netdev

Re: The ultimate TOE design

To: Netdev <netdev@xxxxxxxxxxx>
Subject: Re: The ultimate TOE design
From: Lars Marowsky-Bree <lmb@xxxxxxx>
Date: Thu, 16 Sep 2004 11:03:28 +0200
Cc: Linux Kernel <linux-kernel@xxxxxxxxxxxxxxx>
In-reply-to: <4148991B.9050200@xxxxxxxxx>
References: <4148991B.9050200@xxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6i
On 2004-09-15T15:33:47,
   Jeff Garzik <jgarzik@xxxxxxxxx> said:

> Then, your host system OS will communicate with the Linux kernel running 
> on the card across the PCI bus, using IP packets (64K fixed MTU).
> 
> This effectively:

Actually, given that there's almost no reason to offload TCP/IP
processing for speed (the money is better spent on CPU / memory for the
main system), I like the idea of this for security: off-load the packet
filtering to create an additional security barrier. (Different CPU
architecture and all that.)

(With two cards, one could even use the conntrack fail-over internally.
- A Linux-running NIC with built-in firewalling, sell to all the Windows
weenies... ;)

With dedicated processors, maybe an IPsec accelerator would also be
cool, but I'd think a crypto accelerator for the main system would again
be saner here (unless, of course, the argument of the security domain
isolation is applied again).

Admittedly, one can solve all these differently, but it still might be
cool. ;-)


Sincerely,
    Lars Marowsky-Brée <lmb@xxxxxxx>

-- 
High Availability & Clustering
SUSE Labs, Research and Development
SUSE LINUX AG - A Novell company