
Re: [Xen-devel] [PATCH v3 1/3][xen-netback] add a pseudo pps rate limit



Tuesday, July 9, 2013, 4:01:17 PM, you wrote:

> On Jul09 15:48, Sander Eikelenboom wrote:
>> Just wondering, why should this be done in the drivers ?
>> Couldn't this also be achieved with netfilter and the recent/limit modules ?
>> The limit module can already handle bursts.

> We indeed forgot to talk about it since we already got the question from
> Wei.
> The first thing is that your comment is also true for bandwidth which is
> already present. Moreover PPS is linked to bandwidth.
> By using netfilter, PPS shaping is done on backend level, once packet
> has left the VM; which means after using an additional memory transaction
> to copy packet from frontend. IMHO, at scale, shaping in this way should
> save some memory transactions comparing to netfilter.

OK, so the main usage scenario is not inbound traffic from the outside world
that issues a (D)DoS,
but rather a (malicious) guest that could issue a DoS on the host system by
draining the resources of the netback driver by sending many packets per second.
And that this scenario can't be circumvented with netfilter because it doesn't
come into play yet (on the host).

--
Sander
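A token-bucket packets-per-second gate of the kind the thread discusses, evaluated before the backend copies a packet from the frontend so a dropped packet costs no memory transaction. This is an added illustration in C, not the patch's or xen-netback's code; the struct, the microsecond time base and the simulate helper are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-vif bucket: credit is counted in whole packets. */
struct pps_bucket {
    uint64_t rate;     /* sustained packets per second (must be > 0) */
    uint64_t burst;    /* maximum credit, i.e. the burst the guest may send */
    uint64_t tokens;   /* current credit */
    uint64_t last_us;  /* timestamp up to which credit has been accounted */
};

void pps_init(struct pps_bucket *b, uint64_t rate, uint64_t burst, uint64_t now_us)
{
    b->rate = rate;
    b->burst = burst;
    b->tokens = burst;      /* start full so a quiet guest keeps its burst */
    b->last_us = now_us;
}

/* Convert elapsed time into credit, capped at the burst size. */
static void pps_refill(struct pps_bucket *b, uint64_t now_us)
{
    if (now_us <= b->last_us)
        return;
    uint64_t add = (now_us - b->last_us) * b->rate / 1000000ULL;
    if (add == 0)
        return;                          /* not a full packet's worth yet */
    if (b->tokens + add >= b->burst) {
        b->tokens = b->burst;            /* bucket full: discard surplus time */
        b->last_us = now_us;
    } else {
        b->tokens += add;                /* keep the unconverted remainder */
        b->last_us += add * 1000000ULL / b->rate;
    }
}

/* Gate called before the grant copy: 1 = process packet, 0 = drop it now. */
int pps_allow(struct pps_bucket *b, uint64_t now_us)
{
    pps_refill(b, now_us);
    if (b->tokens == 0)
        return 0;
    b->tokens--;
    return 1;
}

/* Constructed load: 'count' packets spaced 'gap_us' apart; returns how many
 * were dropped, i.e. copies from the frontend that were avoided. */
uint64_t pps_simulate(struct pps_bucket *b, uint64_t start_us, uint64_t count, uint64_t gap_us)
{
    uint64_t dropped = 0;
    for (uint64_t i = 0; i < count; i++)
        if (!pps_allow(b, start_us + i * gap_us))
            dropped++;
    return dropped;
}
```

With a limit of 1000 pps and a burst of 10, a guest blasting 100 packets in one millisecond gets 10 through and the other 90 are dropped before any copy; the same guest sending at 1000 pps afterwards is not throttled.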



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
