Features of L4

The primary job of a microkernel designed as the base of a multi-server operating system is efficient and secure message passing, since every service the system offers is reached through IPC.

The IPC mechanisms of Mach and L4 differ in two significant ways. First, Mach uses asynchronous message passing, so the kernel must buffer messages (potentially large quantities of data) between the send and the matching receive. L4 uses synchronous (rendezvous) message passing: the sender blocks until the receiver is ready and the kernel copies the message directly from one address space into the other, which involves much less work for the kernel and no kernel-side buffering.

Secondly, Mach centralises security in the kernel, which records which tasks hold `send rights' to each port and checks them on every send. L4 moves this enforcement out of the kernel and into ordinary tasks through a mechanism known as clans, first described in [clans].

Tasks are organised into Clans, each with a Chief. Within a Clan the only protection is that imposed by the receiving task itself on the basis of the sender's ID, which the microkernel attaches to every message and which a sender cannot forge. Between Clans, every Clan boundary the message crosses redirects it to that Clan's Chief, who inspects it and may reject or rewrite it before passing it on. Clans are nestable, so a hierarchy of protection domains can be built. An example of message transmission is shown in the figure below. Here the rectangles represent Clans and the circles represent tasks. The thick arrow represents the message as the sender sees it and the thin arrows represent the messages that are actually passed.

Figure: Message transmission between tasks in different Clans. (Image clan.ps not reproduced here.)

In a centralised system the kernel administers port rights, and checking them on every send adds significant overhead to each IPC call; this conflicts directly with the requirement that IPC be fast. The clan mechanism is also philosophically closer to the microkernel idea, since the point of a microkernel is to keep as little as possible in kernel space. It costs nothing when communication is intra-clan; when communication is inter-clan, each boundary crossed costs one extra IPC through a chief, so the time taken grows roughly in proportion to the number of clan boundaries traversed. It should also scale better than an in-kernel protection scheme, because each chief may implement whatever policy it likes and change it as often as it likes without any communication with the kernel. The price is trust: a chief can read and modify every message that crosses its boundary, so it is part of the trusted computing base of every task in its clan for all communication with the outside. Transparent multi-node communication can be built on the same mechanism, since a task sees no difference between talking to a task on another machine and talking to a task in a different clan on the same machine; in either case the message is intercepted, and potentially modified or forwarded over the network, by the clan's chief.
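The routing rule above (direct delivery inside a clan, one redirection to a chief per boundary crossed, outward to the lowest common ancestor and then inward, with each chief able to reject or rewrite) and the resulting IPC count are easy to get wrong when reasoning about a nested hierarchy, so here is a small model of it. This is an added example, not code from the original document or from any L4 kernel: the clan hierarchy, task names, chief policies, the `trusted` set and the messages are all constructed here for illustration. Task IDs stand in for the sender ID that the microkernel stamps on every message.

```python
"""Toy model of L4 Clans & Chiefs message routing (constructed example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# A chief's policy sees (sender_id, receiver_id, message) and returns the
# message to forward (possibly rewritten) or None to reject it.
Policy = Callable[[str, str, str], Optional[str]]


def allow_all(sender: str, receiver: str, msg: str) -> Optional[str]:
    return msg


@dataclass(eq=False)                      # compare clans and tasks by identity
class Clan:
    name: str
    parent: Optional["Clan"]
    chief: Optional["Task"] = None        # a member of the parent clan; set below
    policy: Policy = allow_all


@dataclass(eq=False)
class Task:
    tid: str
    clan: Clan
    trusted: Optional[Set[str]] = None    # receiver-side check on sender ID; None = accept all


def ancestry(clan: Clan) -> List[Clan]:
    """Clans from `clan` up to the root, inclusive."""
    chain = []
    while clan is not None:
        chain.append(clan)
        clan = clan.parent
    return chain


def route(sender: Task, receiver: Task, msg: str) -> Tuple[List[str], Optional[str]]:
    """Return (hops, delivered_msg).

    hops lists the task IDs the message actually visits; delivered_msg is None
    if some chief rejected it.  Boundaries are crossed outward from the
    sender's clan up to the lowest common ancestor, then inward down to the
    receiver's clan; each crossing is one extra IPC through that clan's chief.
    """
    up = ancestry(sender.clan)
    down = ancestry(receiver.clan)
    common = next(c for c in up if c in down)              # lowest common ancestor
    leaving = up[:up.index(common)]                        # clans exited, innermost first
    entering = list(reversed(down[:down.index(common)]))   # clans entered, outermost first

    hops = [sender.tid]
    current: Optional[str] = msg
    for clan in leaving + entering:
        chief = clan.chief
        if chief is sender or chief is receiver:
            continue                    # the chief is an endpoint; nothing to redirect
        hops.append(chief.tid)
        current = clan.policy(sender.tid, receiver.tid, current)
        if current is None:
            return hops, None           # rejected at this boundary; goes no further
    hops.append(receiver.tid)
    return hops, current


def deliver(sender: Task, receiver: Task, msg: str) -> Tuple[List[str], Optional[str]]:
    """route() plus the receiver's own check on the kernel-stamped sender ID."""
    hops, out = route(sender, receiver, msg)
    if out is not None and receiver.trusted is not None and sender.tid not in receiver.trusted:
        return hops, None               # passed every chief, refused by the receiver itself
    return hops, out


# --- constructed hierarchy (assumed, for illustration only) -----------------
root = Clan("root", None)
clan_a = Clan("A", root)
clan_b = Clan("B", root, policy=lambda s, r, m: None if s.startswith("a") else m)
clan_b1 = Clan("B1", clan_b, policy=lambda s, r, m: f"[seen by chiefB1] {m}")

chief_a = Task("chiefA", root)
clan_a.chief = chief_a
chief_b = Task("chiefB", root)
clan_b.chief = chief_b
chief_b1 = Task("chiefB1", clan_b)
clan_b1.chief = chief_b1

a1 = Task("a1", clan_a)
a2 = Task("a2", clan_a, trusted={"a1"})   # only accepts messages stamped "a1"
b1 = Task("b1", clan_b)
bb = Task("bb", clan_b1)
r = Task("r", root)

if __name__ == "__main__":
    for s, d in [(a1, a2), (a1, b1), (r, bb), (bb, r), (chief_b, b1), (chief_a, a2)]:
        hops, out = deliver(s, d, "ping")
        print(f"{s.tid}->{d.tid}: {len(hops) - 1} IPC(s) via {hops}; delivered={out!r}")
```

Running the script shows the cost model from the text directly: `a1->a2` is one IPC, `r->bb` is three (two boundaries entered), and `bb->r` is three (two boundaries left). It also shows the two distinct protection points: clan B's chief drops anything stamped with an `a*` sender before it ever reaches `b1`, while `a2` refuses a message from its own chief because its local check on the sender ID fails, no chief being involved inside the clan.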