At 18:43 12-12-02 -0200, Gustavo Niemeyer wrote:
> One of our customers claims that some guy at the local IBM office told him that he would get additional security benefits if he routed packets through the TCPIP machine, instead of connecting the virtual Linux machine directly to the OSA channel.
If you're talking about OSA with QDIO, then I think there are situations where you want to have a virtual router rather than direct access to the OSA device. The IP address assignment is done with the qeth driver, so anyone with root on that Linux could assign any IP address (or VIPA address) they like. With the older OSA devices through the lcs driver you can have addresses assigned with OSA/SF. Being unable to fix the IP address may be a problem if you want to give root access to your customers. This is not worse than with PC Ethernet cards, but each card would have its own wire and they could plug into some equipment that fixes the IP address. In the case of OSA adapters your Linux images share the same 'wire', so you have no option to do things in a switch.

If you use a virtual router to own the OSA (either Linux or VM TCP/IP), you connect your Linux guests through IUCV so that they cannot tamper with the device. Because a Linux virtual router basically is a system that can do much more than what you want it to do, you may need to be careful to close all doors and windows. The VM TCP/IP stack does not need a 'login' to configure it, so it may be easier to restrict access to it.
There is a limit to the number of systems that can share an OSA Express device, and if you have fairly idle servers you may reach that number before you saturate the Gigabit Ethernet port. QDIO devices get more efficient at higher bandwidth (because buffers get filled better and less handshaking is done). This works out both in CPU time and memory usage. Depending on the shape of network traffic, the savings may be more than the cost of the virtual router.

Rob
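As an added example (not code from Rob's message, IBM, or any VM tool), a small Python audit over a constructed, simplified z/VM USER DIRECT fragment that reports which guests hold the shared OSA's real device addresses directly (and so could set any IP via qeth) versus guests that only have an IUCV path to the TCPIP router. The statement syntax (USER / DEDICATE / IUCV) is simplified, and the device addresses and user names are constructed.

```python
"""Audit a simplified z/VM directory for direct OSA access by guests.

Assumptions (not from the original post): a reduced USER DIRECT syntax
with USER, DEDICATE vdev rdev, and IUCV userid statements; the OSA real
device addresses and user names below are constructed sample values.
"""

# Constructed: real device triplet of the shared OSA Express (QDIO).
OSA_RDEVS = {"0600", "0601", "0602"}

CONSTRUCTED_DIRECTORY = """\
USER TCPIP TCPIP 64M 128M G
DEDICATE 0600 0600
DEDICATE 0601 0601
DEDICATE 0602 0602
USER LINUX1 LNX1PW 512M 1G G
IUCV TCPIP
USER LINUX2 LNX2PW 512M 1G G
DEDICATE 0600 0600
DEDICATE 0601 0601
DEDICATE 0602 0602
"""


def parse_directory(text):
    """Return {userid: {"dedicate": {rdev, ...}, "iucv": {target, ...}}}."""
    entries, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        stmt = parts[0].upper()
        if stmt == "USER":
            current = parts[1].upper()
            entries[current] = {"dedicate": set(), "iucv": set()}
        elif current is None:
            continue  # statement before any USER: ignore
        elif stmt == "DEDICATE" and len(parts) >= 3:
            entries[current]["dedicate"].add(parts[2].upper())  # rdev
        elif stmt == "IUCV" and len(parts) >= 2:
            entries[current]["iucv"].add(parts[1].upper())
    return entries


def find_direct_osa_guests(entries, routers, osa_rdevs=OSA_RDEVS):
    """Guests other than the designated routers that own OSA real devices."""
    return sorted(u for u, e in entries.items()
                  if u not in routers and e["dedicate"] & osa_rdevs)


def find_router_only_guests(entries, routers, osa_rdevs=OSA_RDEVS):
    """Guests reaching the network only via IUCV to a router, no OSA rdevs."""
    return sorted(u for u, e in entries.items()
                  if u not in routers and e["iucv"] & routers
                  and not e["dedicate"] & osa_rdevs)


if __name__ == "__main__":
    d = parse_directory(CONSTRUCTED_DIRECTORY)
    print("direct OSA access:", find_direct_osa_guests(d, {"TCPIP"}))
    print("via TCPIP only:   ", find_router_only_guests(d, {"TCPIP"}))
```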
