[ovs-dev] Allowed Address Pairs - OVN

Ben Pfaff blp at nicira.com
Wed Jul 1 17:47:38 UTC 2015


On Wed, Jul 01, 2015 at 12:25:58PM -0500, Kyle Mestery wrote:
> On Wed, Jul 1, 2015 at 12:11 PM, Ben Pfaff <blp at nicira.com> wrote:
> > Where's the spec for allowed address pairs?  It's probably pretty easy
> > to implement in OVN.
> >
> The API developer documentation is here [1]. The BP with a link to a Google
> doc (this was implemented in 2013) is here [2].
> 
> [1] http://specs.openstack.org/openstack/neutron-specs/specs/api/allowed_address_pairs.html
> [2] https://blueprints.launchpad.net/neutron/+spec/allowed-address-pairs

It's not as explicit about the meaning as I would like.  Is the
following correct?

A packet is allowed if one of the following is true:

    1. Its MAC address is 'mac_address' and, if it is an IP packet, its
       IP address is one of those in 'fixed_ips'.

    2. Its MAC address is in 'allowed_address_pairs' and, if it is an IP
       packet, its IP address is in the same 'allowed_address_pairs'
       pair.

How is IPv6 handled?  I suppose that 'fixed_ips' and the 'ip_address'
part of an 'allowed_address_pairs' pair can be an IPv6?

What happens to an IPv6 packet if 'mac_address' matches but 'fixed_ips'
only lists IPv4 addresses?  Conversely, what happens to an IPv4 packet
if 'mac_address' matches but 'fixed_ips' only lists IPv6 addresses?

Are ARP packets supposed to have their inner IPv4 and MAC addresses
filtered by these rules?  How about IPv6 ND packets?

(All of the possibilities above, in either direction, are implementable
in OVN, but I didn't know what precedent had been set in Neutron or
whether that precedent was set for good reason or for convenience, so
I've only implemented L2 port security so far.)

Thanks a lot; this is a discussion I've been meaning to have for a
while.
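The two-rule reading of port security proposed in the message above, written out as an added reference check (not OVN or Neutron code, and not part of the original thread). It takes the literal reading of rule 1: an IP packet whose MAC matches 'mac_address' passes only if its IP address is actually listed in 'fixed_ips', so the IPv6-packet-with-IPv4-only-'fixed_ips' case the message asks about is dropped here. Two further assumptions are made and marked in the code: the 'ip_address' of an allowed pair may be an address or a CIDR prefix, and a pair with no 'mac_address' defaults to the port's own MAC. The `Port` and `Packet` types and the sample port are constructed for the example; non-IP frames carry no `src_ip` and are only checked on MAC. ARP and ND payload filtering, the other open question, is deliberately not modelled.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    """Constructed model of the Neutron port fields the thread discusses."""
    mac_address: str
    fixed_ips: list                     # plain IPv4/IPv6 address strings
    allowed_address_pairs: list = field(default_factory=list)
    # each pair: {"mac_address": "...", "ip_address": "..."}; mac_address optional


@dataclass
class Packet:
    """Constructed model of the parts of a frame that port security looks at."""
    src_mac: str
    src_ip: Optional[str] = None        # None for non-IP frames (e.g. plain L2)


def _norm_mac(mac: str) -> str:
    return mac.lower()


def _ip_matches(ip, spec: str) -> bool:
    # Assumption: an allowed pair's ip_address is an address or a CIDR prefix.
    net = ipaddress.ip_network(spec, strict=False)
    return ip.version == net.version and ip in net


def packet_allowed(pkt: Packet, port: Port) -> bool:
    """Return True if pkt passes port security under the two rules in the mail."""
    mac = _norm_mac(pkt.src_mac)
    ip = ipaddress.ip_address(pkt.src_ip) if pkt.src_ip is not None else None

    # Rule 1: port MAC, and for IP packets the IP must be one of fixed_ips.
    # Literal reading: an address family absent from fixed_ips is not allowed.
    if mac == _norm_mac(port.mac_address):
        if ip is None:
            return True
        if any(ip == ipaddress.ip_address(f) for f in port.fixed_ips):
            return True
        # fall through: the same MAC may also appear in an allowed pair

    # Rule 2: MAC and (for IP packets) IP must come from the same pair.
    for pair in port.allowed_address_pairs:
        # Assumption: a pair without mac_address uses the port's own MAC.
        pair_mac = _norm_mac(pair.get("mac_address") or port.mac_address)
        if mac != pair_mac:
            continue
        if ip is None or _ip_matches(ip, pair["ip_address"]):
            return True

    return False


# Constructed sample port: one IPv4 and one IPv6 fixed IP, one pair with its
# own MAC, and one VIP prefix bound to the port's own MAC (a VRRP-style setup).
SAMPLE_PORT = Port(
    mac_address="fa:16:3e:00:00:01",
    fixed_ips=["10.0.0.5", "fd00::5"],
    allowed_address_pairs=[
        {"mac_address": "fa:16:3e:00:00:02", "ip_address": "10.0.0.100"},
        {"ip_address": "192.168.1.0/24"},
    ],
)

# Constructed port with IPv4-only fixed_ips, to show the literal reading.
V4_ONLY_PORT = Port(mac_address="fa:16:3e:00:00:09", fixed_ips=["10.0.0.9"])


if __name__ == "__main__":
    for pkt in (Packet("fa:16:3e:00:00:01", "10.0.0.5"),
                Packet("fa:16:3e:00:00:01", "10.0.0.6"),
                Packet("fa:16:3e:00:00:01", "192.168.1.77"),
                Packet("fa:16:3e:00:00:02", "10.0.0.101"),
                Packet("fa:16:3e:00:00:03")):
        print(pkt, "->", "allow" if packet_allowed(pkt, SAMPLE_PORT) else "drop")
    print("v6 packet on v4-only port ->",
          "allow" if packet_allowed(Packet("fa:16:3e:00:00:09", "fd00::9"), V4_ONLY_PORT) else "drop")
```

The fall-through after rule 1 matters: a packet from the port's own MAC with a VIP address is rejected by 'fixed_ips' but accepted by the second pair, which is exactly the case allowed address pairs exist for. Whether the literal reading of rule 1 for mixed address families is what Neutron actually does is the open question in the message; the function makes that choice visible in one place so it can be flipped once the precedent is known.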
