* [discuss] Re: Flushing ippools
From: d @ 2024-09-30 18:52 UTC (permalink / raw)
To: discuss
(oops, my system doesn't respond correctly to list messages)
From what I've learned, Oxide's OPTE system isn't really a replacement
for ipf, although it could provide incredible features and benefits, or
some of the internals may apply.
If I'm understanding Oxide's system correctly, OPTE lets Oxide's bespoke
Intel Tofino hardware, or a software emulator encapsulate all traffic
destined for a machine in an ipv6 packet. They then route the packet in
their network using ipv6 routing which seems to provide extremely
efficient routing, or re-directing if necessary when a vm migrates.
I'm a little cloudy on this, but they may have developed a firewall
scheme that will share any firewall processing beyond what the Intel
Tofino can handle between many machines rather than having the
destination machine need to handle all of it.
Finally, the packets that make it through the firewall arrive at an OPTE
thread on each vm, where the packet escapes its encapsulation, and is
passed to the system/vm.
The best overview I could quickly find detailing their networking scheme
is here:
https://rfd.shared.oxide.computer/rfd/0021
------------------------------------------
illumos: illumos-discuss
Permalink: https://illumos.topicbox.com/groups/discuss/T0a8179388427922c-M9b72a0d98f4e993e94fa9486
Delivery options: https://illumos.topicbox.com/groups/discuss/subscription
* Re: [discuss] Re: Flushing ippools
From: Till Wegmüller @ 2024-10-01 14:19 UTC (permalink / raw)
To: discuss
OPTE, as the name implies, is an engine. It does what you say, but more can
be implemented with it depending on your p4 rules and scheme. The same way
as IPF has a filter rule engine, OPTE has a transformation engine. I
think the scheme you mentioned is the Microsoft VPC paper they
implemented inside OPTE. Somebody from Oxide would need to chip in with
the details on how well researched this is though :)
As to performance, XDP is also in the Oxide trees, which may be
independent from opte, but I haven't managed to look into its details.
-Till
On 30.09.24 20:52, d wrote:
> (oops, my system doesn't respond correctly to list messages)
>
> From what I've learned, Oxide's OPTE system isn't really a replacement
> for ipf, although it could provide incredible features and benefits, or
> some of the internals may apply.
>
> If I'm understanding Oxide's system correctly, OPTE lets Oxide's bespoke
> Intel Tofino hardware, or a software emulator encapsulate all traffic
> destined for a machine in an ipv6 packet. They then route the packet in
> their network using ipv6 routing which seems to provide extremely
> efficient routing, or re-directing if necessary when a vm migrates.
>
> I'm a little cloudy on this, but they may have developed a firewall
> scheme that will share any firewall processing beyond what the Intel
> Tofino can handle between many machines rather than having the
> destination machine need to handle all of it.
>
> Finally, the packets that make it through the firewall arrive at an OPTE
> thread on each vm, where the packet escapes its encapsulation, and is
> passed to the system/vm.
>
> The best overview I could quickly find detailing their networking scheme
> is here:
>
> https://rfd.shared.oxide.computer/rfd/0021
Permalink: https://illumos.topicbox.com/groups/discuss/T0a8179388427922c-Mbef56ab3ea8aabf5e3a497c4