
Meeting Notes, 2022 07 21

Taras Chornyi edited this page Aug 4, 2022 · 1 revision

DENT Roadmap and Feature Working Group
===

2022 July 21

Attendees

  • Taras Chornyi (PLVision; switchdev developer)
  • Mickey Rachamim (Marvell)
  • Jon Polom (Department of Defense; research engineer)
  • Robert Marko (Sartura; kernel devel)
  • Luka Perkov (Sartura; principal)
  • Jakov Petrina (Sartura; build system)
  • Pavo Banicevic (Sartura)
  • Kishore Atreya (Marvell PLM)
  • Steve Noble (Amazon; DENT TSC lead)
  • Sandeep Nagaraja (Amazon; lead engineer)
  • Vincent Tong (Amazon)
  • Carl Roth (Amazon)
  • Taskin Ucpinar (Amazon)
  • Sridhar Rao (LF)
  • Dean Lee (Keysight)
  • Elad Nachman (Marvell)
  • Liao Lawrence (Delta)

Agenda

  • C-Release feature status

       - Network Access Control: 802.1x
          - 802.1x authenticator and userspace tools
          - Status: we have an owner (Sartura). Do we have a test plan and a commitment to write test cases?

       - STP/RSTP (per-VLAN STP state)
          - Status: owner: NA

       - IGMP Snooping
          - Status: owner: NA (the Marvell driver will support it)

       - IPv6 parity with IPv4
          - Status: owner: NA (static IPv6 routing offload support from Marvell planned)

       - Port Security
          - Status: owner: NA

       - QoS mapping
          - Status: owner: NA (the Marvell Prestera switchdev driver will support QoS as part of the DENT 3.0 release)

       - WireGuard application
          - Status: owner: NA

       - Port Isolation
          - Status: owner: NA (The Prestera driver in the dentOS kernel has port isolation support. This is a global setting per bridge, not per VLAN. Developing and offloading private VLAN would be challenging. Port isolation does not appear to have any support in mlxsw for Spectrum.)
    

https://github.com/bisdn/meta-open-network-linux (still supported)

Build system slides - done

  • Vendor switchdev feature support for C-release

    • Support for offloading the locked bridge port flag (BR_PORT_LOCKED upstream; dataplane support from Marvell planned)
      • do we need to backport the kernel support to 5.15?
        • it is better to stay with 5.15.
        • if there is someone to backport it, we are OK.
    • IGMP snooping (dataplane support from Marvell planned)
    • Static IPv6 routing (offloading support from Marvell planned)
  • 802.1x

    • Sartura update:
      • Documentation for the Replica platform to be released in the next few weeks
      • Implementation is for Replica only, based on hostapd; the VLAN approach is used
      • Sartura will look at integrating it into dentOS, to be done after the Replica work is finished
    • Need FDB locking support (available starting from Linux kernel 5.18).
      • Do we need to backport it to 5.15, or move dentOS to 5.18?
  • C-Release feature list

    • Interface configuration management (will we have contribution from DoD?)

    • priority should be to provide verified options with documentation:

      • networkd
      • ifupdown2
    • Security

      • 802.1x
        • authenticator for wired connectivity
        • MAC Authentication Bypass (MAB)
        • EAP-TLS
        • RADIUS-assigned VLANs
      • RADIUS
        • "RadSec" (RADIUS over TLS) tunnel
      • STP security
        • BPDU guard (guard on or guard off)
        • the kernel does support per-VLAN STP, but only in a limited way (RSTP only)
          • need to propose extending the kernel to address this shortcoming
        • need configuration documentation for networkd and ifupdown2
    • DHCP snooping, relay or forwarding

      • Need a tc rule developed to trap/block DHCP server responses and offers
      • These rules must be set on certain ports (unauthorized ports) and not on others (authorized ports)
      • DHCP relay
      • Forward DHCP requests to RADIUS
      • Potential upstream projects to add features to:
        • systemd
        • ISC DHCPD
    • IGMP snooping (dataplane support from Marvell planned)

      • Needs multicast querier support as well
      • Need a use case contributed (DoD will supply)
    • IPv6

      • Static IPv6 routing offloading support from Marvell planned
      • Router Advertisement (RA) guard
      • MLD snooping?
    • sFlow

      • port statistics reporting
    • WireGuard

  • Offer a Replica-based "alternate" release flavor

  • Begin moving dentOS to Replica for the build system (do we have an owner and a decision for this?)

  • Additional community feature release built with Replica and an in-kernel BSP (no ONL) for supported hardware

  • TC persistence

    • Amazon developed a persistence tool
    • iptables does not work with switchdev -- use tc for ACLs
    • tc flower rules are used for ACLs, mimicking iptables rules
    • raw tc rules are supported but are not the main interface
    • works like iptables-save/iptables-restore: a saved rule file, not a persistent daemon
    • tc rules get accelerated by the switch ASIC
    • there are somewhat vendor-specific idioms for adding tc rules
    • the ASIC supports a finite number of rules, and tc rule usage does not map 1:1 onto hardware entries
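Added example, written for these notes and not the Amazon persistence tool under review nor any DENT code: a POSIX shell sketch of the two items above that share the tc flower machinery, the DHCP-blocking rules for unauthorized ports and a save/restore pair that keeps them in a `tc -batch` file in the iptables-save/iptables-restore style. Port names (`swp1`, `swp2`) and the file path are assumptions. The DHCPv6 and Router Advertisement rules are the IPv6 counterparts of the DHCPv4 rule the notes ask for and go beyond what the notes list.

```shell
#!/bin/sh
# Added example, not the DENT project's or Amazon's tool. Assumes
# switchdev ports named swp<N> and that iproute2 "tc" is installed.
set -eu

# tc filter lines (batch syntax, no leading "tc") that drop what an
# unauthorized port must never inject into the bridge:
#   DHCPv4 server->client traffic   (UDP 67 -> 68)
#   DHCPv6 server->client traffic   (UDP 547 -> 546)
#   IPv6 Router Advertisements      (ICMPv6 type 134, RA guard)
# Authorized/uplink ports get none of these rules.
dhcp_guard_rules() {
    port=$1
    cat <<EOF
filter add dev $port ingress protocol ip flower ip_proto udp src_port 67 dst_port 68 action drop
filter add dev $port ingress protocol ipv6 flower ip_proto udp src_port 547 dst_port 546 action drop
filter add dev $port ingress protocol ipv6 flower ip_proto icmpv6 type 134 action drop
EOF
}

# "iptables-save" half: write one batch file covering every unauthorized
# port. The file is what persists across reboots; there is no daemon.
save_guard_rules() {
    file=$1
    shift
    : > "$file"
    for port in "$@"; do
        # clsact gives the port an ingress hook; "replace" is idempotent
        printf 'qdisc replace dev %s clsact\n' "$port" >> "$file"
        dhcp_guard_rules "$port" >> "$file"
    done
}

# "iptables-restore" half: flush existing ingress filters on the ports
# named in the file, then replay the file with tc -batch (which stops at
# the first failing line unless -force is given).
restore_guard_rules() {
    file=$1
    for port in $(awk '/^qdisc replace dev/ { print $4 }' "$file"); do
        tc filter del dev "$port" ingress 2>/dev/null || true
    done
    tc -batch "$file"
}

# Usage: ./dhcp-guard.sh save /etc/dent/dhcp-guard.tc swp1 swp2
#        ./dhcp-guard.sh restore /etc/dent/dhcp-guard.tc
case "${1:-}" in
    save)    shift; save_guard_rules "$@" ;;
    restore) restore_guard_rules "$2" ;;
esac
```

Two caveats a practitioner would check. First, these are upstream flower matches, not a verified offload set for Prestera or Spectrum: add `skip_sw` to a filter if you want the add to fail rather than silently fall back to software when the ASIC cannot offload the match, and read `in_hw` / `not_in_hw` in `tc -s filter show dev swp1 ingress` after a restore. Second, VLAN-tagged ingress is not matched by `protocol ip`; each rule needs a `protocol 802.1Q ... vlan_ethtype ip` (or `ipv6`) variant as well. On a kernel with the locked bridge port flag, the same unauthorized-port list is where `bridge link set dev swp1 locked on` would be applied.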

Actions

  • Need to develop specifications for the 802.1x driver portion
  • Amazon will provide source for the TC persistence tool for review by working group members
  • Get updates from Sartura about the 802.1x implementation
  • Need to get info from Marvell/NVIDIA about the IPv6 features supported
  • Need to fix an APT problem (the current build is broken).