The developers of the wolfSSL cryptographic library are developing the wolfIP TCP/IP stack, optimized for use on resource-constrained embedded devices, as well as for real-time systems and safety-critical applications. To ensure predictable resource consumption, wolfIP does not use dynamic memory allocation—all buffers and socket tables have a fixed size and are configured at compile time. The project's code is written in C and distributed under the GPLv3 license.
The project can be used as a user-space TCP/IP stack replacement for the Linux, FreeBSD, and macOS networking stack, and is also suitable for embedded systems based on FreeRTOS, SafeRTOS, Zephyr, Azure RTOS ThreadX, NuttX, RTEMS, VxWorks, and QNX. Furthermore, wolfIP can be used to create self-contained bare-metal network applications. When combined with the wolfSSL library, it provides support for TLS 1.3, enabling the creation of compact embedded systems that support HTTPS.
Key features of wolfIP:
- Use of pre-allocated buffers in static memory when processing network packets. Malloc and free calls are not used.
- Can be used instead of standard system network stacks on POSIX systems.
- Support for BSD sockets in non-blocking and blocking mode.
- Compact size (4200 lines of code, 4 times smaller than the lwIP TCP/IP stack).
- Support for STM32 Ethernet network interfaces.
- Possibility of using TAP network interface for testing work without equipment.
- Development with an eye on systems with increased security requirements: deterministic and reproducible configuration; a deployment model that ensures security (Secure-by-default); isolation between components. Support for secure version upgrades; long-term maintenance.
- Taking into account the requirements for highly reliable systems: no dynamic resource allocation; fixed memory pools; controlled resource usage; predictable behavior; simplified architecture; support for generating artifacts for verification.
- Implementation of IPv4, UDP, TCP, IPSEC, ARP, ICMP, DHCP client, DNS client, and HTTP/HTTPS server. Support in the TCP implementation of RFC 7323 (TCP Timestamps, RTT measurement, PAWS, Window Scaling), MSS (Maximum Segment Size), RTO (Retransmission Timeout), and SACK (Selective Acknowledgment). Several congestion control algorithms.
One of the limitations of wolfIP is that wolfIP can only be used as an end node, capable of accepting and establishing connections, but does not support routing traffic between network interfaces.
Additionally, Red Hat employees are actively developing a similar TCP/IP stack, passt, which operates in user space and does not use dynamic memory allocation. The passt project is being developed to establish a communication channel between the host environment and guest systems in QEMU as a more secure replacement for libslirp. The passt code is written in C, contains approximately 5000 lines, and is distributed under the GPLv2+ license.
Some of the features of passt include: IPv6 support In addition to IPv4, optimizations based on AVX2 instructions, protection against synflood, built-in support for QEMU, libvirt and Podman, packages for all popular distributions, ARP proxy service, minimalistic DHCPD, DHCPv6 and NDP servers, seccomp profile for blocking all unused system calls, NAT support, the ability to use as a transparent replacement for slirp4netns.
Source: opennet.ru
