From: Hannes Frederic Sowa <hannes@redhat.com>
To: Tom Herbert <tom@herbertland.com>,
Alexander Duyck <alexander.duyck@gmail.com>
Cc: Edward Cree <ecree@solarflare.com>,
David Miller <davem@davemloft.net>,
Alex Duyck <aduyck@mirantis.com>, Netdev <netdev@vger.kernel.org>,
intel-wired-lan <intel-wired-lan@lists.osuosl.org>,
Jesse Gross <jesse@kernel.org>,
Eugenia Emantayev <eugenia@mellanox.com>,
Jiri Benc <jbenc@redhat.com>,
Saeed Mahameed <saeedm@mellanox.com>,
Ariel Elior <ariel.elior@qlogic.com>,
Michael Chan <michael.chan@broadcom.com>,
Dept-GELinuxNICDev@qlogic.com
Subject: Re: [net-next PATCH v3 00/17] Future-proof tunnel offload handlers
Date: Tue, 21 Jun 2016 14:34:35 -0700 [thread overview]
Message-ID: <e0bf4896-d394-b1d0-1a0d-4affc3b0df4a@redhat.com> (raw)
In-Reply-To: <CALx6S34EXpxA5fs+HDUczMHaAD5q_yQMRVvwhCbSJCBO8_PRuQ@mail.gmail.com>
On 21.06.2016 11:42, Tom Herbert wrote:
>> > There is also some argument to be had for theory versus application.
>> > Arguably it is the customers that are leading to some of the dirty
>> > hacks as I think vendors are building NICs based on customer use cases
>> > versus following any specifications. In most data centers the tunnel
>> > underlays will be deployed throughout the network and UDP will likely
>> > be blocked for anything that isn't being used explicitly for
>> > tunneling. As such we seem to be seeing a lot of NICs that are only
>> > supporting one port for things like this instead of designing them to
>> > handle whatever we can throw at them.
>> >
> Actually, I don't believe that's true. It is not typical to deploy
> firewalls within a data center fabric, and nor do we restrict
> applications from binding to any UDP ports and they can pretty much
> transmit to any port on any host without cost using an unconnected UDP
> socket. I think it's more likely that NIC (and switch vendors) simply
> assumed that port numbers can be treated as global values. That's
> expedient and at small scale we can probably get away with it, but at
> large scale this will eventually bite someone.
I do have access to relatively normal expensive switches that can
basically be used to realize a scenario like the one Alex described. No
firewalls necessary. If you can guarantee that your customers never have
access to your hypervisors or container management namespace, this is
actually a pretty solid assumption.
Bye,
Hannes
WARNING: multiple messages have this Message-ID (diff)
From: Hannes Frederic Sowa <hannes@redhat.com>
To: intel-wired-lan@osuosl.org
Subject: [Intel-wired-lan] [net-next PATCH v3 00/17] Future-proof tunnel offload handlers
Date: Tue, 21 Jun 2016 14:34:35 -0700 [thread overview]
Message-ID: <e0bf4896-d394-b1d0-1a0d-4affc3b0df4a@redhat.com> (raw)
In-Reply-To: <CALx6S34EXpxA5fs+HDUczMHaAD5q_yQMRVvwhCbSJCBO8_PRuQ@mail.gmail.com>
On 21.06.2016 11:42, Tom Herbert wrote:
>> > There is also some argument to be had for theory versus application.
>> > Arguably it is the customers that are leading to some of the dirty
>> > hacks as I think vendors are building NICs based on customer use cases
>> > versus following any specifications. In most data centers the tunnel
>> > underlays will be deployed throughout the network and UDP will likely
>> > be blocked for anything that isn't being used explicitly for
>> > tunneling. As such we seem to be seeing a lot of NICs that are only
>> > supporting one port for things like this instead of designing them to
>> > handle whatever we can throw at them.
