xen-devel.lists.xenproject.org archive mirror
* Deployment usage and performance of a network domain
@ 2017-06-08 12:32 Kashyap Thimmaraju
  2017-06-08 17:07 ` Dario Faggioli
  0 siblings, 1 reply; 5+ messages in thread
From: Kashyap Thimmaraju @ 2017-06-08 12:32 UTC (permalink / raw)
  To: xen-devel; +Cc: George Dunlap

Hi,

I'm Kashyap Thimmaraju, a second year PhD student at TU Berlin in
Germany. This is my first post here, and I'm a Xen newbie.

I saw George Dunlap's presentation "Securing Your Xen-Based Cloud" at
the LinuxCon on YouTube recently as I am interested in using the
driver domain for networking.

In the presentation he proposed placing the network driver and
forwarding functionality (bridge, iptables, etc.) into a (network)
driver domain. This is indeed good for security.

However, I am curious if people are really adopting such an approach.
Are there cloud providers or PV vendors deploying such an
architecture? If so, is there any impact on the networking performance
of say VM-VM or VM-Internet traffic?

Thanks,
-- 
Kashyap Thimmaraju <kashyap.thimmaraju@sec.t-labs.tu-berlin.de>
Security in Telecommunications <sec.t-labs.tu-berlin.de>
TU Berlin / Telekom Innovation Laboratories
Ernst-Reuter-Platz 7, Sekr TEL 16 / D - 10587 Berlin, Germany
Phone: +49 30 8353 58351

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

* Re: Deployment usage and performance of a network domain
  2017-06-08 12:32 Deployment usage and performance of a network domain Kashyap Thimmaraju
@ 2017-06-08 17:07 ` Dario Faggioli
  2017-06-12  8:18   ` Kashyap Thimmaraju
  0 siblings, 1 reply; 5+ messages in thread
From: Dario Faggioli @ 2017-06-08 17:07 UTC (permalink / raw)
  To: Kashyap Thimmaraju, xen-devel; +Cc: George Dunlap


On Thu, 2017-06-08 at 14:32 +0200, Kashyap Thimmaraju wrote:
> Hi,
> 
> I'm Kashyap Thimmaraju, a second year PhD student at TU Berlin in
> Germany. This is my first post here, and I'm a Xen newbie.
> 
> I saw George Dunlap's presentation "Securing Your Xen-Based Cloud" at
> the LinuxCon on YouTube recently as I am interested in using the
> driver domain for networking.
> 
> In the presentation he proposed placing the network driver and
> forwarding functionality (bridge, iptables, etc.) into a (network)
> driver domain. This is indeed good for security.
> 
> However, I am curious if people are really adopting such an approach.
> Are there cloud providers or PV vendors deploying such an
> architecture? If so, is there any impact on the networking performance
> of say VM-VM or VM-Internet traffic?
> 
I'm not aware of any cloud providers doing that (but, that's mostly
because there's not much info about how cloud providers configure their
infrastructure).

Driver domains and stubdomains are hugely used in contexts targeting
really strong security, like Qubes and OpenXT:

https://www.qubes-os.org/
http://openxt.org/

Qubes targets laptops. I've tried it on mine, which is quite old, and
the drop in perf, e.g., wrt a regular (as in, one that does not use
virtualization at all) Linux desktop, although present, I don't think
it comes too much from the driver domain(s).

I haven't run any benchmarks with it, but despite (as I said) the
laptop being quite old, the system is definitely usable.

I know less of OpenXT. The picture in the front page mentions
multi-tenancy (although, it also mentions 'clients').

Regards,
Dario
-- 
<<This happens because I choose it to happen!>> (Raistlin Majere)
-----------------------------------------------------------------
Dario Faggioli, Ph.D, http://about.me/dario.faggioli
Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)


* Re: Deployment usage and performance of a network domain
  2017-06-08 17:07 ` Dario Faggioli
@ 2017-06-12  8:18   ` Kashyap Thimmaraju
  2017-06-14  8:10     ` Dario Faggioli
  0 siblings, 1 reply; 5+ messages in thread
From: Kashyap Thimmaraju @ 2017-06-12  8:18 UTC (permalink / raw)
  To: Dario Faggioli, xen-devel; +Cc: George Dunlap

Hi Dario,

Thank you for your answer.

