[ovs-dev] [PATCH 0/3] ovn: Make the ARP/ND more secure.

nickcooper-zhangtonghao nickcooper-zhangtonghao at opencloud.tech
Tue Aug 23 10:41:36 UTC 2016


IPv6 defines an NUD mechanism that can help determine quickly whether
neighbors have disconnected or gone down. The OVN uses the same mechanism
for both IPv4 and IPv6. According to Section 7.3.2 in RFC 2461, a Neighbor
Cache entry should be in one of five states: INCOMPLETE, REACHABLE, STALE,
DELAY, PROBE. The OVN supports only INCOMPLETE, REACHABLE, PROBE in this patch.

You can find more information in RFC 2461 section 7.3.2.

* The logical routers use a cache to store the ARP/NS requests and set their
state to INCOMPLETE. Only when logical routers get a corresponding ARP/NS reply
will the "ovn-controller" update the cache and set their state to NUD_REACHABLE.

* More than ReachableTime milliseconds have elapsed since the last positive
confirmation was received that the forward path was functioning properly.
If no reachability confirmation is received within NEIGHBOUR_REACHABLE_TIME
seconds, send a Neighbor Solicitation and change the state to PROBE.

* According to Section 4.6 in RFC 5944, we should update the MAC address of existing
entries in the case of gratuitous ARP.

nickcooper-zhangtonghao (3):
  ovn: Don't learn from unrequested ARP replies.
  ovn: Don't learn from ND packets.
  ovn: update manpage, ovn-sb.xml

 include/ovn/actions.h           |   7 +
 ovn/controller/ovn-controller.c |   2 +-
 ovn/controller/pinctrl.c        | 356 +++++++++++++++++++++++++++++-----------
 ovn/controller/pinctrl.h        |   2 +-
 ovn/lib/actions.c               |  29 +++-
 ovn/lib/automake.mk             |   1 +
 ovn/northd/ovn-northd.c         |  84 +++++++---
 ovn/ovn-sb.xml                  |  39 +++++
 ovn/utilities/ovn-trace.c       |  25 +++
 9 files changed, 423 insertions(+), 122 deletions(-)

-- 
1.8.3.1
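As an added illustration of the neighbour-cache rules the cover letter describes (this is example code written for this page, not code from the patch series or from OVN), the following C program models a cache with the three states the series implements: a request creates an INCOMPLETE entry, only a reply to an outstanding request moves it to REACHABLE, a timer moves stale REACHABLE entries to PROBE, unrequested replies are ignored, and a gratuitous ARP refreshes the MAC of an existing entry only. The function names, the cache layout and the 30-second NEIGHBOUR_REACHABLE_TIME value are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the cover letter's neighbour cache (three of the
 * five RFC 2461 states). Names and timer value are assumptions. */
enum nud_state { NUD_NONE = 0, NUD_INCOMPLETE, NUD_REACHABLE, NUD_PROBE };

#define NEIGHBOUR_REACHABLE_TIME 30 /* seconds; assumed value */
#define CACHE_SIZE 8

struct neigh_entry {
    bool in_use;
    uint32_t ip;          /* host-order IPv4; IPv6 follows the same logic */
    uint8_t mac[6];
    enum nud_state state;
    long confirmed_at;    /* time of the last positive confirmation */
};

static struct neigh_entry cache[CACHE_SIZE];

void neigh_reset(void) { memset(cache, 0, sizeof cache); }

static struct neigh_entry *neigh_lookup(uint32_t ip)
{
    for (int i = 0; i < CACHE_SIZE; i++) {
        if (cache[i].in_use && cache[i].ip == ip) return &cache[i];
    }
    return NULL;
}

enum nud_state neigh_state(uint32_t ip)
{
    struct neigh_entry *e = neigh_lookup(ip);
    return e ? e->state : NUD_NONE;
}

const uint8_t *neigh_mac(uint32_t ip)
{
    struct neigh_entry *e = neigh_lookup(ip);
    return e ? e->mac : NULL;
}

/* Router is about to send an ARP request / NS for ip: a new entry starts in
 * INCOMPLETE, a PROBE entry stays in PROBE. Returns true when a solicitation
 * should go out; a REACHABLE entry needs none. */
bool neigh_solicit(uint32_t ip, long now)
{
    struct neigh_entry *e = neigh_lookup(ip);
    if (e) return e->state != NUD_REACHABLE;
    for (int i = 0; i < CACHE_SIZE; i++) {
        if (!cache[i].in_use) {
            cache[i].in_use = true;
            cache[i].ip = ip;
            cache[i].state = NUD_INCOMPLETE;
            cache[i].confirmed_at = now;
            return true;
        }
    }
    return false; /* cache full: fail rather than evict */
}

/* ARP reply / NA for ip: accepted only if the router asked (INCOMPLETE or
 * PROBE). Any other reply is unrequested and ignored, so stray replies can
 * neither seed nor overwrite entries. */
bool neigh_reply(uint32_t ip, const uint8_t mac[6], long now)
{
    struct neigh_entry *e = neigh_lookup(ip);
    if (!e || (e->state != NUD_INCOMPLETE && e->state != NUD_PROBE)) return false;
    memcpy(e->mac, mac, 6);
    e->state = NUD_REACHABLE;
    e->confirmed_at = now;
    return true;
}

/* Gratuitous ARP (sender IP == target IP): refresh the MAC of an entry that
 * already exists; never create one. */
bool neigh_gratuitous(uint32_t sender_ip, uint32_t target_ip, const uint8_t mac[6])
{
    struct neigh_entry *e;
    if (sender_ip != target_ip || !(e = neigh_lookup(sender_ip))) return false;
    memcpy(e->mac, mac, 6);
    return true;
}

/* Periodic timer: REACHABLE entries not confirmed within
 * NEIGHBOUR_REACHABLE_TIME move to PROBE (caller re-solicits them).
 * Returns the number of entries moved. */
int neigh_tick(long now)
{
    int moved = 0;
    for (int i = 0; i < CACHE_SIZE; i++) {
        struct neigh_entry *e = &cache[i];
        if (e->in_use && e->state == NUD_REACHABLE
            && now - e->confirmed_at > NEIGHBOUR_REACHABLE_TIME) {
            e->state = NUD_PROBE;
            moved++;
        }
    }
    return moved;
}
```

The point of the model is the gating in neigh_reply: the reply path never creates an entry and never touches a REACHABLE one, so the only way into the cache is a request the router itself originated, which is the property patch 1 of the series is after.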