On Sat, Feb 27, 2021 at 7:10 AM Rodney W. Grimes < freebsd-rwg_at_gndrsh.dnsmgr.net> wrote: > > On Fri, Feb 26, 2021 at 9:24 AM Rodney W. Grimes < > > freebsd-rwg_at_gndrsh.dnsmgr.net> wrote: > > > > > > My understanding is that KTLS works very well with OpenSSL for > sending, > > > but > > > > not as well for receiving, because there's nothing like a recvfile > > > > syscall. However, it works great for both send and receive with NFS, > > > where > > > > all the data remains in the kernel. What about zfs recv? A very > common > > > > pattern is for an application to read from an SSL socket and then > pipe > > > the > > > > data to zfs recv. For example, zrepl does that. Could zfs recv > instead > > > > read directly from the KTLS socket, bypassing userspace? That could > > > > potentially save a _lot_ of cycles for a _lot_ of people. > > > > > > I did some patches and a short presentation at BSDCan that basically > > > shoves the whole zfs send and zfs recv process into the kernel, ie > > > it opens the sockets up, makes the connections, then the socket > > > is passed into the kernel(s) and it all runs in kernel mode. > > > > > > > > > > https://www.bsdcan.org/2018/schedule/attachments/479_BSDCan-2018-zfs-send.pdf > > > > > > A few things need fixed like reversing who does the listen for > > > security reasons, but this feature is probably ready for prime > > > time. > > > > > > > -Alan > > > > > > -- > > > Rod Grimes > > > rgrimes_at_freebsd.org > > > > > > That looks potentially useful, but it doesn't use encryption. Would it > > work if the socket had been opened by openssl with ktls? > > Alan, > Should I revise the code to meet the state that was discussed > during the BSDCan talk so that it can be committed? Matt Aherns said > at the time he felt if I just reversed the listen/connect relationship > between send and recv that it addressed enough of the security concern > to be usable "on a local and well administered" network and would > probably be safe to import into upstream ZFS. (This was prior to > FreeBSD moving to openzfs.) > > From other discussion in this thread it does not sound difficult to > implement the KTLS end of it, but I doubt that would be portable > enough to upstream, maybe someone can speak to that issue? > > -- > Rod Grimes > rgrimes_at_freebsd.org Rod, it would be great if we can get that code committed. I'll try to come up with a OpenSSL->zfs recv POC program next week. And I think we should try to upstream it to OpenZFS, too. They aren't strict about portability; plenty of OS-specific features have made it into their repo. -AlanReceived on Sat Feb 27 2021 - 14:20:35 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:27 UTC