Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 16 Next »

The Internet Stack

Every application program interacts with the Internet through a programming interface provided by the Operating System Kernel known as the Socket API originally defined by UC Berkeley in its BSD Unix system. A client program can specify one network adapter by its IP address or let the operating system choose the best available adapter. It specifies the other end (the server) by an IP address (determined by looking up the name in DNS) and the port number of a service (such as 443 for the Web https: protocol). A connection is established between the client and server through the internet. Each end then sends data by presenting varying length blocks of bytes which are treated as a continuous stream of bytes delivered to the other end.

The Socket API is presented to programs by the operating system Kernel. Within the Kernel there are steps in the processing of the data traditionally referred to as Layers.

TCP is responsible for ensuring that the data is received by the other end and recovering if some data is corrupted or lost somewhere in the Internet. It maintains a count of bytes sent from one end and a count of bytes successfully received at the other end. The sender must maintain a copy of bytes sent but not yet acknowledged (the “window” of data in transit) so that lost data can be retransmitted until it is successfully received. Data sent is preceded by a “TCP header” with the number assigned to the first byte of data being sent or acknowledged and the port number associated with the program that is the client or server at each end.

IP is responsible for routing data through the internet from the sending computer to the receiving computer. An IP Header containing the IP address of the sender and destination is placed in front of packets containing the TCP Header and program data.

Ethernet is responsible for sending the IP packet from a computer to the router/gateway device that connects each computer to the corporate or campus network or to the network of your Internet Service Provider. Except in special cases, the maximum size of an Ethernet packet is around 1500 bytes. Each LAN adapter has a 6-byte Ethernet ID number, and each packet on the network has an Ethernet Header with the 6-byte ID of the sending adapter and the destination adapter.

The original Ethernet hardware is no longer used, but today the Ethernet standard is emulated by adapters that connect to wires, fiber optic cables, cable TV, WiFi, Bluetooth, the 5G cellphone network, or to Starlink satellites. There are obviously vastly different types of equipment to connect to all these different types of transmission, but the operation to “send this 1500 byte Ethernet packet on the network” is universal and is, therefore, the way that all the different types of networks communicate with each other through gateway modem and router boxes.

Virtual Networks

A Virtual Machine behaves as if it were a computer. It runs an operating system and presents to that OS the appearance of one or more Ethernet network adapters. To simplify things, a VM only sees a simple wired LAN adapter, like the wired “RJ45” port built into every PC sold today.

In datacenters with specialized server hardware, there may be specialized network adapters that communicate directly with many virtual machines. In this case, the VM networks is provided by specialized hardware. However, when you run VMs on your own home or office computer, Windows has to somehow connect both the applications running on the native Windows system and the VMs running on Hyper-V to every type of network adapter that you could choose to plug into your desktop or laptop computer. This includes the LAN adapter on the motherboard, the WiFi card, adapter cards plugged into a PCIe slot, or external adapters connected by USB or Thunderbolt.

In the Kernel, communication from programs to every network adapter goes though device driver support providing the TCP layer process, then the IP layer processing, then the Ethernet layer processing. Once the Ethernet packet is formed, the next step can involve sending the data to a chip on the motherboard, an adapter card, or out the USB connector to hardware that connects to anything.

So, Hyper-V stops at the point where the Ethernet packet has been formed before things get complicated. The Ethernet packet is universal. In the simple case where a VM is talking to a program on the host Windows system, no hardware has to be involved. The Ethernet packet built by a Linux VM can be simply moved in memory to the Windows Kernel, and Ethernet packets built by Windows can be moved in memory to the Linux VM kernel.

Windows has code that turns the host Windows system in to a gateway device for the VMs. Hyper-V always creates a “Default” network to which VMs can be connected, and if that is the only network you define then the VMs can talk to the host computer or the Internet through the Windows host system without any further configuration. However, the Default network does not allow other computers to talk to the VMs.

VMs can be connected to a real LAN adapter so that they appear as real computers on the real network and can communicate with other devices on the network. To do this, an administrator on the Windows host has to select one or more LAN adapters that will either be shared between Windows and the VMs or will be dedicated to the VMs.

If a network adapter is dedicated to one or more VMs, then it is removed from the list of adapters that the Windows applications can see (although the administrator still sees it in the list of devices). Essentially, the Windows Kernel cuts off all of the layers above the Ethernet packet processing for that device. Windows does not provide the socket, TCP, or IP processing.

Meanwhile, in the VM most modern operating systems have a special network device driver that the OS uses when it discovers that it is running in a Hyper-V VM. This Hyper-V VM network adapter supports the socket, TCP, and IP layer processing and stops when the VM has created an Ethernet packet that is ready to be sent out.

Hyper-V provides a service (the “V-bus”) that allows the host Windows Kernel to exchange data with the VMs. Through this service, the Ethernet layer in any VM can send an Ethernet packet to the Windows Kernel, where it is pugged into the Ethernet layer of the real network adapter that was configured to support VM network access. Similarly, Ethernet packets received by the physical network adapter can be sent back to the Ethernet layer of the VM where they move up through the IP, then TCP, then socket layers and are received by the application program running on the VM.