>> >
> Actually, I don't believe that's true. It is not typical to deploy
> firewalls within a data center fabric, and nor do we restrict
> applications from binding to any UDP ports and they can pretty much
> transmit to any port on any host without cost using an unconnected UDP
> socket. I think it's more likely that NIC (and switch vendors) simply
> assumed that port numbers can be treated as global values. That's
> expedient and at small scale we can probably get away with it, but at
> large scale this will eventually bite someone.
I do have access to relatively normal expensive switches that can
basically be used to realize a scenario like the one Alex described. No
firewalls necessary. If you can guarantee that your customers never have
access to your hypervisors or container management namespace, this is
actually a pretty solid assumption.
Bye,
Hannes
next prev parent reply other threads:[~2016-06-21 21:34 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-16 19:20 [net-next PATCH v3 00/17] Future-proof tunnel offload handlers Alexander Duyck
2016-06-16 19:20 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 19:20 ` [net-next PATCH v3 01/17] vxlan/geneve: Include udp_tunnel.h in vxlan/geneve.h and fixup includes Alexander Duyck
2016-06-16 19:20 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 23:06 ` Hannes Frederic Sowa
2016-06-16 23:06 ` [Intel-wired-lan] " Hannes Frederic Sowa
2016-06-16 19:20 ` [net-next PATCH v3 02/17] net: Combine GENEVE and VXLAN port notifiers into single functions Alexander Duyck
2016-06-16 19:20 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 22:45 ` Hannes Frederic Sowa
2016-06-16 22:45 ` [Intel-wired-lan] " Hannes Frederic Sowa
2016-06-16 19:21 ` [net-next PATCH v3 03/17] net: Merge VXLAN and GENEVE push notifiers into a single notifier Alexander Duyck
2016-06-16 19:21 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 22:47 ` Hannes Frederic Sowa
2016-06-16 22:47 ` [Intel-wired-lan] " Hannes Frederic Sowa
2016-06-16 19:21 ` [net-next PATCH v3 04/17] bnx2x: Move all UDP port notifiers to single function Alexander Duyck
2016-06-16 19:21 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 19:21 ` [net-next PATCH v3 05/17] bnxt: Update drivers to support unified UDP encapsulation offload functions Alexander Duyck
2016-06-16 19:21 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 19:21 ` [net-next PATCH v3 06/17] bnxt: Move GENEVE support from hard-coded port to using port notifier Alexander Duyck
2016-06-16 19:21 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 23:12 ` Michael Chan
2016-06-16 23:12 ` [Intel-wired-lan] " Michael Chan
2016-06-16 19:21 ` [net-next PATCH v3 07/17] benet: Replace ndo_add/del_vxlan_port with ndo_add/del_udp_enc_port Alexander Duyck
2016-06-16 19:21 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 19:21 ` [net-next PATCH v3 08/17] fm10k: " Alexander Duyck
2016-06-16 19:21 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 19:22 ` [net-next PATCH v3 09/17] i40e: Move all UDP port notifiers to single function Alexander Duyck
2016-06-16 19:22 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 19:22 ` [net-next PATCH v3 10/17] ixgbe: Replace ndo_add/del_vxlan_port with ndo_add/del_udp_enc_port Alexander Duyck
2016-06-16 19:22 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 19:22 ` [net-next PATCH v3 11/17] mlx4_en: " Alexander Duyck
