At 18:43 12-12-02 -0200, Gustavo Niemeyer wrote:

> One of our customers claims that some guy at the local IBM office told
> him that he would get additional security benefits if he routed packets
> through the TCPIP machine, instead of connecting the virtual Linux
> machine directly to the OSA channel.

If you're talking about OSA with QDIO, then I think there are situations
where you want to have a virtual router rather than direct access to the
OSA device. The IP address assignment is done with the qeth driver, so
anyone with root on that Linux could assign any IP address (or VIPA
address) they like. With the older OSA devices through the lcs driver you
can have addresses assigned with OSA/SF. Being unable to fix the IP address
may be a problem if you want to give root access to your customers.
This is not worse than with PC Ethernet cards, but each card would have its
own wire and they could plug into some equipment that fixes the IP address.
In the case of OSA adapters your Linux images share the same 'wire' so you
have no option to do things in a switch.

If you use a virtual router to own the OSA (either Linux or VM TCP/IP) you
connect your Linux guests through IUCV so that they can not tamper with the
device. Because a Linux virtual router basically is a system that can do
much more than what you want it to do, you may need to be careful to close
all doors and windows. The VM TCP/IP stack does not need a 'login' to
configure it, so it may be easier to restrict access to it.

There is a limit to the number of systems that can share an OSA Express
device, and if you have fairly idle servers you may reach that number
before you saturate the Gigabit Ethernet port.

QDIO devices get more efficient at higher bandwidth (because buffers get
filled better and less handshaking is done). This works out both in CPU
time and memory usage. Depending on the shape of network traffic, the
savings may be more than the cost of the virtual router.
Rob
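As an added illustration (not part of the thread and not VM TCP/IP or qeth code), the following Python models the policy a virtual router can enforce once it owns the OSA and the Linux guests reach it only over IUCV links: a packet is forwarded to the shared port only if its source address is one the router assigned to that guest's link, so root on a guest can put any address on its own interface but cannot get the router to carry it. The link names, address assignments and sample packets are constructed for the demonstration.

```python
# Added example, not code from the thread: a small model of the source-address
# policy a virtual router (VM TCP/IP or a locked-down Linux guest) can enforce
# when it owns the OSA and the Linux guests attach to it over IUCV links.
# Link names, addresses and packets below are constructed for the demo.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    link: str   # IUCV link the packet arrived on (identifies the guest)
    src: str    # source IP address the guest put on the packet
    dst: str    # destination IP address


class VirtualRouter:
    """Forward guest traffic to the shared OSA only when the source address
    matches what the router assigned to the guest's IUCV link."""

    def __init__(self, assignments):
        # link name -> set of addresses (including any VIPA) that guest may use
        self.assignments = {
            link: {ipaddress.ip_address(a) for a in addrs}
            for link, addrs in assignments.items()
        }

    def decide(self, pkt):
        """Return (forward, reason) for one packet received from a guest."""
        allowed = self.assignments.get(pkt.link)
        if allowed is None:
            return False, "unknown link"
        try:
            src = ipaddress.ip_address(pkt.src)
        except ValueError:
            return False, "malformed source address"
        if src not in allowed:
            # The guest can configure this address locally, but the router
            # never puts it on the wire, which is the benefit over direct
            # qeth attachment where no such check point exists.
            return False, f"source {pkt.src} not assigned to {pkt.link}"
        return True, "forward"

    def process(self, packets):
        """Split a batch into (forwarded, dropped) lists of (packet, reason)."""
        forwarded, dropped = [], []
        for pkt in packets:
            ok, reason = self.decide(pkt)
            (forwarded if ok else dropped).append((pkt, reason))
        return forwarded, dropped


# Constructed assignments: guest A has one address, guest B also has a VIPA.
ROUTER = VirtualRouter({
    "LNXA": ["10.1.1.11"],
    "LNXB": ["10.1.1.12", "10.1.9.12"],
})

# Constructed sample traffic, including a guest claiming another guest's address.
SAMPLE = [
    Packet("LNXA", "10.1.1.11", "10.1.1.1"),   # legitimate
    Packet("LNXB", "10.1.9.12", "10.1.1.1"),   # legitimate, uses its VIPA
    Packet("LNXA", "10.1.1.12", "10.1.1.1"),   # A claims B's address: dropped
    Packet("LNXC", "10.1.1.13", "10.1.1.1"),   # no such IUCV link: dropped
]


def run_sample():
    """Return (number forwarded, list of drop reasons) for the sample batch."""
    forwarded, dropped = ROUTER.process(SAMPLE)
    return len(forwarded), [reason for _, reason in dropped]


if __name__ == "__main__":
    fwd, drops = run_sample()
    print(f"forwarded={fwd}")
    for r in drops:
        print("dropped:", r)
```

The same check could not be made on a guest that drives the OSA directly through qeth, because the guest itself decides which addresses it sources; the router model moves that decision to a component the guest's root user does not control.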