Difference between revisions of "Differences between venet and veth"

From OpenVZ Virtuozzo Containers Wiki
Jump to: navigation, search
(Differences between venet and veth)
 
 
(11 intermediate revisions by 8 users not shown)
Line 1: Line 1:
= Differences between venet and veth =
+
OpenVZ provides [[veth]] (Virtual ETHernet) or [[venet]] (Virtual NETwork) devices (or both) for in-[[CT]] networking. Here we describe the differences between those devices.
* veth allows broadcasts in VE, so you can use even dhcp server inside VE or samba server with domain broadcasts or other such stuff.
+
 
* veth has some security implications, so is not recommended in untrusted environments like HSP. This is due to broadcasts, traffic sniffing, possible IP collisions etc. i.e. VE user can actually ruin your ethernet network with such direct access to ethernet layer.
+
* ''veth'' allows broadcasts in CT, so you can use even a DHCP server inside a CT, or a samba server with domain broadcasts or other such stuff.
* With venet device, only node administrator can assign an IP to a VE. With veth device, network settings can be fully done on VE side. VE should setup correct GW, IP/mask etc and node admin then can only choose where your traffic goes.
+
* ''veth'' has some security implications. It is normally bridged directly to the host physical ethernet device and so must be treated with the same considerations as a real ethernet device on a standalone host. The CT users can access a ''veth'' device as they would a real ethernet interface. However, the CT root user is the only one that has priviledged access to the ''veth'' device.
* veth devices can be bridged together and/or with other devices. For example, in host system admin can bridge veth from 2 VEs with some VLAN eth0.X. In this case, these 2 VEs will be connected to this VLAN.
+
* With ''venet'' device, only OpenVZ host node administrator can assign an IP to a CT. With ''veth'' device, network settings can be fully done on CT side by the CT administrator. CT should setup correct gateway, IP/netmask etc. and then a [[HN|node]] admin can only choose where your traffic goes.
* venet device is a bit faster and more efficient.
+
* ''veth'' devices can be bridged together and/or with other devices. For example, in host system admin can bridge ''veth'' from 2 CTs with some VLAN eth0.X. In this case, these 2 CTs will be connected to this VLAN.
* With veth devices IPv6 auto generates an address from MAC.
+
* ''venet'' device is a bit faster and more efficient.
 +
* With ''veth'' devices, IPv6 auto generates an address from MAC.
  
 
The brief summary:
 
The brief summary:
 
{| class="wikitable" style="text-align: center;"
 
{| class="wikitable" style="text-align: center;"
 
|+ '''Differences between veth and venet'''
 
|+ '''Differences between veth and venet'''
! Feature !! veth !! venet
+
! Feature !! [[veth]] !! [[venet]]
 
|-
 
|-
 
! MAC address
 
! MAC address
 
| {{yes}} || {{no}}
 
| {{yes}} || {{no}}
 
|-
 
|-
! Broadcasts inside VE
+
! Broadcasts inside CT
 
| {{yes}} || {{no}}
 
| {{yes}} || {{no}}
 
|-
 
|-
Line 22: Line 23:
 
|-
 
|-
 
! Network security
 
! Network security
| low <ref>Due to broadcasts, sniffing and possible IP collisions etc.</ref> || hi
+
| style="background: #ffdddd" | Low <ref>Independent of host.  Each CT must setup its own separate network security.</ref>
 +
| style="background: #ddffdd" | High<ref>Controlled by host.</ref>
 
|-                         
 
|-                         
 
! Can be used in bridges
 
! Can be used in bridges
 
| {{yes}} || {{no}}
 
| {{yes}} || {{no}}
 +
|-
 +
! IPv6 ready
 +
| {{yes}} || {{yes}}
 
|-
 
|-
 
! Performance
 
! Performance
| fast || fastest
+
| style="background: #ffdddd" | Fast
 +
| style="background: #ddffdd" | Fastest
 
|-
 
|-
 
|}
 
|}
 
<references/>
 
<references/>
 +
 +
 +
[[Category: Networking]]

Latest revision as of 10:17, 22 March 2012

OpenVZ provides veth (Virtual ETHernet) or venet (Virtual NETwork) devices (or both) for in-CT networking. Here we describe the differences between those devices.

  • veth allows broadcasts in CT, so you can use even a DHCP server inside a CT, or a samba server with domain broadcasts or other such stuff.
  • veth has some security implications. It is normally bridged directly to the host physical ethernet device and so must be treated with the same considerations as a real ethernet device on a standalone host. The CT users can access a veth device as they would a real ethernet interface. However, the CT root user is the only one that has priviledged access to the veth device.
  • With venet device, only OpenVZ host node administrator can assign an IP to a CT. With veth device, network settings can be fully done on CT side by the CT administrator. CT should setup correct gateway, IP/netmask etc. and then a node admin can only choose where your traffic goes.
  • veth devices can be bridged together and/or with other devices. For example, in host system admin can bridge veth from 2 CTs with some VLAN eth0.X. In this case, these 2 CTs will be connected to this VLAN.
  • venet device is a bit faster and more efficient.
  • With veth devices, IPv6 auto generates an address from MAC.

The brief summary:

Differences between veth and venet
Feature veth venet
MAC address Yes No
Broadcasts inside CT Yes No
Traffic sniffing Yes No
Network security Low [1] High[2]
Can be used in bridges Yes No
IPv6 ready Yes Yes
Performance Fast Fastest
  1. Independent of host. Each CT must setup its own separate network security.
  2. Controlled by host.
Retrieved from "https://wiki.openvz.org/index.php?title=Differences_between_venet_and_veth&oldid=12145"