AAScratch: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
Antony's unsorted pages I want access quickly | Antony's unsorted pages that I want to access quickly. These are mostly related to IPsec/libreswan and when I think I know this page exist but where is it. | ||
*[[XFRM pCPU]] | *[[XFRM pCPU]] | ||
| Line 12: | Line 12: | ||
*[https://arstechnica.com/gadgets/2019/12/wireguard-vpn-is-a-step-closer-to-mainstream-adoption/ Wiregaurd BenchMark] | *[https://arstechnica.com/gadgets/2019/12/wireguard-vpn-is-a-step-closer-to-mainstream-adoption/ Wiregaurd BenchMark] | ||
== virtiofs replace 9pfs: libvirt 6.2, qemu 5.0, kernel 5.4 == | == KVM/QEMU virtiofs to replace 9pfs: libvirt 6.2, qemu 5.0, kernel 5.4 == | ||
* [https://libvirt.org/news.html libvirt 6.2] Fedora 33? Did not make to Fedora 32. [https://src.fedoraproject.org/rpms/libvirt F33?] | * [https://libvirt.org/news.html libvirt 6.2] Fedora 33? Did not make to Fedora 32. [https://src.fedoraproject.org/rpms/libvirt F33?] | ||
* [https://bugzilla.redhat.com/show_bug.cgi?id=1694166 RH BZ libvirtd merge] tracking the request | * [https://bugzilla.redhat.com/show_bug.cgi?id=1694166 RH BZ libvirtd merge] tracking the request | ||
| Line 20: | Line 19: | ||
* [https://marc.info/?l=linux-kernel&m=154446243024251&w=2 virtiofs RFC patches] | * [https://marc.info/?l=linux-kernel&m=154446243024251&w=2 virtiofs RFC patches] | ||
== KVM/QEMU + vsock to replace 9pfs == | == KVM/QEMU + vsock NFS to replace 9pfs == | ||
KVM support for vsock and nfs support could have a better performance than 9pfs. | KVM support for vsock and nfs support could have a better performance than 9pfs. | ||
This work could be interesting to libreswan KVM testing. It started in 2015. Slowly picking up, as 2018 it seems AWS and firecracker is pushing it. We are almost there. | This work could be interesting to libreswan KVM testing. It started in 2015. Slowly picking up, as 2018 it seems AWS and firecracker is pushing it. We are almost there. | ||
* 2015 [https://lwn.net/Articles/647516/ LWN virtio] | * 2015 [https://lwn.net/Articles/647516/ LWN virtio] | ||
| Line 29: | Line 27: | ||
* XFRM Offload : starting 4.14 | * XFRM Offload : starting 4.14 | ||
* NAT support ??? | * NAT support ??? | ||
* What if the interface is a bridge? can libreswan/strongswan configure SA correctly? [https://wiki.strongswan.org/issues/3454 bridge] | * What if the interface is a member of bridge? can libreswan/strongswan configure SA correctly? [https://wiki.strongswan.org/issues/3454 bridge] | ||
* what if the packets arrive on different interface would that get decrypted correctly? | * what if the packets arrive on different interface would that get decrypted correctly? | ||
* Bonded NIC card | |||
* XFRM and XDP | * XFRM and XDP | ||
* idea presentation [http://vger.kernel.org/netconf2019_files/xfrm_xdp.pdf Steffen Klassert] Linux Netconf, Boston, June, 2019 | * idea presentation [http://vger.kernel.org/netconf2019_files/xfrm_xdp.pdf Steffen Klassert] Linux Netconf, Boston, June, 2019 | ||
| Line 51: | Line 50: | ||
=== OVS === | === OVS === | ||
http://docs.openvswitch.org/en/latest/tutorials/ipsec/ | http://docs.openvswitch.org/en/latest/tutorials/ipsec/ | ||
| Line 68: | Line 66: | ||
=== Intel QAT === | === Intel QAT === | ||
=== Intel AES NI === | === Intel AES NI === | ||
=== Historic OCF === | === Historic OCF === | ||
==== Linux packet path | = Interesting Linux referecncs = | ||
== Linux packet path == | |||
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg | https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg | ||
Revision as of 09:01, 14 October 2020
Antony's unsorted pages that I want to access quickly. These are mostly related to IPsec/libreswan and when I think I know this page exist but where is it.
- XFRM pCPU
- XFRMi Development Notes 2018-2019
- Namespace Magic, 2019
- IKEv2 State names proposal 2016 - 2019
- Cloud Opportunistic Encryption(OE)
- Linux Kernel Support related to libreswan
KVM/QEMU virtiofs to replace 9pfs: libvirt 6.2, qemu 5.0, kernel 5.4
- libvirt 6.2 Fedora 33? Did not make to Fedora 32. F33?
- RH BZ libvirtd merge tracking the request
- QEMU 5.0 added support for virtiofsd. F33??
- virtio-fs Mainline kernel 5.4
- virtiofs RFC patches
KVM/QEMU + vsock NFS to replace 9pfs
KVM support for vsock and nfs support could have a better performance than 9pfs. This work could be interesting to libreswan KVM testing. It started in 2015. Slowly picking up, as 2018 it seems AWS and firecracker is pushing it. We are almost there.
- 2015 LWN virtio
Linux Kernel developments
- XFRM Offload : starting 4.14
* NAT support ??? * What if the interface is a member of bridge? can libreswan/strongswan configure SA correctly? bridge * what if the packets arrive on different interface would that get decrypted correctly? * Bonded NIC card
- XFRM and XDP
* idea presentation Steffen Klassert Linux Netconf, Boston, June, 2019
- XFRM pCPU prototype experimental
Userspace IPsec Stacks
Over last few years specialized user space IPSec(ESP) stacks and IKE implementations are becoming popular.
VPP + DPDK (Userspace ESP + IKE)
VPP has its own IKEv2 and ESP implimentation.
Snabb ESP userspace stack
Snabb as of 2020 has ESP. No IKE, it can easily use of the shelf IKE say strongswan for IKE and and few command line calls to installl snabb esp Snabb FOSDEM 2020 snabb ipsec podcast Strongswan inegeration
OVS
http://docs.openvswitch.org/en/latest/tutorials/ipsec/
iptable rule to drop IKEv2 message id X
https://unix.stackexchange.com/questions/321252/drop-a-packet-depending-on-its-options-or-type
# drop ike message ID 6 iptables -A INPUT -m u32 --u32 '0x6 & 0xFF = 0x11 && 0x30 & 0xFFFFFFFF = 0x4' -j DROP
Hardware offload
XFRM offload
- Mellonax Innova or ConnectX 6DX
- Intel
Intel QAT
Intel AES NI
Historic OCF
Interesting Linux referecncs
Linux packet path
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
