Thomas Graf <tg...@suug.ch> wrote:
> On 12/01/16 at 10:11am, Florian Westphal wrote:
> > Aside from this, XDP, like DPDK, is a kernel bypass.
> > You might say 'It's just stack bypass, not a kernel bypass!'.
> > But what does that mean exactly? That packets can still be passed
> > onward to the normal stack?
> > Bypass solutions like netmap can also inject packets back to the
> > kernel stack again.
>
> I have a fundamental issue with the approach of exporting packets into
> user space and reinjecting them: once the packet leaves the kernel,
> any security guarantees are off. I have no control over what is
> running in user space and whether whatever listener up there has been
> compromised or not. To me, that's a no-go, in particular for servers
> hosting multi-tenant workloads. This is one of the main reasons why
> XDP, in particular in combination with BPF, is very interesting to me.
Funny, I see it exactly the other way around :) To me, a packet coming from this "userspace injection" is no different from a packet coming from a tun/tap device, or any other packet coming from the network. I see no change or increase in attack surface.