tech-net archive


Re: Thinking about "branes" for netbsd...

On Thu, May 03, 2012 at 12:23:36PM -0400, Mouse wrote:
> >>> [...] "processes get chroot'd into branes" [...]
> >> I'm not even sure what it could mean, [...].  Perhaps something is
> >> being extended metaphorically, but it's unclear to me what or how
> >> that could be.
> > "Give processes a different view to the network than 'the rest of the
> > machine' has" - not that different to "give processes a different
> > view to the file system", no?
> Yeah, but that involves (or, at least, I would expect that to involve)
> more than just the routing table.  Or do branes cover more than just
> routing?

Matt Thomas describes branes here,

I should say, before I launch into my own explanation, that I have a
particular understanding of "branes" that may be different from Matt's
and others'.

The general idea is to have more than one forwarding domain per router.
Belonging to each forwarding domain are the routes for that domain and
some interfaces.  Each route/interface can belong to just one domain.
Packets cannot cross from one forwarding domain to another except by
going through an interface.  We can imagine a virtual interface that has
two "ends," each end in a different forwarding domain, for shuttling
packets from domain to domain.  More commonly we will have a hardware
interface that attaches a NetBSD router's forwarding domain to the
forwarding domain of a router/switch that's connected with an ethernet.

ISTM that it will be useful sometimes for a tunnel interface to straddle
two domains, sending/receiving encapsulated packets on one domain and
sending/receiving decap'd packets on the other.

A forwarding domain at layer 2 is commonly called a VLAN.  We ought to
replace bridge(4) with ethernet forwarding domains.

ISTM that a process may have (or may not) several privileges that
pertain to forwarding domains.  It may have a create/destroy-domain
privilege.  It may have privileges on more than one domain for the
purpose of examining/setting both routes and interface configuration.
It will have privileges to socket()/bind()/connect()/send()/recv() on
zero or more domains, and one domain (ordinarily the 0th domain) will be
its default domain.


David Young    Urbana, IL    (217) 721-9981
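The forwarding-domain design sketched above, as an added Python model that is not part of the original post or of NetBSD's code: each interface and route belongs to exactly one domain, a packet leaves its domain only by crossing a two-ended virtual interface, and a process's socket privilege is checked against the domain it asks for. The interface names, the "main"/"guest" domains and the 10.1/16 prefix are constructed sample values.

```python
import ipaddress
class Domain:  # one forwarding domain: owns its routes and the interfaces attached to it
    def __init__(self, name):
        self.name, self.routes, self.ifaces = name, [], {}  # ifaces: ifname -> far domain name or None
    def add_route(self, prefix, ifname):
        if ifname not in self.ifaces:  # a route may only use an interface in its own domain
            raise ValueError(f"{ifname} is not in domain {self.name}")
        self.routes.append((ipaddress.ip_network(prefix), ifname))
    def lookup(self, dst):  # longest-prefix match over this domain's routes only
        hits = [(n, i) for n, i in self.routes if ipaddress.ip_address(dst) in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

class Router:
    def __init__(self):
        self.domains, self.owner = {}, {}  # owner: ifname -> domain name, exactly one per interface
    def attach(self, ifname, dom, far=None):  # far=None: a hardware interface leaving the router
        if ifname in self.owner:
            raise ValueError(f"{ifname} already belongs to {self.owner[ifname]}")
        self.owner[ifname] = dom
        self.domains.setdefault(dom, Domain(dom)).ifaces[ifname] = far
    def add_pair(self, name, a, b):  # two-ended virtual interface straddling domains a and b
        self.attach(name + "0", a, far=b)
        self.attach(name + "1", b, far=a)
    def forward(self, in_if, dst, max_hops=8):  # returns (domain, out_if) per hop; None = dropped
        dom, path = self.domains[self.owner[in_if]], []
        for _ in range(max_hops):
            out = dom.lookup(dst)
            path.append((dom.name, out))
            if out is None or dom.ifaces[out] is None:
                return path
            dom = self.domains[dom.ifaces[out]]  # crossed into the far end's domain
        return path

class Process:  # socket privilege on zero or more domains, one of them the default
    def __init__(self, socket_domains, default):
        self.allowed, self.default = set(socket_domains), default
    def socket(self, dom=None):  # socket()/bind()/connect() need privilege on the chosen domain
        dom = self.default if dom is None else dom
        if dom not in self.allowed: raise PermissionError(f"no socket privilege on domain {dom}")
        return dom

def demo_router():  # constructed sample: "main" reaches everything, "guest" only 10.1/16 via wm1
    r = Router()
    r.attach("wm0", "main"); r.attach("wm1", "guest")
    r.add_pair("vether", "main", "guest")
    for dom, prefix, ifn in (("main", "0.0.0.0/0", "wm0"), ("main", "10.1.0.0/16", "vether0"),
                             ("guest", "10.1.0.0/16", "wm1")):
        r.domains[dom].add_route(prefix, ifn)
    return r
```

A packet entering on wm1 for 8.8.8.8 is dropped in "guest" because that domain has no default route of its own, even though "main" does.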
