Network stack cloning / virtualization patches
zec at tel.fer.hr
Mon May 26 09:45:12 PDT 2003
Vincent Jardin wrote:
> Since the last EuroBSD 2002 conference, there are 2 architectures to support
> VPNs with FreeBSD : your patch and the Riccardo Scandariato one
> (http://softeng.polito.it/freebsd/) that is very good too.
> From a VPN point of view, how could both projects be compared ?
> Do you think that both projects could be merged or are there too much
> differences between your two projects ?
Riccardo's VPN patches were designed specifically for supporting VPNs by
basically virtualizing only the IP routing tables. The network stack cloning
model is more generic, as it doesn't stop at the virtualization of the routing
tables, but rather also provides multiple independent network interface lists,
inbound queues, hash & PCB tables, IPFW rulesets, sysctl tunables, traffic
counters / statistics etc. But the basic implementation idea and the motivation
is quite similar for both frameworks, and they can both support IP-tunnel based
overlay VPNs with overlapping addresing spaces.
>From the userland API perspective the two approaches are slightly different.
Riccardo's patches extended the socket API, so that the applications which
require to operate on virtualized routing tables have also to be modified and
recompiled. My model provides a single management utility which can be used to
spawn new processes bound to a specific network stack instance. Once the
processes are assigned to a network stack, all existing userland applications
and utilities can operate on that stack without any modifications. Although the
described two approaches might seem to follow fundamentally different ideas, IMO
both frameworks could be easily modified to adopt the userland API convention of
the other, if necessary.
More information about the freebsd-net