Re: [sami] A new draft on state migration use cases is submitted.

卓志强(研七 福州) <zhuozq@ruijie.com.cn> Tue, 11 October 2011 06:06 UTC

I have the following documents to get some reference data,
http://people.netfilter.org/kadlec/nftest.pdf

The "filtering rules" are like ACLs. As the numbers increase, the performance of the different software has declined.


-----Original Message-----
From: sami-bounces@ietf.org [mailto:sami-bounces@ietf.org] On Behalf Of Linda Dunbar
Sent: Tuesday, October 11, 2011 4:46 AM
To: 刘茗(研六 福州); Yingjie Gu(yingjie); 'Juergen Schoenwaelder'
Cc: 'A tao'; sami@ietf.org
Subject: Re: [sami] A new draft on state migration use cases is submitted.

Tao, 

That is an interesting description. Can you elaborate a little bit on pros and cons of hypervisor CPU taken by the security vs. the extra processing on switches? 

Linda 

> -----Original Message-----
> From: sami-bounces@ietf.org [mailto:sami-bounces@ietf.org] On Behalf Of
> 刘茗(研六 福州)
> Sent: Monday, October 10, 2011 9:25 AM
> To: Yingjie Gu(yingjie); 'Juergen Schoenwaelder'
> Cc: 'A tao'; sami@ietf.org
> Subject: Re: [sami] A new draft on state migration use cases is
> submitted.
> 
> Dear Yingjie,
> 
> Yes, you got my point. Our customers deploy virtualization in order
> to improve the utilization of hardware resources, especially the CPU. But
> the security policy executed by the hypervisor will consume the CPU
> resource without money back. So if the switches can migrate the
> security policy across the physical machine, it will make more money
> back.
> 
> Oh, I forgot to introduce myself. My name is Ming Liu. I'm a product
> manager from a network product vendor in mainland China and in charge
> of solutions and products for Data Center. Our customers include
> government, universities, ICP and so on.
> 
> -----Original Message-----
> From: Yingjie Gu(yingjie) [mailto:guyingjie@huawei.com]
> Sent: Monday, October 10, 2011 9:25 AM
> To: 'Juergen Schoenwaelder'; 刘茗(研六 福州)
> Cc: 'A tao'; sami@ietf.org
> Subject: Re: [sami] A new draft on state migration use cases is
> submitted.
> 
> Ming, you'd better introduce yourself :)
> 
> My understanding of these words is that, instead of deploying ACLs on
> the Hypervisor and trying to migrate ACLs between Hypervisors, the customer
> would like the ACLs to be deployed on switches and to migrate ACLs between
> switches.
> 
> Is this what you mean, Ming?
> 
> 
> Best Regards
> Gu Yingjie
> 
> -----Original Message-----
> From: sami-bounces@ietf.org [mailto:sami-bounces@ietf.org] On Behalf Of
> Juergen Schoenwaelder
> Sent: October 10, 2011 0:02
> To: 刘茗(研六 福州)
> Cc: A tao; sami@ietf.org
> Subject: Re: [sami] A new draft on state migration use cases is submitted.
> 
> On Sun, Oct 09, 2011 at 01:41:24PM +0000, 刘茗(研六 福州) wrote:
> > One of our customers, the leading online shopping provider in China,
> > has the same requirement. They run VMs on the power x86 machine with
> > KVM hypervisor. For some security reasons, they applied the ACLs
> > through Linux's iptables running on the Hypervisor. But when the VM
> > is floating, the iptables profile cannot be migrated to the other machine.
> > So they hope the switch can replace iptables and can migrate the
> > ACL profiles for the VM when floating.
> 
> The switches really have nothing to do with ACLs sitting in the
> hypervisor. Making the switches responsible for migrating the ACLs
> seems broken to me.
> 
> /js
> 
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
> _______________________________________________
> sami mailing list
> sami@ietf.org
> https://www.ietf.org/mailman/listinfo/sami
> 