[ovs-dev] [v2] proposed OVN port security specification (was: Re: Allowed Address Pairs - OVN)
Ben Pfaff
blp at nicira.com
Thu Sep 10 18:55:12 UTC 2015

I posted a patch (it still is just a proposal, no code):
http://openvswitch.org/pipermail/dev/2015-September/059861.html

On Wed, Sep 09, 2015 at 06:51:05PM -0700, Ben Pfaff wrote:
> On Wed, Sep 09, 2015 at 06:23:13PM -0700, Justin Pettit wrote:
> > > This column is provided as a convenience to cloud
> > > management systems, but all of the features that it
> > > implements can be implemented as ACLs using the ACL
> > > table.
> >
> > This is true, but if "from-host" ACL processing happens after L3, then
> > it won't have the benefit of the spoof protection afforded by the ARP
> > restrictions. My guess is that ACL processing will happen before L3,
> > but we should keep it in mind.
>
> Good point, I'll be sure to revise that text before implementing this.

I didn't know how to rephrase it so I left it as-is.