AAScratch: Difference between revisions

From Libreswan
Jump to navigation Jump to search
No edit summary
No edit summary
Line 13: Line 13:


= KVM/QEMU =
= KVM/QEMU =
== KVM/QEMU virtio-fs is an alternative to 9pfs: ==
== virtio-fs is an alternative to 9pfs in KVM/QEMU: ==


In January 2021, I did a few quick initial tests. The results are promising. The performance was great. Building libreswan was quick 44/240 seconds. It might also possible to boot from a host directory. In combination with btrfs could be a good choice.  
In January 2021, I tried it. I am happy with the initial results. The performance was great. Building libreswan was quick 44/240 seconds. It might also possible to boot from a host directory. In combination with btrfs could be a good choice.  


* Missing features  virt-install do not have necessary support to create VM with right options such as NUMA settings, big memory [https://libvirt.org/kbase/virtiofs.html libvirtd].
* Missing features  virt-install do not have necessary support to create VM with right options such as NUMA settings, big memory [https://libvirt.org/kbase/virtiofs.html libvirtd].
* Systemd mount services seems to miss support.
* Systemd mount services seems to miss support.
* virtio-fs can also be [https://virtio-fs.gitlab.io/howto-boot.html root fs]. Then boot the KVM from kernel(vmlinuz) the host.


Require Fedora 33: libvirt 6.2, qemu 5.0, kernel 5.4
Requirement: Fedora 33 - libvirt 6.2, qemu 5.0, kernel 5.4
* [https://libvirt.org/news.html libvirt 6.2] Fedora 33. [https://src.fedoraproject.org/rpms/libvirt F33]
* [https://libvirt.org/news.html libvirt 6.2] Fedora 33. [https://src.fedoraproject.org/rpms/libvirt F33]
* [https://bugzilla.redhat.com/show_bug.cgi?id=1694166 RH BZ libvirtd merge] tracking the request
* [https://bugzilla.redhat.com/show_bug.cgi?id=1694166 RH BZ libvirtd merge] tracking the request

Revision as of 20:57, 13 January 2021

Antony's unsorted pages that I want to access quickly. These are mostly related to IPsec/libreswan and when I think I know this page exist but where is it.

KVM/QEMU

virtio-fs is an alternative to 9pfs in KVM/QEMU:

In January 2021, I tried it. I am happy with the initial results. The performance was great. Building libreswan was quick 44/240 seconds. It might also possible to boot from a host directory. In combination with btrfs could be a good choice.

  • Missing features virt-install do not have necessary support to create VM with right options such as NUMA settings, big memory libvirtd.
  • Systemd mount services seems to miss support.
  • virtio-fs can also be root fs. Then boot the KVM from kernel(vmlinuz) the host.

Requirement: Fedora 33 - libvirt 6.2, qemu 5.0, kernel 5.4

KVM/QEMU + vsock NFS to replace 9pfs

KVM support for vsock and nfs support could have a better performance than 9pfs. This work could be interesting to libreswan KVM testing. It started in 2015. Slowly picking up, as 2018 it seems AWS and firecracker is pushing it. We are almost there.

Linux Kernel developments

XFRM Offload : starting 4.14

 * NAT support ??? 
 * What if the interface is a member of bridge? can libreswan/strongswan configure SA correctly? bridge
 * what if the packets arrive on different interface would that get decrypted correctly?
 * Bonded NIC card

XFRM and XDP

 * idea presentation Steffen Klassert Linux Netconf, Boston, June, 2019

Linux Per CPU efforts

Userspace IPsec Stacks

Over last few years specialized user space IPSec(ESP) stacks and IKE implementations are becoming popular.

VPP + DPDK (Userspace ESP + IKE)

VPP has its own IKEv2 and ESP implimentation.

Snabb ESP userspace stack

Snabb as of 2020 has ESP. No IKE, it can easily use of the shelf IKE say strongswan for IKE and and few command line calls to install snabb esp Snabb FOSDEM 2020 snabb ipsec podcast Strongswan inegeration

OVS

http://docs.openvswitch.org/en/latest/tutorials/ipsec/

iptable rule to drop IKEv2 message id X

https://unix.stackexchange.com/questions/321252/drop-a-packet-depending-on-its-options-or-type

# drop ike message ID 6
iptables -A INPUT -m u32 --u32 '0x6 & 0xFF = 0x11 && 0x30 & 0xFFFFFFFF = 0x4' -j DROP

Hardware offload

XFRM offload

  • Mellonax Innova or ConnectX 6DX
  • Intel

Intel QAT

https://www.servethehome.com/intel-quickassist-at-40gbe-speeds-ipsec-vpn-testing/

Intel AES NI

Historic OCF

Back in the 90 there was alo

RSS/RPS/RFS

Interesting Linux referecncs

Linux packet path

https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg