What's New in the MLNX_OFED 3.3 Release

Version 22

    This post highlights the features planned for the upcoming MLNX_OFED 3.3 release.





    SR-IOV Security Features


    MAC Anti-Spoofing (spoof check)

    Normally, MAC addresses are unique and fixed: they do not change. MAC address spoofing (or MAC spoofing) is a method of altering the MAC address, which is done for a variety of reasons. In some cases such modifications are legitimate, but in other cases they are attempts to bypass or abuse security mechanisms or to hide a possible attacker. To protect against MAC address spoofing on VMs, we need a way to check for possible MAC spoofing whenever VM traffic is sent.

    The SR-IOV MAC address anti-spoofing (a.k.a. MAC spoofcheck) feature protects against malicious VM MAC address spoofing.


    When a network administrator uses the hypervisor to assign a MAC address to the VM, he or she is configuring anti-spoofing for the VF of that VM, which prevents users running the VM from altering the MAC addresses given to that VM.
    For more information, refer to HowTo Configure MAC Anti-Spoofing for VMs over SR-IOV.


    Privileged (Trusted) VFs

    The feature enables users to grant special privileges to a specific trusted Virtual Function (VF). A malicious driver could be running over one of the VFs, and inadvertently giving that VF physical function privileges might open security holes. For example, letting any VF enter promiscuous mode would enable sniffing and monitoring of all incoming traffic on the physical port, including traffic targeting other virtual functions.
    For more information, refer to HowTo Configure Privileged VF on ConnectX-4.
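
    To check both SR-IOV security settings on a host, the following added example (not part of the original post or of MLNX_OFED) audits the per-VF lines of `ip link show <PF>` for spoof checking and trust. The sample output, the interface name and the `trusted_allowlist` parameter are constructed, and the line format is an assumption that covers the two label styles iproute2 has used.

```python
import re

# Constructed sample of `ip link show <PF>` output (not from the page).
# Assumption: iproute2 prints one "vf N ..." line per VF; older releases
# label the address "MAC", newer ones "link/ether".
SAMPLE = """\
6: ens1f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 24:8a:07:00:00:01 brd ff:ff:ff:ff:ff:ff
    vf 0 MAC 52:54:00:00:00:10, spoof checking on, link-state auto, trust off
    vf 1 MAC 52:54:00:00:00:11, spoof checking off, link-state auto, trust off
    vf 2     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust on
"""

VF_RE = re.compile(r"^\s*vf\s+(\d+)\s+(?:MAC|link/ether)\s+([0-9a-fA-F:]{17})(.*)$")
FLAG_RE = {"spoofchk": re.compile(r"spoof checking (on|off)"),
           "trust": re.compile(r"trust (on|off)")}

def parse_vfs(text):
    """Return one dict per VF line: index, MAC, spoofchk and trust state."""
    vfs = []
    for line in text.splitlines():
        m = VF_RE.match(line)
        if not m:
            continue  # PF header and PF link/ether lines are skipped
        vf = {"vf": int(m.group(1)), "mac": m.group(2).lower()}
        for name, rx in FLAG_RE.items():
            flag = rx.search(m.group(3))
            vf[name] = flag.group(1) if flag else None  # None: not reported
        vfs.append(vf)
    return vfs

def audit(text, trusted_allowlist=()):
    """List (vf, issue) pairs for VFs that deviate from the hardened setup."""
    findings = []
    for vf in parse_vfs(text):
        if vf["mac"] == "00:00:00:00:00:00":
            findings.append((vf["vf"], "no administratively assigned MAC"))
        if vf["spoofchk"] != "on":
            findings.append((vf["vf"], "spoof checking not enabled"))
        if vf["trust"] == "on" and vf["vf"] not in trusted_allowlist:
            findings.append((vf["vf"], "trusted VF not on allowlist"))
    return findings

if __name__ == "__main__":
    for vf, issue in audit(SAMPLE, trusted_allowlist={0}):
        print(f"vf {vf}: {issue}")
```

    A VF whose line reports no spoof checking state at all is also flagged, so an unexpected output format produces a finding that gets looked at.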



    RoCE/Storage Solutions


    Priority Flow Control (PFC) Local Configuration

    Local configuration for PFC was added via the mlnx_qos command, which is used to manually configure the adapter. To learn how to set PFC locally on the host, see HowTo Configure PFC on ConnectX-4.


    Priority Flow Control (PFC) and ETS Remote Configuration via DCBX LLDP TLVs

    Remote configuration of PFC and ETS can be done by enabling LLDP and DCBX on the firmware, while the adapter is willing to accept the configuration from the switch.
    To learn more about how to auto-configure PFC and ETS, see HowTo Auto-Config PFC and ETS on ConnectX-4 via LLDP DCBX.




    Accelerated RFS (aRFS)

    Accelerated Receive Flow Steering (aRFS) boosts the speed of Receive Flow Steering (RFS) by adding support to the hardware. Like RFS, packets are forwarded based on the location of the application consuming the packet. By using aRFS (unlike RFS), the packets will be directed to a CPU that is local to the thread running the application. RFS and aRFS are kernel features currently available in most distributions. The aRFS feature requires explicit configuration in order to enable it; see HowTo Configure aRFS on ConnectX-4 for more information.


    Physical Address Memory Region

    Physical Address Memory Regions (PA-MR) allow the user to manage physical memory used for posting send and receive requests. This feature can improve the performance of storage applications that register large memory regions with random access.

    For more information, refer to Physical Address Memory Region.


    Peer Direct

    Peer Direct technology allows Mellanox adapters to transfer data directly between the adapter and other PCIe devices. For more information, refer to HowTo Implement PeerDirect Client using MLNX_OFED.


    Quality of Service (QoS)


    Packet Pacing

    ConnectX-4 and ConnectX-4Lx devices allow packet pacing (traffic shaping) per send queue.

    • Support for 16 different rates
    • Up to 2048 send queues
    • Rates varying from 1 Mbps to line rate in 1 Mbps resolutions
    • Mapping for multiple different queues to the same rate (with each queue paced independently)

    For more information and configuration instructions, refer to HowTo Configure Packet Pacing on ConnectX-4.


    InfiniBand Routers

    InfiniBand (IB) routers are intended to be used to segment a very large network into smaller subnets connected by an IB router. The segmentation can be useful for isolating some of the subnets from each other, or for building a very large network.

    To learn more about IB router architecture and functionality, see IB Router Architecture and Functionality.

    If you already understand the concepts of using routers and want to configure an IB router, see HowTo Configure IB Routers.

