[ovs-dev] [PATCH 2/2] secchan: Better tolerate failing controller admission control in fail-open.

Ben Pfaff blp at nicira.com
Tue Sep 15 00:02:24 UTC 2009


Jesse Gross <jesse at nicira.com> writes:

> The code itself looks fine but I wonder if this is the best way to
> accomplish the goal.  Essentially we want to ping the controller with
> a packet-in after connection to see if we passed admission control.
> This does that by forcing all flow setups to the controller and not
> removing the fail open rule until we get some kind of real response.
> Instead of doing this ping with real flow setups do you think it might
> be easier to synthesize a fake flow setup that acts purely as a ping?

That's a great idea.  It would be much simpler.

Do you have an idea for a "harmless" packet to send though?  I'm
concerned that we could send out a packet that either would
confuse the controller ("WTF is that?  I don't know anything
about that MAC address!") or that it would just ignore and not
reply to.

Here's a thought.  When we're in in-band control mode we could
always synthesize a packet from the switch to the controller,
since we know that has to work properly.  Maybe an ARP, or maybe
we could pick a protocol from the Nicira OUI.

I guess maybe the risk of the controller ignoring the packet
entirely is low, since that's a bad way to implement a
controller.  Maybe we could then just pick a Nicira OUI protocol,
regardless of whether we're in-band, and use it as a probe
packet.

I'll work on this.

Thoughts?



