[ovs-dev] [GIT PULL v2] Open vSwitch

Martin Casado casado at nicira.com
Mon Nov 28 15:27:22 UTC 2011


>> However, what's more worrying for me right now is the gaping
>> DoS opportunities that exist in the patch as is.
>>
>> In particular, the whole design principle of punting all new
>> flows to user-space is an excellent way of attacking the system.
> Indeed this is an issue with OpenFlow in general.
> The general solution is to rate limit how much goes to the controller
> but even that is insufficient.
>
This is a common misunderstanding about OpenFlow.  It does not require
the first packet of each flow to go to the controller.  In fact, no
production system I'm aware of does this.  Generally OpenFlow-based
solutions targeted at large environments (e.g. data center, or WAN)
send only traditional control traffic to the controller (e.g. BGP or
OSPF), or none at all.
.martin

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Martin Casado
Nicira Networks, Inc.
www.nicira.com
cell: 650-776-1457
~~~~~~~~~~~~~~~~~~~~~~~~~~~
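The quoted exchange above raises two points: punting every table miss upward is a DoS vector, and a plain rate limit on the punt path "is insufficient". The following simulation is an added example written for this page; it is not Open vSwitch code and not part of the thread. It models a datapath that punts table misses to a controller or user space through a token bucket, with constructed traffic (port 1 floods 1000 new flows in one second, port 2 sends ten legitimate ones) and exact integer arithmetic. The class and function names (`TokenBucket`, `UpcallLimiter`, `simulate`) and all rates are assumptions chosen for the demonstration. It shows why a single global limiter is insufficient (the flooding port drains the budget and the legitimate port gets nothing through) and how a per-port limiter in front of the global one keeps the legitimate port's flows flowing while the flood is still bounded.

```python
"""Simulate rate limiting of table-miss 'upcalls' (packets punted to a
controller or to user space) on a switch datapath.  Everything here is
constructed for the demonstration; it is not Open vSwitch code."""
from collections import defaultdict


class TokenBucket:
    """Integer token bucket: time in milliseconds, tokens scaled by 1000
    so refill arithmetic is exact (no floating-point drift)."""

    SCALE = 1000

    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s                 # tokens added per second
        self.capacity = burst * self.SCALE     # maximum stored tokens
        self.tokens = self.capacity            # start full
        self.last_ms = 0

    def allow(self, now_ms):
        # rate tokens/s is exactly rate milli-tokens per millisecond
        self.tokens = min(self.capacity,
                          self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= self.SCALE:
            self.tokens -= self.SCALE
            return True
        return False


class UpcallLimiter:
    """Decide whether a table-miss packet from in_port is punted upward.

    A single global bucket bounds the total upcall rate.  The optional
    per-port bucket (assumed design, not OVS's) stops one flooding port
    from draining the global budget and starving every other port."""

    def __init__(self, global_rate, global_burst,
                 per_port_rate=None, per_port_burst=None):
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.per_port = None
        if per_port_rate is not None:
            self.per_port = defaultdict(
                lambda: TokenBucket(per_port_rate, per_port_burst))
        self.stats = defaultdict(lambda: {"punted": 0, "dropped": 0})

    def handle_miss(self, in_port, now_ms):
        ok = True
        if self.per_port is not None:
            ok = self.per_port[in_port].allow(now_ms)
        # charge the global bucket only if the port is within its own limit
        ok = ok and self.global_bucket.allow(now_ms)
        self.stats[in_port]["punted" if ok else "dropped"] += 1
        return ok


def constructed_events():
    """Constructed traffic: port 1 presents a new flow every millisecond
    for one second; port 2 presents ten legitimate new flows, one every
    100 ms.  Sorted by (time, port) so ties are handled port 1 first."""
    events = [(t, 1) for t in range(1000)]
    events += [(t, 2) for t in range(50, 1000, 100)]
    return sorted(events)


def simulate(limiter, events=None):
    """Run the events through the limiter; return per-port punt/drop counts."""
    for t, port in (events if events is not None else constructed_events()):
        limiter.handle_miss(port, t)
    return {port: dict(s) for port, s in limiter.stats.items()}


if __name__ == "__main__":
    # global 100 upcalls/s, burst 10: port 2 is starved by port 1's flood
    print("global limit only :", simulate(UpcallLimiter(100, 10)))
    # add 20/s, burst 5 per port: port 2's ten flows all get through
    print("per-port + global :", simulate(UpcallLimiter(100, 10, 20, 5)))
```

With only the global bucket, port 1 lands on every refill instant and port 2 never finds a token (0 of 10 punted); with the per-port bucket in front, port 1 is held to its own budget and all 10 of port 2's misses are punted. The flood still exists, so the real fix the reply points to is architectural: do not depend on punting first packets at all.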