[ovs-dev] [PATCH v2 1/2] ovn: ND security vulnerability.
Justin Pettit
jpettit at ovn.org
Fri Aug 19 07:28:48 UTC 2016
> On Aug 18, 2016, at 8:46 AM, nickcooper-zhangtonghao <nickcooper-zhangtonghao at opencloud.tech> wrote:
>
> The logical routers will populate the logical router's ND table when
> receiving the NS/ND packets. If we continue to send ND advertisements or
> solicitations to a logical router, the MAC_Binding table will continue to
> increase. That may reduce system performance and cause instability and crashes.
>
> So,
> 1. When a logical router receives a neighbor advertisement, we should check the
> packet's "ip6.dst" and "ip6.src".
> 2. The logical router uses a cache to store the neighbor solicitations which
> the router sends. Only when a logical router sends a neighbor solicitation
> and gets a corresponding neighbor advertisement will the 'ovn-controller'
> update the MAC_Binding table of the SB database.
I assume some of my comments from the previous patch will apply here, so I'll wait to review it for a v3.
Thanks,
--Justin
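
The solicited-only rule from item 2 of the quoted commit message, sketched as an added example; it is not code from the patch or from OVN. The names (ns_cache_sent, na_is_solicited), the fixed table size and the entry lifetime are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PENDING_MAX 4   /* assumed bound on outstanding solicitations */
#define PENDING_TTL 3   /* assumed lifetime of an entry, in seconds */

struct pending_ns {
    uint8_t target[16]; /* IPv6 address the router solicited */
    long expires;       /* entry is live while expires > now; 0 = free */
};
struct ns_cache { struct pending_ns slot[PENDING_MAX]; };

/* Record a solicitation the router itself sent; false when the cache is full. */
bool ns_cache_sent(struct ns_cache *c, const uint8_t target[16], long now)
{
    for (int i = 0; i < PENDING_MAX; i++) {
        struct pending_ns *p = &c->slot[i];
        if (p->expires <= now) {            /* free or expired slot */
            memcpy(p->target, target, 16);
            p->expires = now + PENDING_TTL;
            return true;
        }
    }
    return false;
}

/* True only if an advertisement for 'target' answers a live solicitation. */
bool na_is_solicited(struct ns_cache *c, const uint8_t target[16], long now)
{
    for (int i = 0; i < PENDING_MAX; i++) {
        struct pending_ns *p = &c->slot[i];
        if (p->expires > now && !memcmp(p->target, target, 16)) {
            p->expires = 0;                 /* consume: one update per NS */
            return true;
        }
    }
    return false;
}

int main(void)
{
    struct ns_cache c = {0};
    uint8_t peer[16] = {0xfe, 0x80, [15] = 1};  /* constructed address */
    ns_cache_sent(&c, peer, 100);
    printf("solicited=%d\n", na_is_solicited(&c, peer, 101));
    return 0;
}
```

Because the cache is bounded and entries expire, unsolicited advertisements cannot grow either the cache or the binding table.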