Virtual Networking Devices: Difference between revisions

In physical world, computer systems typically consist of one or more physical network adapter something like ethx, enox.

However, in virtual networking world, TUN, TAP and veth Pairs are used for virtual network connectivity on host. which we can assign an IP to it, analyze the traffic, route traffic to it etc.^[1]

Ref - packetcoders io

Basic aspects and limitations of standard Linux bridges^[2]

• A “tap” device attached to one Linux bridge cannot be attached to another Linux bridge.
• All attached devices are switched into the promiscuous mode.
• The bridge itself (not a tap device at a port!) can get an IP address and may work as a standard Ethernet device. The host can communicate via this address with other guests attached to the bridge.
• Properly configured the bridge transfers packets directly between two specific bridge ports related to the communication stream of 2 attached guests – without exposing the communication to other ports and other guests. The bridge may learn and update the relevant association of MAC addresses to bridge ports.
• The virtual bridge device itself – in its role as an Ethernet device – does not work in promiscuous mode. However, packets arriving through one of its ports for (yet) unknown addresses may be flooded to all ports.
• You cannot bridge a Linux bridge directly by or with another Linux bridge (no Linux bridge cascading). You can neither connect a Linux bride to another Linux bridge via a “tap” device.

vtap (network tap)

A virtual “tap” device is a virtual single point to point device - a file descriptor (fd) is read/written, operates in layer 2 carrying raw Ethernet frames - in user space program or inside of virtual machine. KVM/qemu virtualization uses vtap.^[3]

Because it works at layer two, vtap transport any network protocols (IPv4, IPv6, Netalk, IPX, etc) and Ethernet frames but non-IP based traffic that can work with bridge not router.

vtun (tunnel)

like vtap, vtun device is a single point to point device in user space program. however, it operates at layer 3 carrying IP based packets^[3].

vtun is commonly used by VPN clients to establish a connection between the client and the OS networking stack. This allows a VPN to encrypt your data before forwarding it onto the VPN server through the tunnel. Because vtun works at layer three of the networking stack, it deals exclusively in network protocol packets (IPv4 and IPv6 packets) and can only be used for routing (not for bridging)

veth

A virtual "eth" devices are a pairs of connected virtual Ethernet interfaces like physical network cable with both end. each veth-device of a pair can be attached to different virtual networking components together, such as Linux bridges, OVS bridges and LXC containers or VMware network.

*KVM guest need to have macVtap/macVlan to bridge a veth^[4].

References