[ovs-dev] [GIT PULL v2] Open vSwitch
casado at nicira.com
Mon Nov 28 15:27:22 UTC 2011
>> However, what's more worrying for me right now is the gaping
>> DoS opportunities that exist in the patch as is.
>> In particular, the whole design principle of punting all new
>> flows to user-space is an excellent way of attacking the system.
> Indeed this is an issue with OpenFlow in general.
> The general solution is to rate limit how much goes to the controller
> but even that is insufficient.

This is a common misunderstanding about OpenFlow. It does not require
the first packet of each flow to go to the controller. In fact, no
production system I'm aware of does this. Generally OpenFlow-based
solutions targeted at large environments (e.g. data center, or WAN)
send only traditional control traffic to the controller (e.g. BGP or
OSPF), or none at all.
Nicira Networks, Inc.