumos: illumos-discuss
Permalink: https://illumos.topicbox.com/groups/discuss/T0a8179388427922c-M9b72a0d98f4e993e94fa9486
Delivery options: https://illumos.topicbox.com/groups/discuss/subscription


* Re: [discuss] Re: Flushing ippools
  2024-09-30 18:52 [discuss] Re: Flushing ippools d
@ 2024-10-01 14:19 ` Till Wegmüller
  0 siblings, 0 replies; 2+ messages in thread
From: Till Wegmüller @ 2024-10-01 14:19 UTC (permalink / raw)
  To: discuss

OPTE, as the name implies, is an engine. It does what you say, but more can 
be implemented with it depending on your P4 rules and scheme. In the same way 
as IPF has a filter rule engine, OPTE has a transformation engine. I 
think the scheme you mentioned is the Microsoft VPC paper they 
implemented inside OPTE. Somebody from Oxide would need to chip in with 
the details on how well researched this is, though :)

As to performance, XDP is also in the Oxide trees, which may be 
independent from OPTE, but I haven't managed to look into its details.

-Till

On 30.09.24 20:52, d wrote:
> (oops, my system doesn't respond correctly to list messages)
> 
> From what I've learned, Oxide's OPTE system isn't really a replacement
> for ipf, although it could provide incredible features and benefits, or
> some of the internals may apply.
> 
> If I'm understanding Oxide's system correctly, OPTE lets Oxide's bespoke
> Intel Tofino hardware, or a software emulator, encapsulate all traffic
> destined for a machine in an IPv6 packet. They then route the packet in
> their network using IPv6 routing, which seems to provide extremely
> efficient routing, or redirecting if necessary when a VM migrates.
> 
> I'm a little cloudy on this, but they may have developed a firewall
> scheme that will share any firewall processing beyond what the Intel
> Tofino can handle between many machines, rather than having the
> destination machine need to handle all of it.
> 
> Finally, the packets that make it through the firewall arrive at an OPTE
> thread on each VM, where the packet escapes its encapsulation and is
> passed to the system/VM.
> 
> The best overview I could quickly find detailing their networking scheme
> is here:
> 
> https://rfd.shared.oxide.computer/rfd/0021

------------------------------------------
illumos: illumos-discuss
Permalink: https://illumos.topicbox.com/groups/discuss/T0a8179388427922c-Mbef56ab3ea8aabf5e3a497c4
Delivery options: https://illumos.topicbox.com/groups/discuss/subscription