2016-06-16 19:22 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 19:22 ` [net-next PATCH v3 12/17] mlx5_en: " Alexander Duyck
2016-06-16 19:22 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 19:22 ` [net-next PATCH v3 13/17] nfp: " Alexander Duyck
2016-06-16 19:22 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 19:22 ` [net-next PATCH v3 14/17] qede: Move all UDP port notifiers to single function Alexander Duyck
2016-06-16 19:22 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 19:23 ` [net-next PATCH v3 15/17] qlcnic: Replace ndo_add/del_vxlan_port with ndo_add/del_udp_enc_port Alexander Duyck
2016-06-16 19:23 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 19:23 ` [net-next PATCH v3 16/17] net: Remove deprecated tunnel specific UDP offload functions Alexander Duyck
2016-06-16 19:23 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 22:59 ` Hannes Frederic Sowa
2016-06-16 22:59 ` [Intel-wired-lan] " Hannes Frederic Sowa
2016-06-16 19:23 ` [net-next PATCH v3 17/17] vxlan: Add new UDP encapsulation offload type for VXLAN-GPE Alexander Duyck
2016-06-16 19:23 ` [Intel-wired-lan] " Alexander Duyck
2016-06-16 23:01 ` Hannes Frederic Sowa
2016-06-16 23:01 ` [Intel-wired-lan] " Hannes Frederic Sowa
2016-06-18 3:26 ` [net-next PATCH v3 00/17] Future-proof tunnel offload handlers David Miller
2016-06-18 3:26 ` [Intel-wired-lan] " David Miller
2016-06-20 17:05 ` Tom Herbert
2016-06-20 17:05 ` [Intel-wired-lan] " Tom Herbert
2016-06-20 18:11 ` Hannes Frederic Sowa
2016-06-20 18:11 ` [Intel-wired-lan] " Hannes Frederic Sowa
2016-06-20 19:27 ` Tom Herbert
2016-06-20 19:27 ` [Intel-wired-lan] " Tom Herbert
2016-06-20 21:36 ` Hannes Frederic Sowa
2016-06-20 21:36 ` [Intel-wired-lan] " Hannes Frederic Sowa
2016-06-20 21:45 ` Tom Herbert
2016-06-20 21:45 ` [Intel-wired-lan] " Tom Herbert
2016-06-21 8:34 ` David Miller
2016-06-21 8:34 ` [Intel-wired-lan] " David Miller
2016-06-21 8:22 ` David Miller
2016-06-21 8:22 ` [Intel-wired-lan] " David Miller
2016-06-21 10:41 ` Edward Cree
2016-06-21 10:41 ` [Intel-wired-lan] " Edward Cree
2016-06-21 15:23 ` Hannes Frederic Sowa
2016-06-21 15:23 ` [Intel-wired-lan] " Hannes Frederic Sowa
2016-06-21 17:05 ` Alexander Duyck
2016-06-21 17:05 ` [Intel-wired-lan] " Alexander Duyck
2016-06-21 17:27 ` Edward Cree
2016-06-21 17:27 ` [Intel-wired-lan] " Edward Cree
2016-06-21 17:40 ` Hannes Frederic Sowa
2016-06-21 17:40 ` [Intel-wired-lan] " Hannes Frederic Sowa
2016-06-21 18:17 ` Alexander Duyck
2016-06-21 18:17 ` [Intel-wired-lan] " Alexander Duyck
2016-06-21 18:42 ` Tom Herbert
2016-06-21 18:42 ` [Intel-wired-lan] " Tom Herbert
2016-06-21 21:34 ` Hannes Frederic Sowa [this message]
2016-06-21 21:34 ` Hannes Frederic Sowa
2016-06-21 18:23 ` Edward Cree
2016-06-21 18:23 ` [Intel-wired-lan] " Edward Cree
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e0bf4896-d394-b1d0-1a0d-4affc3b0df4a@redhat.com \
--to=hannes@redhat.com \
--cc=Dept-GELinuxNICDev@qlogic.com \
--cc=aduyck@mirantis.com \
--cc=alexander.duyck@gmail.com \
--cc=ariel.elior@qlogic.com \
--cc=davem@davemloft.net \
--cc=ecree@solarflare.com \
--cc=eugenia@mellanox.com \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=jbenc@redhat.com \
--cc=jesse@kernel.org \
--cc=michael.chan@broadcom.com \
--cc=netdev@vger.kernel.org \
--cc=saeedm@mellanox.com \
--cc=tom@herbertland.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.