On 2011-11-26 12.48, Johnny Billquist wrote:
On 2011-11-26 12.05, H Vlems wrote:
What I've read about the "enhancements" to the bridge program is yet
another
matter. First off, it ain't called bridge for nothing: like any layer 2
bridge the program moves packets between ports and is transparent to both
the content of the datagrams and the functionality of the protocol.
Including DNS like functionality violates that rule.
I also wanted to keep the complexity and overhead down. Otherwise, yes,
you could change from UDP to TCP, include SSL, and certificates, to make
sure we keep it safe. But that would incur quite some costs both from an
administrative point of view, as well as lots more CPU resources to run
the bridge, and also more problems in porting it to other systems.
To expand, perhaps, a little here.
If we switched to TCP, any change in IP addresses would be detected
"immediately", since the TCP connection would be lost at an IP change.
At that point, the bridge would need to re-resolve the address, and try to establish a
connection again. That would have to be repeated regularly until a connection comes up.
Since this is very blocking, we'd have to change the bridge to be threaded, so that
you have one thread per connection. And then queue packets inside the bridge, with
throwing away when queues become to large, in order to prevent other connections from
becoming affected.
In addition, this would affect the complexity of things like config reloads. Everything
is, as usual, doable, but the work involved is not trivial. And then, of course, we have
all the certificate issues, and all the code to deal with them.
And then, also, TCP can introduce unwanted network delays and burstiness. It really
don't fit well with what the bridge do. It provides services not really needed.
And I really like simple solutions... :-)
Johnny