AAScratch: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 12: | Line 12: | ||
*[https://arstechnica.com/gadgets/2019/12/wireguard-vpn-is-a-step-closer-to-mainstream-adoption/ Wiregaurd BenchMark] | *[https://arstechnica.com/gadgets/2019/12/wireguard-vpn-is-a-step-closer-to-mainstream-adoption/ Wiregaurd BenchMark] | ||
= KVM/QEMU = | |||
== KVM/QEMU virtiofs to replace 9pfs: libvirt 6.2, qemu 5.0, kernel 5.4 == | == KVM/QEMU virtiofs to replace 9pfs: libvirt 6.2, qemu 5.0, kernel 5.4 == | ||
* [https://libvirt.org/news.html libvirt 6.2] Fedora 33? Did not make to Fedora 32. [https://src.fedoraproject.org/rpms/libvirt F33?] | * [https://libvirt.org/news.html libvirt 6.2] Fedora 33? Did not make to Fedora 32. [https://src.fedoraproject.org/rpms/libvirt F33?] | ||
| Line 24: | Line 25: | ||
* 2015 [https://lwn.net/Articles/647516/ LWN virtio] | * 2015 [https://lwn.net/Articles/647516/ LWN virtio] | ||
= Linux Kernel developments = | |||
== XFRM Offload : starting 4.14 == | |||
* NAT support ??? | * NAT support ??? | ||
* What if the interface is a member of bridge? can libreswan/strongswan configure SA correctly? [https://wiki.strongswan.org/issues/3454 bridge] | * What if the interface is a member of bridge? can libreswan/strongswan configure SA correctly? [https://wiki.strongswan.org/issues/3454 bridge] | ||
* what if the packets arrive on different interface would that get decrypted correctly? | * what if the packets arrive on different interface would that get decrypted correctly? | ||
* Bonded NIC card | * Bonded NIC card | ||
== XFRM and XDP == | |||
* idea presentation [http://vger.kernel.org/netconf2019_files/xfrm_xdp.pdf Steffen Klassert] Linux Netconf, Boston, June, 2019 | * idea presentation [http://vger.kernel.org/netconf2019_files/xfrm_xdp.pdf Steffen Klassert] Linux Netconf, Boston, June, 2019 | ||
* XFRM pCPU prototype [https://libreswan.org/wiki/XFRM_pCPU experimental] | == Per CPU effoorts == | ||
* XFRM pCPU prototype [https://libreswan.org/wiki/XFRM_pCPU experimental]== | |||
= Userspace IPsec Stacks = | |||
Over last few years specialized user space IPSec(ESP) stacks and IKE implementations are becoming popular. | Over last few years specialized user space IPSec(ESP) stacks and IKE implementations are becoming popular. | ||
== VPP + DPDK (Userspace ESP + IKE) == | |||
VPP has its own IKEv2 and ESP implimentation. | VPP has its own IKEv2 and ESP implimentation. | ||
| Line 43: | Line 45: | ||
* [https://archive.fosdem.org/2019/schedule/event/userspace_network_stacks User-space Network Stacks (DPDK and friends)] 2019 | * [https://archive.fosdem.org/2019/schedule/event/userspace_network_stacks User-space Network Stacks (DPDK and friends)] 2019 | ||
== Snabb ESP userspace stack == | |||
Snabb as of 2020 has ESP. No IKE, it can easily use of the shelf IKE say strongswan for IKE and and few command line calls to installl snabb esp | Snabb as of 2020 has ESP. No IKE, it can easily use of the shelf IKE say strongswan for IKE and and few command line calls to installl snabb esp | ||
[https://fosdem.org/2020/schedule/event/vita_high_speed_traffic_encryption_on_x86_64/ Snabb FOSDEM 2020] | [https://fosdem.org/2020/schedule/event/vita_high_speed_traffic_encryption_on_x86_64/ Snabb FOSDEM 2020] | ||
| Line 49: | Line 51: | ||
[https://github.com/inters/vita/issues/68 Strongswan inegeration] | [https://github.com/inters/vita/issues/68 Strongswan inegeration] | ||
== OVS == | |||
http://docs.openvswitch.org/en/latest/tutorials/ipsec/ | http://docs.openvswitch.org/en/latest/tutorials/ipsec/ | ||
