From dc2f198866c5fd8162a79978eb3633975d3ba11f Mon Sep 17 00:00:00 2001 From: Ian Gudger Date: Mon, 6 Apr 2020 16:27:38 -0700 Subject: Update networking security blog post --- content/blog/2_networking_security/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'content') diff --git a/content/blog/2_networking_security/index.md b/content/blog/2_networking_security/index.md index 6558c8384..1bab822f1 100644 --- a/content/blog/2_networking_security/index.md +++ b/content/blog/2_networking_security/index.md 
@@ -37,7 +37,7 @@ Figure 1: Netstack and gVisor ## Writing a network stack -Netstack was written from scratch specifically for gVisor. There are now other users (e.g. [Fuchsia](https://fuchsia.googlesource.com/fuchsia/+/refs/heads/master/src/connectivity/network/netstack/)), but they came later. As we discussed, a custom network stack has enabled a variety of security-related goals which would not have been possible any other way. This came at a cost though. Network stacks are complex and writing a new one comes with many challenges, mostly related to application compatibility and performance. +Netstack was written from scratch specifically for gVisor. Because Netstack was designed and implemented to be modular, flexible and self-contained, there are now several more projects using Netstack in creative and exciting ways. As we discussed, a custom network stack has enabled a variety of security-related goals which would not have been possible any other way. This came at a cost though. Network stacks are complex and writing a new one comes with many challenges, mostly related to application compatibility and performance. Compatibility issues typically come in two forms: missing features, and features with behavior that differs from Linux (usually due to bugs). Both of these are inevitable in an implementation of a complex system spanning many quickly evolving and ambiguous standards. However, we have invested heavily in this area, and the vast majority of applications have no issues using Netstack. For example, [we now support setting 34 different socket options](https://github.com/google/gvisor/blob/815df2959a76e4a19f5882e40402b9bbca9e70be/pkg/sentry/socket/netstack/netstack.go#L830-L1764) versus [only 7 in our initial git commit](https://github.com/google/gvisor/blob/d02b74a5dcfed4bfc8f2f8e545bca4d2afabb296/pkg/sentry/socket/epsocket/epsocket.go#L445-L702). We are continuing to make good progress in this area. -- cgit v1.2.3
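Review bot: In the replaced sentence of the "Writing a network stack" paragraph, the new wording "there are now several more projects using Netstack in creative and exciting ways" drops the one concrete, linked example the old text had (Fuchsia) and names no project in its place, so a reader can no longer check the claim. Either keep a link to at least one user or reduce the sentence to the design statement ("modular, flexible and self-contained") without the unverifiable adjectives. The old "but they came later" also made explicit that gVisor was the original user; the new "Because Netstack was designed..." phrasing loses that ordering, and it makes two consecutive sentences open with "Netstack was". The commit message ("Update networking security blog post") does not say why the Fuchsia reference was removed; a one-line reason there would help later readers of the history.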