[ovs-dev] [v2] proposed OVN port security specification (was: Re: Allowed Address Pairs - OVN)

Ben Pfaff blp at nicira.com
Thu Sep 10 01:51:05 UTC 2015


On Wed, Sep 09, 2015 at 06:23:13PM -0700, Justin Pettit wrote:
> > On Jul 2, 2015, at 5:39 PM, Ben Pfaff <blp at nicira.com> wrote:
> Sorry.  I hadn't realized this was waiting for feedback.

Honestly I figured the next step was to produce a patch rather than a
document.

> >              This column is provided as a convenience to cloud
> >              management systems, but all of the features that it
> >              implements can be implemented as ACLs using the ACL
> >              table.
> 
> This is true, but if "from-host" ACL processing happens after L3, then
> it won't have the benefit of the spoof protection afforded by the ARP
> restrictions.  My guess is that ACL processing will happen before L3,
> but we should keep it in mind.

Good point, I'll be sure to revise that text before implementing this.


