Kernel comparison: Network Improvement in kernel 2.6

Source: Internet
Author: User

Compared with version 2.4, the Linux 2.6 kernel brings many improvements, and networking is one of the areas of real technical progress. Although most of the files under the kernel's networking options changed in some way, this article covers only the major features that affect the whole system, not the individual files.

Specifically, it covers the improvements to the Network File System (NFS) and to Internet Protocol Security (IPsec), and introduces two newer members of the TCP/IP protocol suite: the Stream Control Transmission Protocol (SCTP) and Internet Protocol version 6 (IPv6).

Network File System and security

The 2.6 kernel improves NFS by introducing NFS version 4. The new version offers better security, takes more care to interoperate across different operating systems, and reduces the number of helper daemons an NFS server has to run.

NFS version 4 (NFSv4) brings security and functional improvements that no earlier NFS version had. Remote Procedure Call (RPC) security is built on the Generic Security Service API (GSS-API), so NFS users can now perform authenticated, integrity-protected and, if wanted, encrypted transactions. The designers also introduced the compound procedure (combining several NFS operations into one RPC call). Fewer RPCs per file system operation means faster NFS response.

To reduce overhead further, NFSv4 folds the file handle-to-pathname mapping (formerly provided by mountd) and byte-range file locking (formerly provided by lockd) into the NFS protocol itself, which reduces the number of daemons a server needs. To make servers easier to implement, NFSv4 adds an additional file handle type and classifies file and file system attributes. The new version also supports server migration and replication, so users can change servers seamlessly when needed. Finally, NFSv4 lets the server delegate some responsibility for cache state to the client, which is needed to give the client a usable cache-consistency guarantee.

NFS RPC requests can now be authenticated cryptographically rather than with the traditional AUTH_SYS credential (a bare UID and GID list the server simply trusts), giving end-to-end NFS security. NFSv4 uses the RPCSEC_GSS framework to extend the basic security of RPC; in the NFSv4 specification Kerberos V5 is the mechanism every implementation must support. The framework lets NFSv4 provide authentication, integrity and privacy (encryption) between server and client, and a security negotiation step lets the client discover and match the server's security policy so that the requirements of both sides are met.

Compound procedures are another improvement in the version 4 design. Earlier NFS versions gave the client no way to build a file system RPC with more complex logic. With a compound procedure the client can combine, for example, LOOKUP, OPEN and READ into one RPC request and read data from a file with a single round trip, where older versions needed one RPC for each of the three operations. The server-side handling of a compound request is simple: the server treats the request as a list of individual operations, executes them in order until the list ends or an operation fails, and returns the results of every operation it executed to the client. The status of the compound is the status of the last operation processed, so a failed operation stops the list and the client can see exactly how far the server got.
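The control flow just described, as an added example in Python (it is not code from the original article or from the Linux kernel's NFS server). The in-memory export, the access policy and the four operations are constructed stand-ins; real NFSv4 encodes operations in XDR and keeps a current-filehandle register, which the `state` dictionary imitates.

```python
"""Toy model of NFSv4 COMPOUND processing on the server side.

Added example, not code from the article or from the kernel's nfsd. It
models only the control flow: operations run in order, the first failure
stops the list, and the results of every operation that ran go back to
the client. The export, the denied-path list and the operations are
constructed stand-ins for the real XDR-encoded protocol.
"""

# Status codes as numbered in the NFSv4 specification (RFC 3530).
NFS4_OK = 0
NFS4ERR_NOENT = 2
NFS4ERR_ACCESS = 13
NFS4ERR_NOFILEHANDLE = 10020
NFS4ERR_BAD_STATEID = 10025

# Constructed sample export: path tuple -> file contents.
EXPORT = {
    ("etc", "motd"): b"Welcome to the 2.6 box\n",
    ("etc", "shadow"): b"root:*:0:0:99999:7:::\n",
}
# Constructed access policy: paths this client may not open.
OPEN_DENIED = {("etc", "shadow")}


def op_putrootfh(state, _arg):
    """Set the current filehandle to the root of the export."""
    state["cfh"] = ()
    return NFS4_OK


def op_lookup(state, name):
    """Descend one path component from the current filehandle."""
    if state["cfh"] is None:
        return NFS4ERR_NOFILEHANDLE
    candidate = state["cfh"] + (name,)
    if any(path[:len(candidate)] == candidate for path in EXPORT):
        state["cfh"] = candidate
        return NFS4_OK
    return NFS4ERR_NOENT


def op_open(state, _arg):
    """Open the file at the current filehandle, subject to the access policy."""
    if state["cfh"] is None:
        return NFS4ERR_NOFILEHANDLE
    if state["cfh"] in OPEN_DENIED:
        return NFS4ERR_ACCESS
    if state["cfh"] not in EXPORT:
        return NFS4ERR_NOENT
    state["opened"] = True
    return NFS4_OK


def op_read(state, _arg):
    """Read the whole file; only valid with the state from a successful OPEN."""
    if not state["opened"]:
        return NFS4ERR_BAD_STATEID
    state["data"] = EXPORT[state["cfh"]]
    return NFS4_OK


OPS = {"PUTROOTFH": op_putrootfh, "LOOKUP": op_lookup,
       "OPEN": op_open, "READ": op_read}


def compound(ops):
    """Run a COMPOUND given as a list of (operation, argument) pairs.

    Returns (status, results, state): status is the status of the last
    operation processed, results holds one (operation, status) entry for
    each operation that actually ran, and state is the server-side register
    file (current filehandle, open state, data read).
    """
    state = {"cfh": None, "opened": False, "data": None}
    results = []
    status = NFS4_OK
    for name, arg in ops:
        status = OPS[name](state, arg)
        results.append((name, status))
        if status != NFS4_OK:
            break                      # later operations are not attempted
    return status, results, state


if __name__ == "__main__":
    request = [("PUTROOTFH", None), ("LOOKUP", "etc"), ("LOOKUP", "motd"),
               ("OPEN", None), ("READ", None)]
    status, results, state = compound(request)
    print(status, results, state["data"])
```

The second request in the test below is the security-relevant case: because OPEN fails with NFS4ERR_ACCESS, the READ behind it never runs, and the client receives four results rather than five, which tells it exactly which operation was refused.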

NFSv4 is also simplified by reducing the number of non-NFS protocols a server must run. With version 4 the NFS code itself maps file handles to path names; in older versions this was done by the separate mount protocol (mountd). The server provides a root file handle corresponding to the top of the file system tree it exports. A server that exports several file systems ties them together with a pseudo file system, which hides any differences in path names between the real file systems; this mapping is what supports a global, hierarchical namespace.

In addition, the new protocol supports byte-range file locking itself, where previous versions relied on the lockd protocol of the Network Lock Manager. The redesigned locking lets the server keep lock state using a lease-based model: the client requests a lock from the server and, if the lock is granted, must renew its lease within the lease period the server specifies. Once a lease expires the server may release the client's locks. Because mountd and lockd are no longer required by an NFSv4-only server, running an NFS server costs less processing overhead.

The new version also includes changes that simplify NFS server implementation. A file handle must remain valid for the lifetime of the file system object it refers to, which is hard for some older NFS server implementations. NFSv4 adds a volatile file handle type to complement the persistent type. With both types available, a server implementation can match the semantics of the host operating system's file system. The client learns which type of file handle the server provides and handles each type accordingly (for a volatile handle it must be ready to look the object up again if the handle expires).

Classifying file and file system attributes is another addition that makes servers easier to write. Older NFS versions used a fixed set of attributes that mainly reflected UNIX files and file systems; if a server or client did not support a particular attribute it had to emulate it as best it could. Version 4 splits attributes into three categories: mandatory, recommended and named.

Mandatory attributes are the minimum set of file or file system attributes that a server must provide and describe correctly. Recommended attributes describe different file system types and operating systems, and allow for better inclusion of, and interoperability between, operating systems. Named attributes are byte streams associated with a directory or file and referenced by a string name; client applications can use them to attach specific data to a file or file system. This attribute classification creates a simple way to add new attributes without major changes to the code.

For better redundancy, NFSv4 supports file system replication and migration on the server. Through a special file system location attribute (fs_locations) the client can query where a file system lives. If the server's file system is replicated for load balancing or similar reasons, the client can obtain all locations of the requested file system and use its own policy to mount and access the appropriate one. Similarly, if a file system is migrated, the error the client receives when it accesses the old location (NFS4ERR_MOVED) tells it to query the new location and adjust accordingly.

The last highlight of NFSv4 is that it lets the server delegate some responsibility for cache state to the client, which is required to give clients a true data-consistency guarantee. With NFSv4 the server can grant a read or write delegation for a specific file. If a client holds a read delegation, no other client is allowed to write the file for as long as the delegation lasts; if a client holds a write delegation, no other client may read or write the file. When another client requests the file in a way that conflicts with an existing delegation, the server may revoke the delegation: it notifies the holder over a callback path from server to client and recalls the delegation. A delegation lets the client serve operations from its local NFS cache without contacting the server in real time, which reduces server load and network traffic.
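The lease-based lock model and the delegation recall described above, combined in one added Python example (not code from the article or from the Linux nfsd). Times are plain integers in seconds, client and path names are constructed, and the 90-second lease length is only a default chosen to match the Linux nfsd default (/proc/fs/nfsd/nfsv4leasetime); the example tracks at most one delegation per file and does not model the client's reply to the recall.

```python
"""Toy NFSv4 server state: lease-based locks and delegation recall.

Added example; not code from the article or from the Linux nfsd. It
models the behaviour described in the text: every client holds a lease it
must renew, lock and delegation state dies with an expired lease, and a
conflicting OPEN makes the server recall a delegation through a callback.
"""


class NfsV4Server:
    def __init__(self, lease_seconds=90):
        self.lease_seconds = lease_seconds
        self.last_renew = {}     # client -> time of last lease renewal
        self.locks = {}          # path -> [(client, start, end)] byte-range locks
        self.delegations = {}    # path -> (client, "read" | "write")
        self.callbacks = []      # CB_RECALL messages the server "sent"

    def renew(self, client, now):
        """Explicit RENEW; in NFSv4.0 most stateful operations also renew the lease."""
        self.last_renew[client] = now

    def _lease_ok(self, client, now):
        return (client in self.last_renew
                and now - self.last_renew[client] < self.lease_seconds)

    def reap_expired(self, now):
        """Free every lock and delegation of clients whose lease has lapsed."""
        expired = {c for c, t in self.last_renew.items()
                   if now - t >= self.lease_seconds}
        for c in expired:
            del self.last_renew[c]
        for path in self.locks:
            self.locks[path] = [l for l in self.locks[path] if l[0] not in expired]
        for path in [p for p, (c, _) in self.delegations.items() if c in expired]:
            del self.delegations[path]
        return expired

    def lock(self, client, path, start, end, now):
        """LOCK on [start, end]; denied when another client holds an overlapping range."""
        if not self._lease_ok(client, now):
            return "NFS4ERR_EXPIRED"
        self.renew(client, now)
        for holder, s, e in self.locks.get(path, []):
            if holder != client and s <= end and start <= e:
                return "NFS4ERR_DENIED"
        self.locks.setdefault(path, []).append((client, start, end))
        return "NFS4_OK"

    def open(self, client, path, want, now):
        """OPEN for 'read' or 'write'. Returns (status, delegation granted or None).

        A conflicting delegation held by another client is recalled over the
        callback path; the new opener then proceeds without a delegation, as a
        server would do while the recall is outstanding.
        """
        if not self._lease_ok(client, now):
            return "NFS4ERR_EXPIRED", None
        self.renew(client, now)
        held = self.delegations.get(path)
        if held is not None and held[0] != client and (want == "write" or held[1] == "write"):
            self.callbacks.append(("CB_RECALL", held[0], path))
            del self.delegations[path]
            return "NFS4_OK", None
        if held is None:
            self.delegations[path] = (client, want)
            return "NFS4_OK", want
        return "NFS4_OK", None   # compatible read sharing; only one delegation tracked here
```

The point to notice is that lease expiry is the only thing that frees state belonging to a client that has gone silent: a client that crashes while holding a write delegation blocks every other reader of that file until `reap_expired` runs at the end of its lease.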

Transport layer improvement: SCTP

The Stream Control Transmission Protocol (SCTP) is a new transport layer protocol added in the 2.6 kernel. In addition to the features it shares with the Transmission Control Protocol (TCP), SCTP provides extra features for telephony, data communication and high-availability applications.

SCTP provides a TCP-like service: it ensures error-free, sequenced data transmission and establishes a session-oriented, end-to-end association between two endpoints for the duration of the transfer. SCTP also provides functions TCP lacks, such as multi-streaming and multi-homing, which are crucial for tasks such as carrying telephone signalling over IP networks.

Multi-streaming lets data be split into several independent, sequenced streams, so that a lost message in one stream delays only that stream and not the others. SCTP is message-oriented (TCP is byte-oriented): it preserves message boundaries and supports multiple streams of messages. With the single-stream approach TCP uses, a lost or reordered segment adds latency for everything behind it (head-of-line blocking): TCP must hold data back from the application until the correct order is restored. That delay hurts applications that do not need a total ordering of messages, such as telephone signalling or web pages with multimedia content. Telephone signalling needs ordering among messages from the same source (for instance, the same call), but the ordering of unrelated messages relative to each other does not matter.

For a web page containing multimedia objects of different types and sizes, multi-streaming allows the content to be delivered in a partially ordered rather than strictly ordered manner, which improves the user's experience of the transfer. In addition, because all streams travel in a single SCTP association, they share a common flow and congestion control mechanism, which reduces the work the transport layer has to do.
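The head-of-line blocking argument of the two paragraphs above, as an added Python example (not code from the article or from the kernel's SCTP implementation). It models only ordered delivery: a receiver holds a message back until the next expected sequence number on the same stream has arrived. The two interleaved "calls" are a constructed sample, and the model omits the transmission sequence number (TSN) that real SCTP chunks also carry.

```python
"""Head-of-line blocking: one ordered stream versus SCTP-style multi-streaming.

Added example, not code from the article or from the kernel. OrderedReceiver
delivers in order per stream; deliver() feeds it the same wire sequence
either as two SCTP streams or as one TCP-like sequence.
"""


class OrderedReceiver:
    """Delivers messages in order per stream; a gap blocks only its own stream."""

    def __init__(self):
        self.next_ssn = {}    # stream id -> next expected stream sequence number
        self.pending = {}     # stream id -> {ssn: payload} waiting for a gap to fill
        self.delivered = []   # (stream, ssn, payload) in the order handed to the app

    def receive(self, stream, ssn, payload):
        """Accept one chunk; returns every payload delivered so far, in order."""
        self.next_ssn.setdefault(stream, 0)
        self.pending.setdefault(stream, {})[ssn] = payload
        # Release everything that is now contiguous on this stream only.
        while self.next_ssn[stream] in self.pending[stream]:
            n = self.next_ssn[stream]
            self.delivered.append((stream, n, self.pending[stream].pop(n)))
            self.next_ssn[stream] = n + 1
        return [p for _, _, p in self.delivered]


# Constructed sample: signalling for two independent calls, interleaved on the wire.
SAMPLE = [
    (1, 0, "call-A:SETUP"), (2, 0, "call-B:SETUP"),
    (1, 1, "call-A:PROCEEDING"), (2, 1, "call-B:PROCEEDING"),
    (1, 2, "call-A:CONNECT"), (2, 2, "call-B:CONNECT"),
]


def deliver(messages, lost, multistream):
    """Feed messages to a receiver, dropping the wire positions listed in `lost`.

    multistream=True keeps each call on its own SCTP stream. multistream=False
    imitates TCP: one sequence for everything, so any gap blocks all later data.
    Returns (payloads delivered so far, the receiver) so a retransmission can
    be fed in afterwards.
    """
    rx = OrderedReceiver()
    delivered = []
    for pos, (stream, ssn, payload) in enumerate(messages):
        if pos in lost:
            continue
        if multistream:
            delivered = rx.receive(stream, ssn, payload)
        else:
            delivered = rx.receive(0, pos, payload)
    return delivered, rx


if __name__ == "__main__":
    print("SCTP, chunk 2 lost:", deliver(SAMPLE, {2}, True)[0])
    print("TCP,  chunk 2 lost:", deliver(SAMPLE, {2}, False)[0])
```

Losing the third chunk on the wire (call A's PROCEEDING) leaves call B completely delivered over SCTP, while the TCP-like receiver delivers nothing past the second chunk until the retransmission arrives.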

Multi-homing is another feature that distinguishes SCTP from traditional transport protocols. It allows a single SCTP endpoint to support multiple IP addresses, providing redundancy when there are several routes to the destination. TCP and UDP sessions are single-homed, so if access to the local LAN fails the end system is isolated, and a failure anywhere along the path breaks the session until the IP routing protocols have rerouted the traffic.

Multi-homed SCTP works together with redundant LANs to improve the reachability of local endpoints. Multiple IP addresses and/or routes with different prefixes, combined with SCTP multi-homing, improve network redundancy. SCTP's multi-homing does not provide network load balancing or load sharing; its key purpose is redundant connectivity for applications running over SCTP. SCTP designates one address as the primary address and uses it for all normal data transmission. When a retransmission is needed, the data is sent to an alternate address to increase the probability of reaching the other endpoint. If the primary path fails completely, all data is routed to an alternate address. As in standard high-availability designs, heartbeat messages are sent on the failed primary path to determine whether the original path can be used again.
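The path-management rules of the paragraph above, as an added Python example (not code from the article or from the kernel's SCTP). It applies the RFC 4960 defaults the text implies: data goes to the primary address, retransmissions prefer an active alternate, a path becomes inactive once its error counter exceeds Path.Max.Retrans (default 5), and an acknowledgement on an inactive path, such as a heartbeat ack, brings it back. The peer addresses are constructed; whether to switch back to the original primary after it recovers is left to the caller.

```python
"""Primary path, retransmission path and failover for a multi-homed SCTP endpoint.

Added example, not code from the article or from the kernel. Only the
path-state bookkeeping is modelled; timers and the chunks themselves are not.
"""


class PathManager:
    def __init__(self, peer_addrs, path_max_retrans=5):
        self.addrs = list(peer_addrs)
        self.primary = self.addrs[0]          # first address given is the primary
        self.path_max_retrans = path_max_retrans
        self.error_count = {a: 0 for a in self.addrs}
        self.active = {a: True for a in self.addrs}
        self.log = []                         # path state changes, for inspection

    def _alternates(self):
        return [a for a in self.addrs if a != self.primary and self.active[a]]

    def data_path(self):
        """New data always goes to the primary address."""
        return self.primary

    def retransmit_path(self):
        """Retransmissions go to an active alternate when one exists."""
        alts = self._alternates()
        return alts[0] if alts else self.primary

    def ack(self, addr):
        """A SACK or HEARTBEAT ACK on addr clears its errors and reactivates it."""
        self.error_count[addr] = 0
        if not self.active[addr]:
            self.active[addr] = True
            self.log.append(("path-up", addr))

    def timeout(self, addr):
        """A retransmission or heartbeat timeout on addr; returns the current primary."""
        self.error_count[addr] += 1
        if self.error_count[addr] > self.path_max_retrans and self.active[addr]:
            self.active[addr] = False
            self.log.append(("path-down", addr))
            if addr == self.primary:
                alts = self._alternates()
                if alts:
                    old, self.primary = self.primary, alts[0]
                    self.log.append(("failover", old, self.primary))
        return self.primary
```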

IP Security and Compression

Internet Protocol Security (IPsec) is another enhancement in the 2.6 kernel. IPsec provides ways to authenticate and encrypt network traffic on LANs and across the Internet. Alongside packet encryption, the 2.6 kernel also improves transmission with IP Payload Compression (IPComp), a protocol that uses compression and decompression algorithms to improve transfer over slow and/or congested links.

The 2.6 kernel's IPsec support gives users a secure transport service at the Internet Protocol (IP) layer, a common solution for the mix of media and applications that make up the Internet. The 2.6 kernel supports both IPsec mechanisms, the Authentication Header (AH) and the Encapsulating Security Payload (ESP). Both rely on the authentication and encryption algorithms provided by the cryptographic API (CryptoAPI) included in the 2.6 kernel.

The Authentication Header (AH) is an extra header placed directly after the IP header to provide packet authentication. Packet-level authentication lets users confirm that a received packet came from a specific machine and that its contents were not altered in transit. This mechanism does not attempt to hide or protect the contents of the packet; the main property AH provides is a guarantee of packet integrity and origin. To gain confidentiality as well, users should also use ESP.

The Encapsulating Security Payload (ESP) header can provide both encryption and packet authentication. ESP's functions include encryption, authentication, an anti-replay service (a form of partial sequence integrity) and limited traffic-flow confidentiality. Users can choose encryption without authentication, but this leaves packets open to attacks that let others break the encryption (an attacker who can modify unauthenticated ciphertext and observe how the receiver reacts can recover plaintext), so ESP should always be used with an integrity check. The ESP header sits after the IP header and before the transport-layer header (TCP or UDP), or before the encapsulated IP header when tunnel mode is used.

In tunnel mode ESP protects the entire inner IP packet, including its header. The inner IP header carries the original source and destination addresses, while the outer IP header carries the addresses of the tunnel endpoints, such as security gateways.
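The ESP framing, the integrity check and the anti-replay service described in the preceding paragraphs, as one added Python example (not code from the article or from the kernel's xfrm/ESP implementation). It builds the fixed ESP header (SPI and sequence number), appends an HMAC-SHA1-96 integrity check value (RFC 2404) over header and payload, and on receipt verifies the ICV before consulting a 64-entry sliding replay window. Encryption is left out: the payload stands in for ciphertext produced beforehand, and the key and payloads are constructed sample values.

```python
"""ESP framing, ICV verification and anti-replay window.

Added example, not code from the article or from the kernel. The payload is
treated as opaque ciphertext; only the authentication and replay parts of
ESP are shown.
"""
import hashlib
import hmac
import struct

ESP_HDR = struct.Struct("!II")   # SPI, sequence number, network byte order
ICV_LEN = 12                     # HMAC-SHA1-96 truncates the 20-byte tag to 96 bits


class ReplayWindow:
    """Sliding anti-replay window with the semantics of RFC 4303 section 3.4.3.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number top - i has been seen.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        if seq == 0:                       # the first packet on an SA has seq 1
            return False
        if seq > self.top:                 # new high-water mark: slide the window
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:              # older than the window: reject
            return False
        if self.bitmap & (1 << diff):      # already seen: replay
            return False
        self.bitmap |= 1 << diff
        return True


def esp_encapsulate(spi, seq, payload, auth_key):
    """Build ESP header + payload + ICV. `payload` stands in for the ciphertext."""
    body = ESP_HDR.pack(spi, seq) + payload
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_receive(frame, auth_key, window):
    """Verify the ICV, then apply the replay check; returns (verdict, payload).

    RFC 4303 allows a cheap window pre-check before the ICV, but the window may
    only be updated after the ICV verifies; verifying first guarantees that here,
    so a forged packet can never advance the window.
    """
    if len(frame) < ESP_HDR.size + ICV_LEN:
        return "malformed", None
    body, icv = frame[:-ICV_LEN], frame[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "bad_icv", None
    spi, seq = ESP_HDR.unpack_from(body)
    if not window.check_and_update(seq):
        return "replay", None
    return "ok", body[ESP_HDR.size:]
```

Two checks in the test are worth reading: a tampered frame with a high sequence number is rejected without moving the window, and a genuine packet that arrives more than 64 behind the newest one is dropped even though it was never seen, which is the "partial sequence integrity" the text refers to.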

IP payload Compression

IP Payload Compression (IPComp) reduces the size of IP datagrams. If both machines have computing power to spare and the communication runs over congested and/or slow links, this 2.6 networking feature improves performance between the two endpoints.

IPComp is especially suitable in combination with IPsec, because the extra headers IPsec requires increase packet size, and because encrypted data cannot be compressed afterwards, so compression has to happen before encryption. IPComp has two phases: compressing outgoing packets and decompressing incoming ones. The original IP datagram is reconstructed exactly after compression and decompression. Each packet is compressed and decompressed independently, because the unpredictable nature of the Internet can deliver packets out of order or lose them, so no compression state can be carried from one packet to the next.
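The per-datagram compression just described, as an added Python example (not code from the article or from the kernel's ipcomp module). Each datagram is compressed on its own with raw DEFLATE (the IPComp DEFLATE transform, well-known CPI 2), and the RFC 3173 rule that a datagram is sent uncompressed when compression would not shrink it is applied. The small-datagram threshold is an assumption (the RFC suggests skipping small datagrams but fixes no value), and the payloads are constructed.

```python
"""Per-datagram IP payload compression in the style of IPComp (RFC 3173).

Added example, not code from the article or from the kernel. The tuple
(protocol, bytes) stands in for the IP header's protocol field plus the
payload that follows it.
"""
import struct
import zlib

IPPROTO_IPCOMP = 108
CPI_DEFLATE = 2
IPCOMP_HDR = struct.Struct("!BBH")   # next header, flags (must be 0), CPI
MIN_COMPRESS_SIZE = 90               # assumption: do not bother below this size

# Constructed sample that DEFLATE cannot shrink: 256 distinct byte values, no repeats.
INCOMPRESSIBLE = bytes(range(256))


def ipcomp_compress(next_header, payload):
    """Return (protocol, wire_bytes) for one datagram's payload.

    protocol is IPPROTO_IPCOMP when an IPComp header was prepended, otherwise
    the untouched next_header, so the receiver knows whether to decompress.
    Every call starts a fresh compressor: no state is shared between datagrams.
    """
    if len(payload) < MIN_COMPRESS_SIZE:
        return next_header, payload
    comp = zlib.compressobj(level=6, wbits=-15)   # raw DEFLATE, no zlib wrapper
    compressed = comp.compress(payload) + comp.flush()
    if IPCOMP_HDR.size + len(compressed) >= len(payload):
        return next_header, payload              # no gain: RFC 3173 says send as-is
    header = IPCOMP_HDR.pack(next_header, 0, CPI_DEFLATE)
    return IPPROTO_IPCOMP, header + compressed


def ipcomp_decompress(protocol, data):
    """Inverse of ipcomp_compress; non-IPComp datagrams pass through unchanged."""
    if protocol != IPPROTO_IPCOMP:
        return protocol, data
    next_header, flags, cpi = IPCOMP_HDR.unpack_from(data)
    if flags != 0 or cpi != CPI_DEFLATE:
        raise ValueError("unsupported IPComp header")
    decomp = zlib.decompressobj(wbits=-15)
    payload = decomp.decompress(data[IPCOMP_HDR.size:]) + decomp.flush()
    return next_header, payload
```

Because the compressor is created afresh for every datagram, a lost or reordered packet never corrupts the decompression of its neighbours, which is exactly the independence property the text requires.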

IPv6 privacy Extension

The 2.6 kernel improves the IPv6 security options. In addition to IPsec, IPComp and IPv6 tunnelling support, it provides the IPv6 privacy extensions.

IPsec gives IPv6 the same level of authentication and security as IPv4. IPv6-in-IPv6 tunnel support allows secure, seamless communication between two endpoints, as in transmission over a virtual private network (VPN).

The IPv6 privacy extensions are designed specifically to improve anonymity on the Internet, letting users choose to protect their identity when using IPv6 addresses. With stateless address autoconfiguration, the usual way to form the interface identifier (the lower 64 bits of the 128-bit IPv6 address) is to derive it from the device's MAC address, that is, from the Ethernet card or the mobile handset. Because that identifier is constant, it makes the data easy to track, which can be exploited by someone with ill intent: with nothing more than a machine's MAC address, a network sniffer can track which machines it communicates with, and when.

Such sniffer data is easy to collect, because the MAC-derived identifier stays the same regardless of network topology, even when the machine is a mobile phone or laptop that moves between networks. Anyone recording this data can use it to track work patterns, locations and so on.

The IPv6 privacy extensions allow an additional global IPv6 address to be created using a randomly generated interface identifier. A machine uses such a temporary address for a set period, after which it switches to another random address. Existing connections may continue to use the old address until it is retired, but all new connections must be established from the new temporary address.
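The tracking problem and its fix, as an added Python example (not code from the article or from the kernel's IPv6 stack). It first shows that the default modified EUI-64 identifier embeds the MAC address, which a sniffer can read straight back out of any address; it then derives temporary identifiers the way RFC 3041 section 3.2.1 describes (MD5 over a history value concatenated with the previous identifier, leftmost 64 bits with the universal/local bit cleared, rightmost 64 bits kept as the next history value). The MAC address, the prefix and the initial history value are constructed sample inputs.

```python
"""MAC-derived versus temporary (RFC 3041) IPv6 interface identifiers.

Added example, not code from the article or from the kernel.
"""
import hashlib
import ipaddress


def eui64_iid(mac):
    """Modified EUI-64 interface identifier (RFC 2464) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02                     # invert the universal/local bit
    return bytes(iid)


def mac_from_iid(iid):
    """What a sniffer does: recover the MAC from an EUI-64 based identifier."""
    if iid[3:5] != b"\xff\xfe":
        return None                    # not MAC-derived (e.g. a temporary address)
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


def temporary_iid(history, previous_iid):
    """One RFC 3041 step: returns (new interface identifier, next history value)."""
    digest = hashlib.md5(history + previous_iid).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD                     # clear the u/l bit: locally administered
    return bytes(iid), digest[8:]


def make_address(prefix, iid):
    """Join a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("need a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def temporary_addresses(prefix, mac, history, count):
    """The sequence of temporary addresses a host would cycle through.

    RFC 3041 seeds the chain with the stable identifier and regenerates any
    result that collides with it (or, here, that would look MAC-derived).
    """
    stable = eui64_iid(mac)
    prev = stable
    out = []
    while len(out) < count:
        iid, history = temporary_iid(history, prev)
        if iid == stable or mac_from_iid(iid) is not None:
            continue
        out.append(make_address(prefix, iid))
        prev = iid
    return out


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"
    print("stable:", make_address("2001:db8:1::/64", eui64_iid(mac)),
          "-> sniffer sees", mac_from_iid(eui64_iid(mac)))
    for a in temporary_addresses("2001:db8:1::/64", mac, b"\x00" * 8, 3):
        print("temporary:", a, "-> sniffer sees", mac_from_iid(a.packed[8:]))
```

On Linux the behaviour is selected per interface with the sysctl net.ipv6.conf.<interface>.use_tempaddr (0 disables temporary addresses, 1 generates them but prefers the stable address for outgoing connections, 2 prefers the temporary address); the default of 0 leaves the MAC-derived identifier in use.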

Conclusion

Most users will find that one or more of these new or enhanced features improves the way they use Linux in their own system environments.

NFS users migrating to version 4 gain the expected performance and security improvements. Developers of carrier-grade and telephony applications can use the features of SCTP to deliver better, more reliable service to consumers and customers. IPsec provides a solution for people and enterprises that need to move sensitive data over untrusted networks, and IPComp lets them improve data communication over the Internet by sending smaller packets. The IPv6 enhancements provide better security and privacy for users of the next-generation Internet protocol, and encourage more developers of IPv4 applications to move to the improved version of IP.

In short, the networking enhancements in the 2.6 Linux kernel are a positive step towards large-scale adoption of Linux in enterprise environments.

Source

Http://www.ibm.com/developerworks/cn/linux/l-net26.html
