[ovs-dev] [PATCH 2/2] secchan: Better tolerate failing controller admission control in fail-open.

Jesse Gross jesse at nicira.com
Tue Sep 15 02:21:20 UTC 2009

Ben Pfaff wrote:
> Jesse Gross <jesse at nicira.com> writes:
>> The code itself looks fine but I wonder if this is the best way to
>> accomplish the goal.  Essentially we want to ping the controller with
>> a packet-in after connection to see if we passed admission control.
>> This does that by forcing all flow setups to the controller and not
>> removing the fail open rule until we get some kind of real response.
>> Instead of doing this ping with real flow setups do you think it might
>> be easier to synthesize a fake flow setup that acts purely as a ping?
> That's a great idea.  It would be much simpler.
> Do you have an idea for a "harmless" packet to send though?  I'm
> concerned that we could send out a packet that either would
> confuse the controller ("WTF is that?  I don't know anything
> about that MAC address!") or that it would just ignore and not
> reply to.
> Here's a thought.  When we're in in-band control mode we could
> always synthesize a packet from the switch to the controller,
> since we know that has to work properly.  Maybe an ARP, or maybe
> we could pick a protocol from the Nicira OUI.
> I guess maybe the risk of the controller ignoring the packet
> entirely is low, since that's a bad way to implement a
> controller.  Maybe we could then just pick a Nicira OUI protocol,
> regardless of whether we're in-band, and using it as a probe
> packet.

I agree, ignoring packets completely seems like a bad decision on 
controller's part.  It is technically allowed according to the spec if 
the controller wants all packets to be sent to it and is too lazy to 
install a CONTROLLER rule.  However in this case neither mechanism will 

I think probably sending something from the switch to the controller 
using a Nicira OUI protocol is about as good as anything else.  The only 
other thing that I can think of is saving a packet from a previous flow 
and replaying that as the probe packet.  However, that is more work for 
something that is of marginal benefit and has it's own set of problems.

More information about the dev mailing list