zhengda wrote:
Hi,
Here are my current problems:
1. How many pfinet servers are allowed to connect to one hypervisor?
If only one pfinet server is allowed to connect to one hypervisor,
hypervisors must communicate with each other to route packets sent
by pfinet servers.
If several pfinet servers are allowed to connect to the same
hypervisor, a hypervisor can route packets inside itself. If so,
does the hypervisor only route the packet among pfinet servers
that connect to the hypervisor?
If several pfinet servers are allowed to connect to the same
hypervisor, it's better for the hypervisor to create multiple
virtual network interfaces and each pfinet server can attach to
one interface. Maybe it can help to route packets among pfinet
servers.
2. Who can run the hypervisor and who can create the network interface?
The hypervisor should be able to access the real network
interface. I think only the privileged user can run it.
Who can create the network interface depends on Problem 1.
3. How does the routing work?
It can always work if the packet is broadcast to any pfinet
servers that connect to the hypervisor. Then pfinet servers can
filter packets in the IP layer.
But it cannot give good performance, and there may be a security
problem: every user can see others' packets.
If no broadcasting, it's really difficult to do the routing.
The main reason is that IP isn't bound to the network interface
directly, and it's set in the pfinet server.
The hypervisor has no way to know which pfinet server has which IP
unless another function is provided for the pfinet to tell the
hypervisor what is its current IP.
4. How does the hypervisor guard the network traffic and filter
illegal packets?
It will be much work if the hypervisor understands all packets.
Best,
Zheng Da
Hi,
I'm thinking about the packet routing in the hypervisor.
I suppose a hypervisor can have several virtual network interfaces at the
same time.
1. One solution is that the hypervisor broadcasts a packet to every
pfinet server, as I said before.
2. The hypervisor can always track which packet is from which virtual
network interface.
and a table can be built to record which interface has what IP.
It sends a packet to the interface that owns the destination IP.
The first solution can be seen as a hub, and the second one as a switch.
I don't like the second one. It's too complex, and there is no reason to
make the hypervisor so complex.
An acceptable solution (at least for me) can be:
when a virtual network interface is created, a network address must be
bound with it,
so the hypervisor can know where to send the packet.
We can think of the network address as telling which network the interface
connects to.
The user should also tell the hypervisor what is the network address of
the external network,
so the hypervisor can know when to send the packet to the external network.
It's reasonable to do that because the real network interface also
connects to the network with a fixed network address.
We can suppose that the interfaces bound with the same network address
are in the same sub-net.
Anyway, my current implementation can be that
there is only one interface in the hypervisor,
and all pfinet servers connect to the same interface,
so every server should get one copy.
Best,
Zheng Da
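The "acceptable solution" above (each virtual interface bound to a network address, the external network address known to the hypervisor), worked through as an added example that is not Zheng Da's code nor the Hurd's own hypervisor: a frame is delivered only to the one interface whose bound network matches its destination, so no pfinet server sees another's traffic, and a frame whose source address lies outside the sending interface's own network is dropped, which is one cheap answer to problem 4 without the hypervisor understanding every protocol. The interface table, the /8 external network and the /24 per-pfinet networks are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the design sketched above (not the real
 * hypervisor code): each virtual interface is bound to a network
 * address and mask; index 0 stands for the real (external) interface. */
#define ETH_HLEN 14
#define IPV4_HLEN 20
#define ETHERTYPE_IP 0x0800
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

struct vif { uint32_t net, mask; };
static const struct vif table[] = {             /* constructed sample table */
    { IP4(10, 0, 0, 0),    IP4(255, 0, 0, 0) },     /* 0: external net */
    { IP4(192, 168, 1, 0), IP4(255, 255, 255, 0) }, /* 1: pfinet A     */
    { IP4(192, 168, 2, 0), IP4(255, 255, 255, 0) }, /* 2: pfinet B     */
};
#define NIF ((int)(sizeof table / sizeof table[0]))

static uint32_t rd32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; }
static void wr32(uint8_t *p, uint32_t v)
{ p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* Pick the interface that receives a frame arriving on `from`.
 * Returns its index, or -1 when the frame must be dropped. */
int route_frame(int from, const uint8_t *frame, size_t len)
{
    if (from < 0 || from >= NIF || len < ETH_HLEN + IPV4_HLEN) return -1;
    if (((frame[12] << 8) | frame[13]) != ETHERTYPE_IP) return -1;
    uint32_t src = rd32(frame + ETH_HLEN + 12);
    uint32_t dst = rd32(frame + ETH_HLEN + 16);
    /* Ingress check: a pfinet may only send from the network bound to
     * its own interface, so one server cannot impersonate another. */
    if (from != 0 && (src & table[from].mask) != table[from].net) return -1;
    for (int i = 1; i < NIF; i++)           /* switch, not hub: one target */
        if ((dst & table[i].mask) == table[i].net) return i;
    return from != 0 ? 0 : -1;              /* unknown net: outbound only */
}

/* Build a minimal constructed Ethernet/IPv4 frame and route it. */
int route_between(int from, uint32_t src, uint32_t dst)
{
    uint8_t frame[ETH_HLEN + IPV4_HLEN] = {0};
    frame[12] = ETHERTYPE_IP >> 8; frame[13] = ETHERTYPE_IP & 0xff;
    frame[ETH_HLEN] = 0x45;                 /* version 4, IHL 5 */
    wr32(frame + ETH_HLEN + 12, src);
    wr32(frame + ETH_HLEN + 16, dst);
    return route_frame(from, frame, sizeof frame);
}
```

Inbound frames from the external interface that match no bound network are dropped rather than flooded, which is exactly the "hub" behaviour the first solution would have produced.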