This post highlights the features planned for the upcoming MLNX_OFED 3.3 release.
- SR-IOV Security Features
- RoCE/Storage Solutions
- Quality of Service (QoS)
- InfiniBand Routers
- Table of Posts
SR-IOV Security Features
MAC Anti-Spoofing (spoof check)
Normally a MAC address is a unique, fixed identifier that does not change. MAC address spoofing (or MAC spoofing) is a method of altering the MAC address for a variety of reasons. In some cases such modifications are legitimate, but in other cases they are attempts to bypass or abuse security mechanisms or to hide a possible attacker. To protect against MAC address spoofing on VMs, we need a way to check for possible MAC spoofing whenever a VM sends traffic.
The SR-IOV MAC address anti-spoofing (a.k.a. MAC spoofcheck) feature protects against malicious VM MAC address spoofing.
When a network administrator uses the hypervisor to assign a MAC address to a VM, he or she is also configuring anti-spoofing for the VF of that VM, which prevents users running the VM from altering the MAC address given to that VM.
For more information, refer to HowTo Configure MAC Anti-Spoofing for VMs over SR-IOV.
Privileged (Trusted) VFs
This feature enables users to provide special privileges to a specific trusted Virtual Function (VF). It is possible that a malicious driver could run over one of the VFs and inadvertently give that VF physical function privileges, which might open security holes. For example, letting any VF be in promiscuous mode would enable sniffing and monitoring of the entire physical port for incoming traffic, including traffic targeting other virtual functions.
For more information, refer to HowTo Configure Privileged VF on ConnectX-4.
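An added example, not part of the original post or of MLNX_OFED: a shell check covering both features above. It reads `ip link show` output for a PF and reports VFs with spoof checking off, or with trust enabled outside an allow-list. The interface name, MAC addresses and allow-list are constructed sample values.

```shell
#!/bin/sh
# Added example: audit SR-IOV VF settings as reported by iproute2.
# Reads `ip link show dev <pf>` output on stdin and reports VFs whose
# spoof checking is off, or that are trusted without being allow-listed.

audit_vfs() {
    # $1: comma-separated VF indexes allowed to be trusted ("" = none)
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "vf" {
        vf = $2
        if ($0 ~ /spoof checking off/)      print "vf " vf ": spoofchk off"
        if ($0 ~ /trust on/ && !(vf in ok)) print "vf " vf ": unexpected trust on"
    }'
}

# Constructed sample output (interface name and MACs are made up).
sample_ip_link() {
    cat <<'EOF'
6: ens2f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    vf 0 MAC 02:00:00:00:01:00, spoof checking on, link-state auto, trust off
    vf 1 MAC 02:00:00:00:01:01, spoof checking off, link-state auto, trust off
    vf 2 MAC 02:00:00:00:01:02, spoof checking on, link-state auto, trust on
    vf 3 MAC 02:00:00:00:01:03, spoof checking on, link-state auto, trust on
EOF
}

# On a live host:  ip link show dev <pf> | audit_vfs 2
# Remediate with:  ip link set <pf> vf <n> spoofchk on
#                  ip link set <pf> vf <n> trust off
sample_ip_link | audit_vfs 2
```

Here VF 2 is the only VF the administrator intends to trust, so the check reports VF 1 (spoof checking off) and VF 3 (trusted but not allow-listed).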
RoCE/Storage Solutions
Priority Flow Control (PFC) Local Configuration
Local configuration for PFC was added via the mlnx_qos command, to configure the adapter manually. To learn how to set PFC locally on the host, see HowTo Configure PFC on ConnectX-4.
Priority Flow Control (PFC) and ETS Remote Configuration via DCBX LLDP TLVs
Remote configuration of PFC and ETS can be done by enabling LLDP and DCBX in the firmware, while the adapter is willing to accept the configuration from the switch.
To learn more about how to auto-configure PFC and ETS, see HowTo Auto-Config PFC and ETS on ConnectX-4 via LLDP DCBX.
Accelerated RFS (aRFS)
Accelerated Receive Flow Steering (aRFS) boosts the speed of Receive Flow Steering (RFS) by adding support in the hardware. Like RFS, packets are forwarded based on the location of the application consuming the packet. By using aRFS (unlike RFS), the packets will be directed to a CPU that is local to the thread running the application. RFS and aRFS are kernel features currently available in most distributions. The aRFS feature requires explicit configuration in order to enable it; see HowTo Configure aRFS on ConnectX-4 for more information.
Physical Address Memory Region
Physical Address Memory Regions (PA-MR) allow the user to manage physical memory used for posting send and receive requests. This feature can improve the performance of storage applications that register large memory regions with random access.
For more information, refer to Physical Address Memory Region.
PeerDirect technology allows Mellanox adapters to transfer data directly between the adapter and other PCIe devices. For more information, refer to HowTo Implement PeerDirect Client using MLNX_OFED.
Quality of Service (QoS)
ConnectX-4 and ConnectX-4Lx devices allow packet pacing (traffic shaping) per send queue.
- Support for 16 different rates
- Up to 2048 send queues
- Rates varying from 1 Mbps to line rate at 1 Mbps resolution
- Mapping of multiple different queues to the same rate (with each queue paced independently)
For more information and configuration instructions, refer to HowTo Configure Packet Pacing on ConnectX-4.
InfiniBand Routers
InfiniBand (IB) routers are intended to be used to segment a very large network into smaller subnets connected by an IB router. The segmentation can be useful for isolating some of the subnets from each other, or for building a very large network.
To learn more about IB router architecture and functionality, see IB Router Architecture and Functionality.
If you already understand the concepts of using routers and want to configure an IB router, see HowTo Configure IB Routers.
Table of Posts
|Topic|Post|
|---|---|
|MAC Anti-Spoofing|HowTo Configure MAC Anti-Spoofing for VMs over SR-IOV|
|Privileged VFs|HowTo Configure Privileged VF on ConnectX-4|
|PFC on ConnectX-4|HowTo Configure PFC on ConnectX-4|
|aRFS|HowTo Configure aRFS on ConnectX-4|
|Packet Pacing|HowTo Configure Packet Pacing on ConnectX-4|
|Physical Address Memory Region|Physical Address Memory Region|
|IB Router Architecture and Functionality|IB Router Architecture and Functionality|
|Configuring IB Routers|HowTo Configure IB Routers|
|Peer Direct|HowTo Implement PeerDirect Client using MLNX_OFED|
|DCBX support|HowTo Auto-Config PFC and ETS on ConnectX-4 via LLDP DCBX|