[ovs-dev] [PATCH v2 1/2] ovn: ND security vulnerability.

Justin Pettit jpettit at ovn.org
Fri Aug 19 07:28:48 UTC 2016


> On Aug 18, 2016, at 8:46 AM, nickcooper-zhangtonghao <nickcooper-zhangtonghao at opencloud.tech> wrote:
> 
> The logical routers will populate the logical router's ND table when
> receiving the NS/ND packets. If we continue to send ND advertisements or
> solicitations to logical router, the MAC_Binding table will continue to
> increase. That may reduce system performance and cause instability and crashes.
> 
> So,
> 1. When a logical router receives a neighbor advertisement, we should check the
>   packet's "ip6.dst" and "ip6.src".
> 2. The logical router uses a cache to store the neighbor solicitations which
>   the router sends. Only when a logical router sends a neighbor solicitation
>   and gets a corresponding neighbor advertisement will the 'ovn-controller'
>   update the MAC_Binding table of the SB database.

I assume some of my comments from the previous patch will apply here, so I'll wait to review it for a v3.

Thanks,

--Justin
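
The check described in point 2 of the quoted commit message, sketched as an added example that is not part of this thread or of the patch: a fixed-size cache of outstanding solicitations, with an advertisement allowed to create a binding only when it answers one of them. All names, the slot count and the timeout are assumptions chosen for illustration, not OVN identifiers.

```c
/* Added illustration, not OVN code: every name and constant is an assumption. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NS_CACHE_SLOTS 4      /* fixed size, so the cache itself cannot grow */
#define NS_TIMEOUT_MS  1000   /* how long a solicitation stays outstanding */

struct ns_entry {
    uint8_t target[16];       /* IPv6 address the router solicited */
    uint64_t expires_ms;
    bool in_use;
};

static struct ns_entry ns_cache[NS_CACHE_SLOTS];

/* Record a solicitation the router sent, reusing free or expired slots.
 * Returns false when every slot holds a live entry. */
bool ns_cache_add(const uint8_t target[16], uint64_t now_ms)
{
    for (int i = 0; i < NS_CACHE_SLOTS; i++) {
        struct ns_entry *e = &ns_cache[i];
        if (!e->in_use || e->expires_ms <= now_ms) {
            memcpy(e->target, target, 16);
            e->expires_ms = now_ms + NS_TIMEOUT_MS;
            e->in_use = true;
            return true;
        }
    }
    return false;
}

/* Decide whether a received advertisement may update the binding table.
 * True only if it answers an unexpired solicitation. The entry is consumed,
 * so one solicitation permits at most one binding update. */
bool na_is_solicited(const uint8_t target[16], uint64_t now_ms)
{
    for (int i = 0; i < NS_CACHE_SLOTS; i++) {
        struct ns_entry *e = &ns_cache[i];
        if (e->in_use && e->expires_ms > now_ms
            && !memcmp(e->target, target, 16)) {
            e->in_use = false;
            return true;
        }
    }
    return false;
}
```

With this gate in front of the table update, the number of bindings a sender can cause is bounded by the solicitations the router itself issued, not by the number of advertisements received.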




