James Carlson wrote:
> ...
> djr-02 Given djr-01 and the integration of crossbow to provide MAC
> layer classification and resource controls, is it possible to leverage
> crossbow to protect the system from abuse referred to in (1)(a)?
> If not immediately, is there scope for this as a future project?
>
> Reply: Crossbow currently identifies flows in MAC clients, such as
> VNICs. It doesn't work down at the IEEE 802.1 level where
> bridging takes place.

So it isn't possible to use Crossbow's interfaces to put STP packets into a separate rx/tx ring pair, or to otherwise use Crossbow to partition rx/tx rings up for preferential treatment of specific Ethernet addresses on either side of a bridge? And thus, if we can do that, then it seems to me like we should be able to specify what sort of bandwidth allocation/guarantees those rings get... Or is this RFE material?

> djr-03 From bridge-spec.txt, (2.1), the requirement to use individual
> network links to observe packets being sent does not fit with
> what I would expect as a user. Needing to sniff the individual
> network connections seems somewhat onerous (a snoop per link
> in the bridge is required) and presupposes that the "user" knows
> which interface they need to look on for the packet(s) they're
> trying to observe.
>
> Reply: You can snoop either individual links (if you want to see
> what's going on with that link) or using the special bridge
> observability node described in the section you reference.
> The latter provides a copy of *all* traffic transiting the
> bridge and doesn't require you to snoop individual links. You
> see everything.
>
> On Solaris today, you already *do* have to pick a link on
> which you want to snoop, so there's no change in that respect.
> We're adding observability, not taking any away.

The distinction I'm keen to make is observing received packets vs. sent packets. This is the paragraph that I'm referring to:

"To see the packets transmitted and received on a particular link (after the bridging process is complete), snoop on the individual links rather than the bridge observability node."

What I'm not sure about is whether "handled by the bridge" in the other paragraphs in this section refers to packets that are both sent and received, just received, or something else.

This, in concert with promiscuous mode being required with snoop to get sent packets with DLPI, has me asking for this to be more clear, especially considering this sentence:

"The packets delivered will represent the data received by the bridge."

I think this section needs to make it clear whether snoop or the observability devices will present:

1) traffic that is received by the bridge
2) traffic that is transmitted by the bridge (both STP + data)
3) traffic that is accepted/forwarded by the bridge

i.e. if I'm snoop'ing bridge0 and a packet comes in bge0 and the bridge sends it out bge1, will I see it once with snoop, or twice, or...?

Darren