= iptable rule to drop IKEv2 message id X = | |||
https://unix.stackexchange.com/questions/321252/drop-a-packet-depending-on-its-options-or-type | https://unix.stackexchange.com/questions/321252/drop-a-packet-depending-on-its-options-or-type | ||
| Line 60: | Line 62: | ||
</pre> | </pre> | ||
= Hardware offload = | |||
== XFRM offload == | |||
* Mellonax Innova or ConnectX 6DX | * Mellonax Innova or ConnectX 6DX | ||
* Intel | * Intel | ||
== Intel QAT == | |||
https://www.servethehome.com/intel-quickassist-at-40gbe-speeds-ipsec-vpn-testing/ | |||
=== Intel AES NI === | === Intel AES NI === | ||
=== Historic OCF === | === Historic OCF === | ||
= RSS/RPS/RFS= | |||
* [https://garycplin.blogspot.com/2017/06/linux-network-scaling-receives-packets.html RPS] | |||
= Interesting Linux referecncs = | = Interesting Linux referecncs = | ||
== Linux packet path == | == Linux packet path == | ||
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg | https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg | ||
Revision as of 10:06, 14 October 2020
Antony's unsorted pages that I want to access quickly. These are mostly related to IPsec/libreswan and when I think I know this page exist but where is it.
- XFRM pCPU
- XFRMi Development Notes 2018-2019
- Namespace Magic, 2019
- IKEv2 State names proposal 2016 - 2019
- Cloud Opportunistic Encryption(OE)
- Linux Kernel Support related to libreswan
KVM/QEMU
KVM/QEMU virtiofs to replace 9pfs: libvirt 6.2, qemu 5.0, kernel 5.4
- libvirt 6.2 Fedora 33? Did not make to Fedora 32. F33?
- RH BZ libvirtd merge tracking the request
- QEMU 5.0 added support for virtiofsd. F33??
- virtio-fs Mainline kernel 5.4
- virtiofs RFC patches
KVM/QEMU + vsock NFS to replace 9pfs
KVM support for vsock and nfs support could have a better performance than 9pfs. This work could be interesting to libreswan KVM testing. It started in 2015. Slowly picking up, as 2018 it seems AWS and firecracker is pushing it. We are almost there.
- 2015 LWN virtio
Linux Kernel developments
XFRM Offload : starting 4.14
* NAT support ??? * What if the interface is a member of bridge? can libreswan/strongswan configure SA correctly? bridge * what if the packets arrive on different interface would that get decrypted correctly? * Bonded NIC card
XFRM and XDP
* idea presentation Steffen Klassert Linux Netconf, Boston, June, 2019
Per CPU effoorts
- XFRM pCPU prototype experimental==
Userspace IPsec Stacks
Over last few years specialized user space IPSec(ESP) stacks and IKE implementations are becoming popular.
VPP + DPDK (Userspace ESP + IKE)
VPP has its own IKEv2 and ESP implimentation.
Snabb ESP userspace stack
Snabb as of 2020 has ESP. No IKE, it can easily use of the shelf IKE say strongswan for IKE and and few command line calls to installl snabb esp Snabb FOSDEM 2020 snabb ipsec podcast Strongswan inegeration
OVS
http://docs.openvswitch.org/en/latest/tutorials/ipsec/
iptable rule to drop IKEv2 message id X
https://unix.stackexchange.com/questions/321252/drop-a-packet-depending-on-its-options-or-type
# drop ike message ID 6 iptables -A INPUT -m u32 --u32 '0x6 & 0xFF = 0x11 && 0x30 & 0xFFFFFFFF = 0x4' -j DROP
Hardware offload
XFRM offload
- Mellonax Innova or ConnectX 6DX
- Intel
Intel QAT
https://www.servethehome.com/intel-quickassist-at-40gbe-speeds-ipsec-vpn-testing/
Intel AES NI
Historic OCF
RSS/RPS/RFS
Interesting Linux referecncs
Linux packet path
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
