Linux Bridging: Teaching an old dog new tricks

Overview of upcoming features in Linux bridge



  1. Linux Bridging: Teaching an Old Dog New Tricks
     Stephen Hemminger <shemminger@vyatta.com>
  2. Topics
     ● Background
     ● Tunneling
     ● Security
     ● Status
  3. Bridge History (timeline figure, 1985 to 2012: Ethernet bridging invented, IEEE 802.1d (1998 and 2004 editions), Linux bridge, RSTP, MSTP (802.1s), IGMP snooping, SPB (802.1aq))
  4. Bridge Forwarding (flowchart: Multicast? → IGMP table; Destination? → forwarding table, otherwise flood; → output)
  5. Spanning Tree Protocol (diagram: root and leaf bridges exchanging BPDUs; disabled and edge ports)
  6. Tunnels (diagram: VXLAN1 and VXLAN2 tunnels between Bridge1 and Bridge2, carrying guests A, B, C and D)
  7. Cloud Tunneling Protocols
     ● VXLAN – Arista, Broadcom, Cisco, VMware, Red Hat
     ● NVGRE – Microsoft, Intel, Dell, Broadcom, Emulex
     ● STT – Nicira
  8. API flavors
     ● Ioctl – compatibility; non-extensible
     ● Sysfs – text based
     ● Netlink – notifications; TLV format
  9. Hw offload
     ● Common netlink API – forwarding table; monitoring
  10. Security
     ● BPDU guard
     ● BPDU filter
     ● Root port protect
     ● Port locking
  11. STP Security Issues (diagram: two core bridges, an edge bridge and a guest VM)
  12. BPDU Filter (diagram: core bridge port facing an untrusted host; BPDUs blocked, neither sent nor received)
  13. BPDU Guard (diagram: core bridge receives a rogue BPDU from an untrusted host/bridge; link disabled)
  14. Root Port Protect (diagram: core bridge port facing a semi-trusted host/bridge; BPDU allowed if priority < root)
  15. Port lock (diagram: core bridge port facing an untrusted guest; source address must match)
  16. Spanning Tree
     ● Current – kernel: 802.1d (1998); userspace: RSTP daemon
     ● Goal – kernel: 802.1d/802.1s; userspace: SPB or TRILL?
  17. Status
     ● VXLAN – 3.7
     ● Security – 3.8?
     ● STP update – 3.9??
  18. Bridge vs Openvswitch
     ● Ethernet Bridge – plug and play; firewall rules; integrated
     ● Openvswitch – table driven; flexible; management agent
  19. Thank you
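The four port protections on slides 12 to 15 (BPDU filter, BPDU guard, root port protect and port lock) come down to a small per-port decision taken on every received frame. The Python model below is an added example, not code from the deck or from the Linux bridge: it parses IEEE 802.1D configuration and TCN BPDUs out of their LLC framing and applies each protection to constructed sample frames. The verdict strings, the `Mode`, `Port` and `Bridge` names, and the reading of "allowed if priority < root" as "a BPDU that advertises a better (numerically lower) root bridge ID is dropped on a root-protected port" are this example's own assumptions.

```python
import struct
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# LLC header that carries IEEE 802.1D BPDUs: DSAP 0x42, SSAP 0x42, UI control field 0x03
LLC_STP = b"\x42\x42\x03"
BPDU_TYPE_CONFIG = 0x00
BPDU_TYPE_TCN = 0x80
CONFIG_BPDU_LEN = 35  # protocol id .. forward delay, as laid out in 802.1D


def bridge_id(priority: int, mac: str) -> bytes:
    """8-byte 802.1D bridge identifier: 2-byte priority then the bridge MAC (lower value wins)."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))


def build_config_bpdu(root: bytes, root_cost: int, sender: bytes, port_id: int = 0x8001) -> bytes:
    """Encode an LLC-framed configuration BPDU; used here only to construct sample frames."""
    # protocol id 0, version 0 (classic STP), type, flags, ids, then timers in 1/256 s units
    body = struct.pack("!HBBB8sI8sHHHHH", 0, 0, BPDU_TYPE_CONFIG, 0, root, root_cost,
                       sender, port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    assert len(body) == CONFIG_BPDU_LEN
    return LLC_STP + body


@dataclass
class Bpdu:
    bpdu_type: int
    root: bytes = b""
    root_cost: int = 0
    sender: bytes = b""


def parse_bpdu(payload: bytes) -> Optional[Bpdu]:
    """Return the BPDU in an Ethernet payload, None for a data frame, ValueError if malformed."""
    if not payload.startswith(LLC_STP):
        return None  # not an STP LLC frame: ordinary data
    if len(payload) < 7:
        raise ValueError("truncated BPDU header")
    proto, _version, bpdu_type = struct.unpack("!HBB", payload[3:7])
    if proto != 0:
        raise ValueError("unexpected protocol identifier in BPDU")
    if bpdu_type == BPDU_TYPE_TCN:
        return Bpdu(BPDU_TYPE_TCN)
    if bpdu_type != BPDU_TYPE_CONFIG or len(payload) < 3 + CONFIG_BPDU_LEN:
        raise ValueError("unknown BPDU type or truncated configuration BPDU")
    _flags, root, cost, sender = struct.unpack("!B8sI8s", payload[7:28])
    return Bpdu(BPDU_TYPE_CONFIG, root, cost, sender)


class Mode(Enum):
    NORMAL = "normal"          # ordinary STP participant
    BPDU_FILTER = "filter"     # slide 12: BPDUs are neither sent nor received on the port
    BPDU_GUARD = "guard"       # slide 13: any received BPDU disables the link
    ROOT_BLOCK = "root_block"  # slide 14: BPDUs accepted unless they claim a better root


@dataclass
class Port:
    name: str
    mode: Mode = Mode.NORMAL
    locked_mac: Optional[str] = None  # slide 15: only frames from this source address pass
    disabled: bool = False


class Bridge:
    """Minimal core bridge that tracks which bridge it currently believes is the STP root."""

    def __init__(self, own_id: bytes):
        self.own_id = own_id
        self.root = own_id  # until a better root is heard, the bridge is its own root

    def receive(self, port: Port, src_mac: str, payload: bytes) -> str:
        """Apply the per-port protections to one frame and return the verdict."""
        if port.disabled:
            return "drop:port-disabled"
        if port.locked_mac is not None and src_mac.lower() != port.locked_mac.lower():
            return "drop:locked-port-mac-mismatch"
        try:
            bpdu = parse_bpdu(payload)
        except ValueError:
            return "drop:malformed-bpdu"
        if bpdu is None:
            return "forward"  # data frame: goes on to the forwarding table / flood path
        if port.mode is Mode.BPDU_FILTER:
            return "drop:bpdu-filtered"
        if port.mode is Mode.BPDU_GUARD:
            port.disabled = True  # stays down until an operator re-enables the port
            return "drop:bpdu-guard-disabled-port"
        if bpdu.bpdu_type == BPDU_TYPE_TCN:
            return "accept:tcn"
        superior = bpdu.root < self.root  # byte-wise compare: lower ID wins the election
        if port.mode is Mode.ROOT_BLOCK and superior:
            return "drop:root-block"  # this port is not allowed to become the root port
        if superior:
            self.root = bpdu.root
        return "accept:config"


if __name__ == "__main__":
    # constructed sample: a rogue bridge on a guest port claiming priority 0
    core = Bridge(bridge_id(4096, "00:00:00:00:00:01"))
    rogue_id = bridge_id(0, "de:ad:be:ef:00:01")
    rogue = build_config_bpdu(rogue_id, 0, rogue_id)
    for port in (Port("guest-guard", Mode.BPDU_GUARD), Port("guest-rootblock", Mode.ROOT_BLOCK)):
        print(port.name, core.receive(port, "de:ad:be:ef:00:01", rogue), "root:", core.root.hex())
```

On a real Linux bridge the corresponding per-port knobs in bridge(8) are `guard on` (BPDU guard), `root_block on` (root port protect) and, on recent kernels, `locked on` (port locking); the kernel takes these decisions itself, the model above only makes them visible so the four behaviours can be compared on the same frames.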
