OPTE, as the name implies, is an Engine. It does what you say, but more can
be implemented with it depending on your P4 rules and scheme. The same way
IPF has a filter rule engine, OPTE has a transformation engine. I
think the scheme you mentioned is the Microsoft VPC paper they
implemented inside OPTE. Somebody from Oxide would need to chip in with
the details on how well researched this is, though :)
As to performance, XDP is also in the Oxide trees, which may be
independent from OPTE, but I haven't managed to look into its details.
-Till
On 30.09.24 20:52, d wrote:
(oops, my system doesn't respond correctly to list messages)
From what I've learned, Oxide's OPTE system isn't really a replacement
for ipf, although it could provide incredible features and benefits, or
some of the internals may apply.
If I'm understanding Oxide's system correctly, OPTE lets Oxide's bespoke
Intel Tofino hardware, or a software emulator, encapsulate all traffic
destined for a machine in an IPv6 packet. They then route the packet in
their network using IPv6 routing, which seems to provide extremely
efficient routing, or re-directing if necessary when a VM migrates.
I'm a little cloudy on this, but they may have developed a firewall
scheme that will share any firewall processing beyond what the Intel
Tofino can handle between many machines rather than having the
destination machine need to handle all of it.
Finally, the packets that make it through the firewall arrive at an OPTE
thread on each VM, where the packet escapes its encapsulation and is
passed to the system/VM.
The best overview I could quickly find detailing their networking scheme
is here:
https://rfd.shared.oxide.computer/rfd/0021
------------------------------------------
illumos: illumos-discuss
Permalink:
https://illumos.topicbox.com/groups/discuss/T0a8179388427922c-Mbef56ab3ea8aabf5e3a497c4