From: Joel Wirāmu Pauling
Date: Fri, 5 Jan 2018 10:57:40 +1300
To: Dave Taht
Cc: Jonathan Morton, cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches than x86?
List-Id: Development issues regarding the cerowrt test router project

Yup - and I know of more than one SDN ISP that is using Lede as their CPE VNF - straight off the x86 build servers.

Whilst it's more a Hyper-visor mitigation there are certainly things a guest can do to improve the situation.

But yes we should look at both cases in detail.

On 5 January 2018 at 10:54, Dave Taht wrote:

> On Thu, Jan 4, 2018 at 1:52 PM, Joel Wirāmu Pauling wrote:
> > Well as I've argued before Lede ideally should be using to Kernel Namespaces
> > (poor man's containers) for at a minimum the firewall and per-interface
> > routing instances.
>
> Enough stuff landed in the last kernel for me to finally consider that
> feasible.
>
> > The stuff I am running at home is mostly on cheap Atom board, so it's a
> > matter of squeezing out unneeded cruft on the platform. Also I don't want to
> > be admining centos/rhel servers at home.
>
> OK, so currently shipped gear is a big unknown then.
>
> > On 5 January 2018 at 10:47, Dave Taht wrote:
> >>
> >> On Thu, Jan 4, 2018 at 1:44 PM, Joel Wirāmu Pauling wrote:
> >> >
> >> > On 5 January 2018 at 01:09, Jonathan Morton wrote:
> >> >>
> >> >> I don't think we need to worry about it too much in a router context.
> >> >> Virtual server folks, OTOH...
> >> >>
> >> >> - Jonathan Morton
> >> >>
> >> > Disagree - The Router is pretty much synonymous with NFV; I run my lede
> >> > instances at home on hypervisors - and this is definitely the norm in
> >> > Datacentres now. We need to work through this quite carefully.
> >>
> >> Yes, the NFV case is serious and what I concluded we had most to worry
> >> about - before starting to worry about the lower end router chips
> >> themselves. But I wasn't aware that people were actually trying to run
> >> lede in that, I'd kind of expected
> >> a more server-like distro to be used there. Why lede in a NFV? Ease of
> >> configuration? Reduced attack surface? (hah)
> >>
> >> The only x86 chip I use (aside from simulations) is the AMD one in the
> >> apu2, which I don't know enough about as per speculation...
> >>
> >> --
> >> Dave Täht
> >> CEO, TekLibre, LLC
> >> http://www.teklibre.com
> >> Tel: 1-669-226-2619
>
> --
> Dave Täht
> CEO, TekLibre, LLC
> http://www.teklibre.com
> Tel: 1-669-226-2619