[ovs-discuss] Residual IP/ARP entry after a VM is powered off -> OVS passing unwanted pkts

Luiz Henrique Ozaki luiz.ozaki at gmail.com
Wed Sep 1 12:22:25 UTC 2010


Hello again ! =D

Continuing testing OVS on XS 5.6 I think I found another bug... Or seems so.

By the way, this pre-release came at a great time... I was trying to build
the source from the HEAD yesterday to see if this situation disappeared (bug
fixed already) but I was getting some problems with package versions of
autoconf.

Well, here goes:
/etc/init.d/openvswitch version
ovsdb-server (Open vSwitch) 1.1.0pre1
Compiled Sep  1 2010 06:58:14
ovs-vswitchd (Open vSwitch) 1.1.0pre1
Compiled Sep  1 2010 06:58:24
OpenFlow versions 0x1:0x1
ovs-brcompatd (Open vSwitch) 1.1.0pre1
Compiled Sep  1 2010 06:58:24

I had a ping into that IP 10.20.62.100.

TCPDUMP FROM A VM (10.20.62.100)
08:24:39.834621 IP x.x.x.x > 10.20.62.100: ICMP echo request, id 1024, seq 56759, length 40
08:24:39.834632 IP 10.20.62.100 > x.x.x.x: ICMP echo reply, id 1024, seq 56759, length 40
08:24:40.834627 IP x.x.x.x > 10.20.62.100: ICMP echo request, id 1024, seq 57271, length 40
08:24:40.834637 IP 10.20.62.100 > x.x.x.x: ICMP echo reply, id 1024, seq 57271, length 40

No problem... All working fine.

In the same Host I booted another VM with 10.20.62.31 and started pinging
that too... All good.

Then when I shut down the VM 10.20.62.31, the other VM in the same Host
starts receiving some ping requests from the other IP.

08:24:45.834609 IP x.x.x.x > 10.20.62.100: ICMP echo request, id 1024, seq 59831, length 40
08:24:45.834619 IP 10.20.62.100 > x.x.x.x: ICMP echo reply, id 1024, seq 59831, length 40
08:24:46.840751 IP x.x.x.x > 10.20.62.100: ICMP echo request, id 1024, seq 60343, length 40
08:24:46.840763 IP 10.20.62.100 > x.x.x.x: ICMP echo reply, id 1024, seq 60343, length 40
08:24:47.390737 IP x.x.x.x > 10.20.62.31: ICMP echo request, id 1024, seq 60599, length 40
08:24:47.835606 IP x.x.x.x > 10.20.62.100: ICMP echo request, id 1024, seq 60855, length 40
08:24:47.835612 IP 10.20.62.100 > x.x.x.x: ICMP echo reply, id 1024, seq 60855, length 40
08:24:48.835579 IP x.x.x.x > 10.20.62.100: ICMP echo request, id 1024, seq 61111, length 40
08:24:48.835586 IP 10.20.62.100 > x.x.x.x: ICMP echo reply, id 1024, seq 61111, length 40
08:24:49.835576 IP x.x.x.x > 10.20.62.100: ICMP echo request, id 1024, seq 61367, length 40
08:24:49.835583 IP 10.20.62.100 > x.x.x.x: ICMP echo reply, id 1024, seq 61367, length 40
08:24:50.835586 IP x.x.x.x > 10.20.62.100: ICMP echo request, id 1024, seq 61623, length 40
08:24:50.835592 IP 10.20.62.100 > x.x.x.x: ICMP echo reply, id 1024, seq 61623, length 40
08:24:51.835583 IP x.x.x.x > 10.20.62.100: ICMP echo request, id 1024, seq 61879, length 40
08:24:51.835590 IP 10.20.62.100 > x.x.x.x: ICMP echo reply, id 1024, seq 61879, length 40
08:24:52.824045 IP x.x.x.x > 10.20.62.31: ICMP echo request, id 1024, seq 62135, length 40
08:24:52.835561 IP x.x.x.x > 10.20.62.100: ICMP echo request, id 1024, seq 62391, length 40
08:24:52.835568 IP 10.20.62.100 > x.x.x.x: ICMP echo reply, id 1024, seq 62391, length 40
08:24:53.835642 IP x.x.x.x > 10.20.62.100: ICMP echo request, id 1024, seq 62647, length 40
08:24:53.835648 IP 10.20.62.100 > x.x.x.x: ICMP echo reply, id 1024, seq 62647, length 40

If I have two or more VMs on that Host, after I shut down that VM, all the
others start receiving some packets.

SETUP:
bond nics + VMs in a networked VLAN
HP FLEX-10 Switch
Net card:
The Broadcom BCM57711 10-Gigabit Dual-Port

If I boot this powered-off VM on the other hosts, these residual packets
disappear. But when I shut it down, packets start coming to other VMs.

==== insight ===

Well, while I was writing this, I've checked all my hosts and these ping
packets go all over the physical ports, pass to OVS and then to the VMs...
Seems a physical switch problem...


Hmmm... Then goes another question: Shouldn't OVS have blocked these packets
from being sent to all VMs?

08:54:35.295628 30:37:a6:01:42:44 > 2e:db:bd:66:d1:fa, ethertype IPv4 (0x0800), length 74: x.x.x.x > 10.20.62.31: ICMP echo request, id 1024, seq 698, length 40
08:54:35.295648 30:37:a6:01:42:44 > 2e:db:bd:66:d1:fa, ethertype IPv4 (0x0800), length 74: x.x.x.x > 10.20.62.31: ICMP echo request, id 1024, seq 698, length 40
08:54:35.300448 30:37:a6:01:42:44 > 12:e4:9b:bc:f4:3c, ethertype IPv4 (0x0800), length 74: x.x.x.x > 10.20.62.100: ICMP echo request, id 1024, seq 954, length 40
08:54:35.300454 12:e4:9b:bc:f4:3c > 30:37:a6:01:42:44, ethertype IPv4 (0x0800), length 74: 10.20.62.100 > x.x.x.x: ICMP echo reply, id 1024, seq 954, length 40

After all, this MAC 2e:db:bd:66:d1:fa doesn't exist anymore in the hosts/OVS...

This needed to be solved in the physical switch, but OVS sending packets
that don't belong to the VMs connected to it seems a bug (imo)... Well, I
don't know if this can be considered a bug in OVS since the problem comes to
the physical switch... But it can come from some sort of attack maybe, and OVS
will pass it through.

At least, these packets are only received by the VMs in the same VLAN...
Other VLANs don't receive that.


Now, I'm just checking if this is a problem that we should be worried about
or forgotten...


I'll go check with the network team here to dig around the physical switch.

=============

Any more info, debug, etc. please, be welcome.


Best regards,

-- 
[]'s
Luiz Henrique Ozaki
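
[Added example, not part of the original post and not Open vSwitch code.] One way to check a guest-side `tcpdump -e` capture for the symptom reported above: unicast frames delivered to a VM although their destination MAC is not one of its own. The sample lines are the ones quoted in the message with the mail wrapping undone; treating 12:e4:9b:bc:f4:3c as the capturing VM's MAC is an assumption read off the echo replies, and the function name is hypothetical.

```python
import re
from collections import Counter

# Link-level header as printed by `tcpdump -e` for IPv4:
#   <time> <src MAC> > <dst MAC>, ethertype IPv4 (0x0800), length N: <src> > <dst>: ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"ethertype \S+ \(0x[0-9a-f]{4}\), length \d+: "
    r"(?P<sip>\S+) > (?P<dip>[^:\s]+):"
)

def is_group_mac(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1

def find_stray_unicast(lines, local_macs):
    """Count unicast frames, keyed by (dst MAC, dst IP), that were neither
    addressed to nor sent by one of the MACs in local_macs."""
    local = {m.lower() for m in local_macs}
    stray = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip().lower())
        if not m:
            continue  # not a `tcpdump -e` IPv4 line (ARP, wrapped text, ...)
        if m["dmac"] in local or m["smac"] in local:
            continue  # legitimate traffic to or from this VM
        if is_group_mac(m["dmac"]):
            continue  # broadcast/multicast is expected on every port
        stray[(m["dmac"], m["dip"])] += 1
    return stray

# Assumption: MAC of the VM 10.20.62.100 on which the capture was taken.
LOCAL_MACS = ["12:e4:9b:bc:f4:3c"]

# Lines from the capture in the message above, unwrapped.
SAMPLE = """\
08:54:35.295628 30:37:a6:01:42:44 > 2e:db:bd:66:d1:fa, ethertype IPv4 (0x0800), length 74: x.x.x.x > 10.20.62.31: ICMP echo request, id 1024, seq 698, length 40
08:54:35.295648 30:37:a6:01:42:44 > 2e:db:bd:66:d1:fa, ethertype IPv4 (0x0800), length 74: x.x.x.x > 10.20.62.31: ICMP echo request, id 1024, seq 698, length 40
08:54:35.300448 30:37:a6:01:42:44 > 12:e4:9b:bc:f4:3c, ethertype IPv4 (0x0800), length 74: x.x.x.x > 10.20.62.100: ICMP echo request, id 1024, seq 954, length 40
08:54:35.300454 12:e4:9b:bc:f4:3c > 30:37:a6:01:42:44, ethertype IPv4 (0x0800), length 74: 10.20.62.100 > x.x.x.x: ICMP echo reply, id 1024, seq 954, length 40
""".splitlines()

if __name__ == "__main__":
    for (dmac, dip), n in find_stray_unicast(SAMPLE, LOCAL_MACS).items():
        print(f"{n} frame(s) for foreign MAC {dmac} (dst IP {dip})")
```

Run against a live capture, a steadily growing count for a single foreign MAC points at frames being flooded for a destination that no port currently owns.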