[ovs-dev] Allowed Address Pairs - OVN

Ben Pfaff blp at nicira.com
Wed Jul 1 17:11:42 UTC 2015


On Wed, Jul 01, 2015 at 11:11:05AM +0300, Gal Sagie wrote:
> As you might know, allowed address pairs in Neutron is an extension to
> allow a port to have more than a pair of MAC-IP addresses assigned to it.
> This is useful for cases where a few VMs need to share a virtual MAC/IP,
> like for VRRP, load balancing, NFV use cases and so on...
> (Aaron, who implemented it as far as I know, can maybe elaborate)
> 
> It's not urgent, but I believe that we can support this in Neutron OVN (at
> least for L2) by adding all the MAC addresses configured to a certain
> logical port.
> 
> However, when L3 is going to be introduced, we can't just also add all the
> IP addresses, because security-wise this means that a certain IP must be
> assigned to a certain MAC address (please correct me if I am wrong here)
> 
> Just wanted to put this here, so when L3 design is finalized these
> connections are also taken care of in OVN for port security.

Where's the spec for allowed address pairs?  It's probably pretty easy
to implement in OVN.

(As an aside, I originally specified OVN port security to be more
general and to handle L2 and L3, but I didn't like what I'd specified
and so I dropped back to something simple and L2-only, with the idea
being that we'd enhance it to match whatever Neutron actually wants
later.  Now is the time, I guess.)
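
The point raised in the quoted message, that IP addresses cannot simply be added as a second independent list once L3 is checked, shown as an added example that is not part of the original thread and is not OVN or Neutron code. The class names, addresses and frames are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Frame(NamedTuple):
    src_mac: str
    src_ip: str

def _mac(mac):
    # Normalize case and separator so equal MACs compare equal.
    return mac.strip().lower().replace("-", ":")

def _ip(ip):
    # A malformed source address in a frame never matches anything.
    try:
        return ipaddress.ip_address(ip.strip())
    except ValueError:
        return None

class FlatPolicy:
    """MACs and IPs kept as two independent lists (hypothetical)."""
    def __init__(self, pairs):
        self.macs = {_mac(m) for m, _ in pairs}
        self.ips = {ipaddress.ip_address(i) for _, i in pairs}
    def permits(self, f):
        ip = _ip(f.src_ip)
        return ip is not None and _mac(f.src_mac) in self.macs and ip in self.ips

class PairedPolicy:
    """Each IP is bound to the MAC it was configured with (hypothetical)."""
    def __init__(self, pairs):
        self.pairs = {(_mac(m), ipaddress.ip_address(i)) for m, i in pairs}
    def permits(self, f):
        ip = _ip(f.src_ip)
        return ip is not None and (_mac(f.src_mac), ip) in self.pairs

# Constructed port configuration: the port's own pair plus one shared VRRP pair.
ALLOWED = [("fa:16:3e:00:00:01", "10.0.0.5"), ("00:00:5e:00:01:01", "10.0.0.100")]
# Constructed frames seen on the port.
FRAMES = {
    "primary": Frame("FA-16-3E-00-00-01", "10.0.0.5"),
    "vrrp": Frame("00:00:5e:00:01:01", "10.0.0.100"),
    "mixed": Frame("fa:16:3e:00:00:01", "10.0.0.100"),  # allowed MAC, other pair's IP
    "foreign_ip": Frame("fa:16:3e:00:00:01", "10.0.0.77"),
    "malformed": Frame("fa:16:3e:00:00:01", "10.0.0.999"),
}

def evaluate():
    """Return {frame name: (flat verdict, paired verdict)}."""
    flat, paired = FlatPolicy(ALLOWED), PairedPolicy(ALLOWED)
    return {n: (flat.permits(f), paired.permits(f)) for n, f in FRAMES.items()}
```

Only the "mixed" frame separates the two policies: the flat lists accept it, the bound pairs reject it.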


