[ovs-dev] OVN: Compromised Chassis Mitigation

Ben Pfaff blp at ovn.org
Thu Mar 16 16:44:36 UTC 2017

Thanks for working on this!  I have a few comments.  To summarize, the
proposals are:

    (1) Eliminate Need for Writes to SB DB by ovn-controller
    (2) Introduce "Trusted Agent" for Writes to SB DB
    (3) Add General-Purpose Transaction ACL Support to ovsdb-server

Regarding (1), I think that we've basically eliminated it, unless
someone comes up with solutions to the unsolved problems.

Regarding (2), I haven't seen much discussion.  I don't know whether
that's because people dislike it or because there's less detail and
therefore less to discuss.  What I like about it is that it seems
inherently more flexible, since we can invent arbitrary semantics that
don't have to be implemented in a general-purpose fashion for the
database.  The downside, of course, is that it isn't easily reusable for
other databases but is OVN-specific.

The issue that you raised with (2), about how ovn-controller might
quickly retry RPCs since it can't immediately see the database updates,
is one that I hadn't thought of before.  I suspect that it could be
mitigated in a reasonable way by limiting the rate at which
ovn-controller retries RPCs.  If that isn't an adequate solution,
though, it might be a trickier issue.

Regarding (3), there's been a ton of discussion.  I think that this
approach is really promising.  I have two concerns.  First, at a high
level, I hope that whatever we design here is something that will be
useful not just for OVN today but for OVN tomorrow, so I hope that we
can think about whether any of the directions we're going are ones that
will require more sophisticated ACLs.  (I don't have a specific problem
in mind there.)  Second, I'm worried about anything that requires
ovn-northd to frequently update ACL rows.  I'd hope, rather, that we can
make the ACLs flexible enough that this is an uncommon case.  The
"owner"/"authorization" direction seems promising for this, to me.

Also, I apologize for getting these comments in only just before the OVN