From: Ben Greear <greearb@candelatech.com>
To: David Ahern <dsahern@gmail.com>
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	nicolas.dichtel@6wind.com, netdev@vger.kernel.org
Subject: Re: VRFs and the scalability of namespaces
Date: Mon, 29 Sep 2014 09:40:06 -0700
Message-ID: <54298B66.8060807@candelatech.com>
In-Reply-To: <54295971.2040402@gmail.com>

On 09/29/2014 06:06 AM, David Ahern wrote:

> The features of note:
> - resource efficiency -- not having to create a process/thread/socket per VRF to have a "presence" in all VRFs. e.g., a VRF any context that allows 1 socket to
> work across VRFs (L3 raw socket, TCP listen socket, unconnected UDP socket). Daemons run a 'vrf any' context; connected clients run a specific vrf context. For
> non-connected sockets VRF context can be passed via cmsg.
> 
> - same IP address on different interfaces in different vrfs. i.e., VRF specific routing and neighbor tables
> 
> - cross VRF routing. ability to receive message on 1 vrf and send it on another. Can be handled by the process itself (e.g., L3 vpns).

We have implemented support for at least most of this (excepting duplicate IPs)
using routing tables, rules, and (optionally, xorp as the router).

It works ok for our purposes (network simulator), but performance is not great because
you end up with a large number of ip rules and they are effectively evaluated linearly
it seems.

A quick way to improve performance in our scenario would be to bind rules to
specific interfaces, so that packets process a smaller number of rules when
they enter an interface, I think...but I have not looked into it closely.


It is hard to show you an example of this without you installing our
software to visualize what we are trying to do, but our software
will work on standard kernels, and we auto-generate a perl script
that sets up all of the rules and such.  You could compare the network
diagram in our GUI with the perl script and I think understand the
basics of what we are doing fairly quickly.  If you want to take a detailed
look, let me know and I'll set you up with a demo license.



Thanks,
Ben


> 
> Thanks,
> David


-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
