2003-07-14 18:59:28

by David griego

Subject: Re: Alan Shih: "TCP IP Offloading Interface"

How does one measure the reliability and security of current software TCP/IP
stacks? Some standard set of tests would have to be identified and the TOEs
would need to be tested against this to ensure that they meet some minimum
standard. I would suggest offloading the minimum amount from the OS so that
most of the control could be maintained by the OS stack. This also would
make failover/routing changes between TOE-TOE, and TOE-NIC easier. Current
offloads such as checksum and segmentation will not be enough for 10GbE
processing, so it would have to be something more than we have today.
David


>From: Jeff Garzik <[email protected]>
>To: David griego <[email protected]>
>CC: [email protected], [email protected]
>Subject: Re: Alan Shih: "TCP IP Offloading Interface"
>Date: Mon, 14 Jul 2003 15:02:35 -0400
>
>David griego wrote:
>>IMHO, there are several cases for some type of TCP/IP offload. One is for
>>embedded systems that are just not capable of doing 1Gbps+. Another is
>>with 10GbE, even high end servers will not be able to keep up with TCP
>>processing/data movement at these speeds. Not being proactive in adopting
>>TCP/IP offload will force Linux into accepting some scheme that will not
>>necessarily be best.
>
>
>How does one evaluate a TOE stack to be sure that all the security fixes in
>Linux are also in that stack?
>
>How does one evaluate a TOE stack to be sure it doesn't add new security
>holes that Linux never had?
>
> Jeff
>
>
>



2003-07-14 19:12:14

by Jeff Garzik

Subject: Re: Alan Shih: "TCP IP Offloading Interface"

David griego wrote:
> How does one measure the reliability and security of current software
> TCP/IP stacks? Some standard set of tests would have to be identified
> and the TOEs would need to be tested against this to ensure that they
> meet some minimum standard. I would suggest offloading the minimum
> amount from the OS so that most of the control could be maintained by the
> OS stack. This also would make failover/routing changes between
> TOE-TOE, and TOE-NIC easier.

Anything beyond basic host-only TOE adds massive complexity for very
little gain: interfacing netfilter and routing code with a black box we
_hope_ will act properly sounds like suicide.


> Current offloads such as checksum and
> segmentation will not be enough for 10GbE processing, so it would have
> to be something more than we have today.

All this is vague handwaving without supporting evidence. So far we get
stuff like Internet2 speed records _without_ TOE. And Linux currently
supports 10gige... and hosts are just going to keep getting faster and
faster.

Jeff



2003-07-14 19:36:29

by Alan

Subject: Re: Alan Shih: "TCP IP Offloading Interface"

On Llu, 2003-07-14 at 20:14, David griego wrote:
> How does one measure the reliability and security of current software TCP/IP
> stacks?

You stick them on irc servers, porn sites and unpopular news sites and
wait. Alternatively you can use the fact you have the source to do
formal verifications on them looking for everything from bugs to NSA
backdoors to the IPSEC. People have been doing both.




2003-07-15 12:41:33

by Jesse Pollard

Subject: Re: Alan Shih: "TCP IP Offloading Interface"

On Monday 14 July 2003 14:26, Jeff Garzik wrote:
> David griego wrote:
> > How does one measure the reliability and security of current software
> > TCP/IP stacks? Some standard set of tests would have to be identified
> > and the TOEs would need to be tested against this to ensure that they
> > meet some minimum standard. I would suggest offloading the minimum
> > amount from the OS so that most of the control could be maintained by the
> > OS stack. This also would make failover/routing changes between
> > TOE-TOE, and TOE-NIC easier.
>
> Anything beyond basic host-only TOE adds massive complexity for very
> little gain: interfacing netfilter and routing code with a black box we
> _hope_ will act properly sounds like suicide.
>
> > Current offloads such as checksum and
> > segmentation will not be enough for 10GbE processing, so it would have
> > to be something more than we have today.
>
> All this is vague handwaving without supporting evidence. So far we get
> stuff like Internet2 speed records _without_ TOE. And Linux currently
> supports 10gige... and hosts are just going to keep getting faster and
> faster.
>
> Jeff

Not to mention the problems IPSec would have with such a device.