If a physical network adapter on the host Windows system is to be shared between regular Windows applications and also VMs, then when that adapter is prepared by Hyper-V for use by the VMs it is split into two separate “devices”. As in the previous example, on “device” consists of the real adapter starting at the Ethernet packet layer and then proceeding down through the various hardware layers. A separate network adapter is created for use by the Windows applications. It provides the socket, TCP, and IP processing and stops at the Ethernet packet layer. Windows programs can send data through this device, but when the data reaches the Ethernet layer then the packets are transferred inside the Kernel from the “host Windows system network adapter with the top half of the network stack down to and stopping at the Ethernet layer” dummy network adapter to the “host Windows Kernel network adapter bottom half of the network stack starting with Ethernet and going down to the specific real hardware shared between the host system and the VMs” device.

Each VM supervisor (Hyper-V, VMWare, VirtualBox, …) does the same thing, but each has its own way of presenting the three connection options (the Default network where the VMs are isolated inside the host system, a dedicated LAN adapter connected to VMs but not to the host system, or a LAN adapter shared between host applications and VMs).

Hyper-V chooses to present these options through the metaphore of a Virtual Switch. When reading the Hyper-V documentation, it is important to know that Hyper-V doesn’t even try to duplicate the behavior of a real network switch, so you should not assume that this virtual switch behaves in any way like a real switch. It is just an attempt by Microsoft to present the available network configuration options for Virtual Machines while avoiding the real description of Layers of network processing that you have just read.

Hyper-V Virtual Switches

Two physical PCs can be connected to each other by running a simple Ethernet cable between the RJ45 LAN adapter jacks exposed by both machines. This “network” consists of just the two machine cannot be used to access the Internet or anything else.

To connect three or more devices, you need to connect them to a “network switch” device. You can buy them from Amazon or Newegg for (at time or writing) as little as $14. A switch allows every device connected to it to communicate with each other, and if the switch is connected directly or indirectly to a gateway device, they can access the Internet through it.

When you configure a VM in Hyper-V, you can assign it one or more virtual network adapters. Modern operating systems recognize the Hyper-V virtual network adapter as a specific supported device and they have drivers for it.

Hyper-V automatically creates the Default virtual switch. A VM Hyper-V virtual network adapter can be “connected” to the Default switch. Then any network traffic from the VM goes through gateway code in the Windows host system and can access the Internet. However, this gateway logic only supports client programs in the VM and makes them appear to be applications running on the host Windows system. The VMs are hidden from other computers. This is frequently exactly what you want.

Every Hyper-V virtual switch can be connected to any virtual network adapter on any VM. If that is all you do, then the virtual switch is something like buying a $15 physical switch from Amazon and connecting it to unused RJ45 plugs on physical computers you own that presumably get their internet access over WiFi. If the switch is not connected to any gateway, then the computers can use it to exchange data between themselves, but not for anything else.

There are then two things you can do to a Hyper-V virtual switch that make it more interesting. You can connect it to the host Windows application programs and you can connect it to a physical network adapter on the host computer.

This paper has already described both options, but in terms of how they are actually implemented inside the host Windows Kernel by truncating the device driver layers on the physical network device above the Ethernet level and by creating a second dummy network adapter device that has no hardware but supports the socket, TCP, and IP layers above the Ethernet packet layer.

Truncating the upper processing layers and attaching the Ethernet down to the hardware part of a physical Ethernet adapter to a Hyper-V switch changes it to an “External” Hyper-V switch. You can do this when you create the switch or at any time in the future. You can remove an Ethernet adapter from a switch, or you can change which adapter is connected to which switch at any time.

Similarly, at any time you can create a dummy host operating system network adapter that contains only the processing layers down to Ethernet and attach it to any Hyper-V virtual switch.

However

  • You cannot change the Default switch. It is what it is and you leave it alone.

  • You can only have one physical network adapter connected to a switch at any time. You can add an adapter to any switch that doesn’t have one, delete an adapter from any switch that has one, and change the adapter associated with any switch, but there is no provision for two adapters to be connected to the same switch and trying to accomplish this by connecting two switches to a VM with some sort of bridging software will not work. You can connect them to a VM with some router software, but then you are connecting two distinct networks.

  • You can only have one host dummy network adapter connected to a switch at any time.

VLANs

If you don’t know about VLANs or do not use them, ignore this.

Since Hyper-V switches are themselves virtual, you can create as many as you want. The only use for VLANs is when you have a physical network adapter connected to a switch that is connected to a network that not only supports VLANs but where the connection to the adapter is configured as “tagged” (meaning that the adapter can send Ethernet packets with a prefix that selects which VLAN the packet is associated with).

Each VM virtual adapter can be configured with a specific numeric VLAN number, and if the host is sharing use of this physical adapter, then its dummy network adapter connected to the virtual switch can also be assigned a VLAN ID number.

  • No labels