On 08.06.2017 19:07, Dario Faggioli wrote:
> I'm not aware of any cloud providers doing that (but, that's
> mostly because there's not much info about how cloud providers
> configure their infrastructure).
This is true, and I agree there is little to no information on how
cloud providers deploy their virtualized infrastructure. I thought it
would be worth asking on the forum though.
> 
> Driver domains and stubdomains are hugely used in contexts
> targeting really strong security, like Qubes and OpenXT:
> 
> https://www.qubes-os.org/ http://openxt.org/
> 
> Qubes targets laptops. I've tried it on mine, which is quite old,
> and the drop in perf, e.g., wrt a regular (as in, one that does not
> use virtualization at all) Linux desktop, although present, I don't
> think it comes too much from the driver domain(s).
> 
> I haven't run any benchmarks with it, but despite (as I said) the 
> laptop being quite old, the system is definitely usable.
Thanks. I looked for a performance evaluation of such an architecture
but did not find anything. It would be good to know if there are some
meaningful numbers. The OpenXT example of having dedicated virtual
network domains for clients is indeed a good one but I could not find
any performance evaluation on that. Would you or anybody here happen
to know where I can find such information? The 2016 summit does not
have anything on it either.
> 
> I know less of OpenXT. The picture in the front page mentions
> multi-tenancy (although, it also mentions 'clients').
Thanks for sharing those two links. They are indeed similar to what I
am looking for. The OpenXT webpage has several links on related tech.
as well which I found useful. That's actually where I found the link
to George Dunlap's presentation.

Thanks,
-- 
Kashyap Thimmaraju <kashyap.thimmaraju@sec.t-labs.tu-berlin.de>
Security in Telecommunications <sec.t-labs.tu-berlin.de>
TU Berlin / Telekom Innovation Laboratories
Ernst-Reuter-Platz 7, Sekr TEL 16 / D - 10587 Berlin, Germany
Phone: +49 30 8353 58351

* Re: Deployment usage and performance of a network domain
  2017-06-12  8:18   ` Kashyap Thimmaraju
@ 2017-06-14  8:10     ` Dario Faggioli
  2017-06-14  8:13       ` Kashyap Thimmaraju
  0 siblings, 1 reply; 5+ messages in thread
From: Dario Faggioli @ 2017-06-14  8:10 UTC (permalink / raw)
  To: Kashyap Thimmaraju, xen-devel; +Cc: George Dunlap


On Mon, 2017-06-12 at 10:18 +0200, Kashyap Thimmaraju wrote:
> > Driver domains and stubdomains are hugely used in contexts
> > targeting really strong security, like Qubes and OpenXT:
> > 
> > https://www.qubes-os.org/ http://openxt.org/
> > 
> > Qubes targets laptops. I've tried it on mine, which is quite old,
> > and the drop in perf, e.g., wrt a regular (as in, one that does not
> > use virtualization at all) Linux desktop, although present, I don't
> > think it comes too much from the driver domain(s).
> > 
> > I haven't run any benchmarks with it, but despite (as I said) the 
> > laptop being quite old, the system is definitely usable.
> 
> Thanks. I looked for a performance evaluation of such an architecture
> but did not find anything. It would be good to know if there are some
> meaningful numbers. 
>
Well, I don't know of any either, but I have never looked. Fact is,
meaningfulness depends on what each of us needs and actually finds
meaningful. So, it's entirely possible that no one has performed before
the specific evaluation you would like to see...

> The OpenXT example of having dedicated virtual
> network domains for clients is indeed a good one but I could not find
> any performance evaluation on that. Would you or anybody here happen
> to know where I can find such information? The 2016 summit does not
> have anything on it either.
>
I think you should:
 - ask them directly,
 - begin considering doing some evaluation yourself. If you do, we're
   definitely interested in seeing what you will find out.

Regards,
Dario
-- 
<<This happens because I choose it to happen!>> (Raistlin Majere)
-----------------------------------------------------------------
Dario Faggioli, Ph.D, http://about.me/dario.faggioli
Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)


* Re: Deployment usage and performance of a network domain
  2017-06-14  8:10     ` Dario Faggioli
@ 2017-06-14  8:13       ` Kashyap Thimmaraju
  0 siblings, 0 replies; 5+ messages in thread
From: Kashyap Thimmaraju @ 2017-06-14  8:13 UTC (permalink / raw)
  To: Dario Faggioli, xen-devel; +Cc: George Dunlap

Hi Dario,

Thank you for your suggestions. I agree, my choice of the word
meaningful was not objective. I will write to the folks at OpenXT,
consider conducting an evaluation myself, and share the results I get
here.

Thanks,

On 14.06.2017 10:10, Dario Faggioli wrote:
> Well, I don't know of any either, but I have never looked. Fact
> is, meaningfulness depends on what each of us needs and actually
> finds meaningful. So, it's entirely possible that no one has
> performed before the specific evaluation you would like to see...
> 
> I think you should: - ask them directly, - begin considering doing
> some evaluation yourself. If you do, we're definitely interested in
> seeing what you will find out.
> 
> Regards, Dario

-- 
Kashyap Thimmaraju <kashyap.thimmaraju@sec.t-labs.tu-berlin.de>
Security in Telecommunications <sec.t-labs.tu-berlin.de>
TU Berlin / Telekom Innovation Laboratories
Ernst-Reuter-Platz 7, Sekr TEL 16 / D - 10587 Berlin, Germany
Phone: +49 30 8353 58351
