
Crossbow's golden arrows

Sun's Project Crossbow, now in the OpenSolaris code base, separates physical network interfaces from the OS code accessing that hardware - meaning superficially that it virtualizes networks, more substantively that OpenSolaris on AMD can now compete with Cisco/IOS at 10 cents on the Cisco dollar - and more deeply that people who care about network security now have an exciting new option.
Written by Paul Murphy, Contributor

Sun's Project Crossbow has now been released to production versions of OpenSolaris for x86 - and will, RSN, appear in supported releases for SPARC.

Nominally what Crossbow does is fully virtualize network interfaces - interposing a virtualization layer between the hardware and the OS to allow mapping of many virtual network interfaces, each essentially indistinguishable in operation from physical hardware, to one real card or port - here's the 411 direct from the Crossbow development site:

Key Features Integrated in Nevada build 105 (Dec 4th, 2008) and available in the next release of OpenSolaris:

  • Performance & latency improvements
    • Dynamic Polling and H/W Classification
    • HW and S/W fanouts to multiple cores
    • Parallelizing the stack all the way from HW to application

  • Virtualization
    • Virtual Wire(TM) - Ability to create Network in a Box
    • NIC Virtualization - HW and S/W based VNICs
    • Etherstubs (Virtual Switches)
    • Service Virtualization - Flows
    • IP Instances for Zones

  • Resource partitioning
    • Bandwidth partitioning for NICs/VNICs/Flows
    • CPU resource and priority assignment on per datalink (NIC/VNIC/Aggr) basis
    • Class of Service support based on Diffserv tags (DSCP)

  • Flows
    • Based on IP addresses, IP Subnets, Transport and ports
    • Bandwidth control and priority for Flows

  • Analytics/Observability
    • Real Time usage for flows and datalinks
    • Usage history for flows and datalinks
    • Fine grained, per link statistics like packets received via intr/poll, chain lengths, Tx block/wakeup count etc. (Currently tracked by the kernel on per datalink/flow basis and available from 'mdb' macros such as 'mac_flow' and 'mac_srs').

On its face Crossbow addresses a number of typical sysadmin issues with the use of network interfaces in zones or containers - particularly the problem that the lack of absolute isolation from the physical hardware meant that NIC access had to be co-ordinated outside the zone management function.

That's no longer an issue: you can now (or will soon be able to) consider network interfaces as integral to either containers or zones and move them around with the same cheerful joie de vivre we've all previously been applying to files, users, and rights.
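What the etherstub, VNIC, bandwidth and flow features in the list above look like from the command line, as an added example that is not from the article or the Crossbow project. The link names, zone name, flow name and bandwidth values are hypothetical, the zone is assumed to exist already, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: give one zone its own VNICs, a private virtual switch and a
# capped management flow. All names and values below are hypothetical.
# DRY_RUN=1 (the default) prints each command instead of executing it.

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Conservative check for this example: lower-case letters, digits and
# underscore, ending in a digit (Solaris datalink names end in a number).
valid_link() {
    case "$1" in
        *[!a-z0-9_]*|'') return 1 ;;
        *[0-9])          return 0 ;;
        *)               return 1 ;;
    esac
}

# virtual_wire PHYS STUB UPLINK INSIDE CAP
virtual_wire() {
    phys=$1; stub=$2; uplink=$3; inside=$4; cap=$5
    for l in "$phys" "$stub" "$uplink" "$inside"; do
        valid_link "$l" || { echo "bad link name: $l" >&2; return 1; }
    done
    run dladm create-etherstub "$stub"                # virtual switch, no physical port
    run dladm create-vnic -l "$phys" "$uplink"        # VNIC on the real NIC
    run dladm create-vnic -l "$stub" "$inside"        # VNIC on the private switch
    run dladm set-linkprop -p maxbw="$cap" "$uplink"  # bandwidth cap on the uplink
    run flowadm add-flow -l "$uplink" -a transport=tcp,local_port=22 sshflow
    run flowadm set-flowprop -p maxbw=10M sshflow     # cap the management flow
}

# attach_zone ZONE LINK: an exclusive IP instance gives the zone its own
# IP stack, so the VNIC is administered from inside the zone.
attach_zone() {
    run zonecfg -z "$1" "set ip-type=exclusive; add net; set physical=$2; end"
}

virtual_wire e1000g0 stub0 uplink0 inside0 500M
attach_zone fwzone uplink0
attach_zone fwzone inside0
```
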

To be honest my personal reaction to all this is along the lines of "oh, Whoopidee do!" because the whole business of sticking multiple NIC cards in a machine and tying them to applications is a Wintel/x86 thing with no role in a well run SPARC/Solaris shop where normal Unix device sharing works perfectly well.

However... Crossbow is important - and thus well worth your time to learn about - in two distinct ways:

  1. Crossbow offers, for x86 users, an important reason for choosing OpenSolaris over a BSD, Linux, or even Windows alternative; and,
  2. Crossbow opens an entire new applications market in network routing and packet management for Sun.

A high volume, high reliability, switch router from someone like Cisco can easily run into the thirty thousand and up range - and everything it does can now be done on a $6K AMD box running OpenSolaris against a couple of multi-port gigabit ethernet cards.

When Sun bought Cobalt back in 2000, part of the dream was to build on the company's expertise to make and sell a true network connectivity appliance but, between technology limitations and the destructive response from middle management, it didn't happen - then.

Today the stars look aligned to make this work: there's more open source expertise, the technology is vastly better, and any volume achievements will not depend on Sun's regular sales channels.

The latter will, I think, prove to be important for Sun first and the industry second because it reduces data center costs and clutter quite considerably while extending the typical Unix sysadmin's span of control into network management.

That's cool - and even cooler? There's actually something there for guys like me too: Crossbow fits the packet handling changes made to the N1 during the N2 transition - thus making use of the on-board cryptographic processors in that machine easy for people who want to use Crossbow to handle routing on secure networks simply by creating dedicated zones on Coolthreads servers.

And that's a big deal - because it wipes out two very dangerous sources of vulnerability (IOS and the Cisco guy), improves performance, and eliminates a couple of cost sources into the bargain. Progress, at least as far as I'm concerned, doesn't get better than this - and that's the bottom line.
