tech-net archive


Re: Thinking about "branes" for netbsd...



Dennis Ferguson wrote:
On 4 May, 2012, at 01:43 , David Young wrote:
The general idea is to have more than one forwarding domain per router.
Belonging to each forwarding domain are the routes for that domain and
some interfaces.  Each route/interface can belong to just one domain.

Okay, but maybe I can reword what I understand this to say in terms that
(to me) more clearly describe mechanism.  It would be possible to configure more
than one route table for a protocol, with routes being added to, changed in,
and deleted from each table independently.  This actually requires replication
of several address-bearing structures in addition to the route table (e.g.
tables for PCB lookups), so let me call this group of structures a "routing
instance".

The basic configurables around this are that each interface (or "interface",
for some logical definition of this) in the machine running this network
protocol needs to be told which of these tables it should use to route
incoming packets, with the interface routes generated as a side effect
of address configuration on that interface being stored in the same table.
In addition, each open socket needs to be configured (or somehow come to
understand) which table it should use to route outbound packets and
which "routing instance" its socket binding should be stored in.  The
collection of a routing instance, the interfaces configured to forward
packets through and install routes in that routing instance and the
sockets which are using the instance are what I think you are calling
a "domain".  Beyond this, what each of these routing instances does that
is "special" is defined by the routes installed in each table, and perhaps
the filters operating around the table.

Roughly speaking, more or less yes.

Packets cannot cross from one forwarding domain to another except by
going through an interface.

And this is a place where I stumble.  If you want to implement a
policy which prevents packets from crossing from one domain to another
except by going through an interface (and if I understand what that
means), why is it not sufficient that you can configure each of these
tables with routes which only route packets from one domain to the other
via an interface?  Why is it necessary to go the extra step and prohibit
someone else from installing a route in one table with a next hop which
directly routes out an interface whose inbound packets are forwarded via
another table (i.e. an interface in another domain), if that is what is
required for that someone else to get their work done?

To allow cross references between data structures from one brane to
another or cross talk where packets can move from one brane to another
would be a very dirty implementation. The goal of branes is to support
network virtualisation. One aspect of network virtualisation is the
ability for the kernel to support multiple routing tables as a result.

In terms of implementation, can you imagine the locking hell that would
result if you tried to directly join both of those domains because
one wanted to use the resources of another?

Darren
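A toy model of the mechanism described above (each interface selects one route table, each domain owns its own table) together with the isolation rule the thread argues about, written as an added example in C. It is not NetBSD code; the interface names, domain numbers, and the decision to refuse a route whose next hop is an interface in another domain are assumptions made for illustration.

```c
/* Toy model of per-domain routing instances (added example, not NetBSD code).
 * Each interface belongs to exactly one domain and each domain owns one route
 * table.  Installing a route whose next-hop interface lives in another domain
 * is refused, so a packet can only leave a domain by crossing an interface. */
#include <stdint.h>
#include <stdio.h>

#define MAX_DOMAINS 4
#define MAX_ROUTES  16

struct iface  { const char *name; int domain; };
struct route  { uint32_t prefix; int plen; int ifidx; };  /* IPv4 prefix -> out interface */
struct domain { struct route routes[MAX_ROUTES]; int nroutes; };

/* Constructed sample topology: two interfaces in domain 0, one in domain 1. */
static struct iface ifaces[] = {
    { "wm0", 0 }, { "wm1", 0 },   /* domain 0 */
    { "wm2", 1 },                 /* domain 1 */
};
static struct domain domains[MAX_DOMAINS];

/* Dotted quad -> host-order uint32 (assumes well-formed input). */
static uint32_t ip4(const char *s) {
    unsigned a, b, c, d;
    sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d);
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static uint32_t mask(int plen) { return plen == 0 ? 0 : 0xffffffffu << (32 - plen); }

/* Install a route in domain 'dom'.  Returns 0 on success, -1 when the table is
 * full or the next-hop interface belongs to a different domain (cross-domain
 * route refused: this is the isolation policy under discussion). */
int add_route(int dom, const char *pfx, int plen, int ifidx) {
    struct domain *d = &domains[dom];
    if (ifaces[ifidx].domain != dom || d->nroutes == MAX_ROUTES) return -1;
    d->routes[d->nroutes++] = (struct route){ ip4(pfx) & mask(plen), plen, ifidx };
    return 0;
}

/* Forward a packet that arrived on 'in_ifidx': the inbound interface decides
 * which table is consulted.  Longest-prefix match; returns the outbound
 * interface index, or -1 if the domain's table has no route. */
int forward(int in_ifidx, const char *dst) {
    struct domain *d = &domains[ifaces[in_ifidx].domain];
    uint32_t a = ip4(dst);
    int best = -1, bestlen = -1;
    for (int i = 0; i < d->nroutes; i++) {
        struct route *r = &d->routes[i];
        if ((a & mask(r->plen)) == r->prefix && r->plen > bestlen) { best = r->ifidx; bestlen = r->plen; }
    }
    return best;
}
```

Because the table is chosen by the inbound interface, the same destination address resolves differently depending on which domain the packet entered, and no route ever points at an interface outside that domain.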


