[ovs-dev] OVN: Compromised Chassis Mitigation
Ben Pfaff
blp at ovn.org
Thu Mar 16 16:44:36 UTC 2017
Thanks for working on this! I have a few comments. To summarize, the
proposals are:

(1) Eliminate Need for Writes to SB DB by ovn-controller
(2) Introduce "Trusted Agent" for Writes to SB DB
(3) Add General-Purpose Transaction ACL Support to ovsdb-server

Regarding (1), I think that we've basically eliminated it, unless
someone comes up with solutions to the unsolved problems.

Regarding (2), I haven't seen much discussion. I don't know whether
that's because people dislike it or because there's less detail and
therefore less to discuss. What I like about it is that it seems
inherently more flexible, since we can invent arbitrary semantics that
don't have to be implemented in a general-purpose fashion for the
database. The downside, of course, is that it isn't easily reusable for
other databases but is OVN-specific.

The issue that you raised with (2), about how ovn-controller might
quickly retry RPCs since it can't immediately see the database updates,
is one that I hadn't thought of before. I suspect that it could be
mitigated in a reasonable way by rate-limiting the rate at which
ovn-controller retries RPCs. If that isn't an adequate solution,
though, it might be a trickier issue.

Regarding (3), there's been a ton of discussion. I think that this
approach is really promising. I have two concerns. First, at a high
level, I hope that whatever we design here is something that will be
useful not just for OVN today but for OVN tomorrow, so I hope that we
can think about whether any of the directions we're going are ones that
will require more sophisticated ACLs. (I don't have a specific problem
in mind there.) Second, I'm worried about anything that requires
ovn-northd to frequently update ACL rows. I'd hope, rather, that we can
make the ACLs flexible enough that this is an uncommon case. The
"owner"/"authorization" direction seems promising for this, to me.

Also, I apologize for getting these comments in only just before the OVN
meeting.
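As an added example (not code from this thread, nor from ovsdb-server or OVN), the following toy evaluator sketches what the "owner"/"authorization" direction under (3) could look like: one static rule per table names the column that identifies the owning chassis, and a write is allowed only if every row it creates, touches, or produces is owned by the authenticated principal (or, for bindings, is unowned so a chassis can claim it, or is being released). The table and column names loosely mirror the OVN southbound schema, the op format loosely follows OVSDB "transact" operations, and the principal is assumed to be a chassis name obtained from an authenticated client connection; all of these are assumptions made here for illustration.

```python
"""Toy per-row "owner" ACL for OVSDB-style transactions.

Added example, not code from ovsdb-server or OVN. The principal is assumed
to be the chassis name taken from an authenticated client (e.g. a TLS client
certificate); the op format loosely follows OVSDB "transact" operations; and
the table/column names are assumptions that loosely mirror the OVN SB schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    owner_column: str   # column whose value identifies the owning chassis
    ops: frozenset      # write ops permitted on rows the principal owns


# Constructed ACL: one static rule per table, so nothing has to be rewritten
# by ovn-northd as chassis and port bindings come and go.
ACL = {
    "Chassis": Rule("name", frozenset({"insert", "update", "delete"})),
    "Encap": Rule("chassis_name", frozenset({"insert", "update", "delete"})),
    # A chassis may only claim or release a binding, never create or delete one.
    "Port_Binding": Rule("chassis", frozenset({"update"})),
}

READ_ONLY_OPS = {"select", "wait", "comment"}


def _matches(row, where):
    """Evaluate a simplified OVSDB 'where' clause (only '==' is supported)."""
    for col, cmp, val in where:
        if cmp != "==":
            raise ValueError(f"unsupported comparison {cmp!r}")
        if row.get(col) != val:
            return False
    return True


def check_op(principal, op, db):
    """Return (allowed, reason) for one op against the current db snapshot."""
    kind = op["op"]
    if kind in READ_ONLY_OPS:
        return True, "read-only op"
    table = op["table"]
    rule = ACL.get(table)
    if rule is None or kind not in rule.ops:
        return False, f"{kind} on {table} is not permitted for any chassis"
    col = rule.owner_column
    # Owner values a write may leave behind: the principal itself, or empty
    # (an unclaimed/released binding). Anything else is a write on behalf of
    # another chassis, which is exactly what a compromised chassis would try.
    permitted = {principal, None}
    if kind == "insert":
        if op["row"].get(col) != principal:
            return False, f"insert into {table} sets {col}={op['row'].get(col)!r}"
        return True, "ok"
    targets = [r for r in db.get(table, []) if _matches(r, op["where"])]
    for r in targets:
        if r.get(col) not in permitted:
            return False, f"{kind} on {table} row owned by {r.get(col)!r}"
    if kind == "update" and op["row"].get(col, principal) not in permitted:
        return False, f"update would hand {table} row to {op['row'][col]!r}"
    return True, "ok"


def check_transaction(principal, ops, db):
    """All-or-nothing: deny the whole transaction if any op is denied."""
    for op in ops:
        ok, why = check_op(principal, op, db)
        if not ok:
            return False, why
    return True, "ok"


# Constructed sample southbound contents.
SAMPLE_DB = {
    "Chassis": [{"name": "hv1"}, {"name": "hv2"}],
    "Port_Binding": [
        {"logical_port": "lp1", "chassis": "hv1"},
        {"logical_port": "lp2", "chassis": None},   # unbound
    ],
}

if __name__ == "__main__":
    claim = [{"op": "update", "table": "Port_Binding",
              "where": [["logical_port", "==", "lp2"]], "row": {"chassis": "hv2"}}]
    steal = [{"op": "update", "table": "Port_Binding",
              "where": [["logical_port", "==", "lp1"]], "row": {"chassis": "hv2"}}]
    print("hv2 claims lp2:", check_transaction("hv2", claim, SAMPLE_DB))
    print("hv2 steals lp1:", check_transaction("hv2", steal, SAMPLE_DB))
```

The point of keying the rule on an owner column rather than on per-row grants is the second concern raised above: the rule set is written once and does not change as ovn-northd adds or removes rows, so a chassis that is compromised can still only damage the rows it already owned.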