[ovs-discuss] Firewalling with flows

Amir Sadoughi amir.sadoughi at gmail.com
Wed Apr 9 17:58:33 UTC 2014


Hi Justin,

Sorry to revive an old thread. I've recently resumed my work on OpenStack
Neutron to allow for OVS-based security groups. Have you published any
results with your work on OVS and Linux's conntracker?

Thanks,

Amir Sadoughi


On Mon, Dec 16, 2013 at 3:31 PM, Justin Pettit <jpettit at nicira.com> wrote:

>
> On Dec 16, 2013, at 11:24 AM, Amir Sadoughi <amir.sadoughi at gmail.com>
> wrote:
>
> > How would you describe the tradeoffs between the two choices? Is it
> accurate to say reflexive learning is not as performant as it cuts into how
> many flows a megaflow can wildcard, e.g. the less that can be wildcarded,
> the more OVS will have to hit userspace for flows?
>
> Yes.  This is exactly right.  Using the learn action is strictly more
> correct, since it's only allowing return traffic that's in response to
> traffic that was previously seen.  TCP flag matching allows reasonable
> megaflows, but just blocking on the SYN flags isn't as secure, since an
> attacker can get traffic through--they just can't initiate a new
> connection.  However, I do think many hardware switches implement their
> firewalls in just such a manner.
>
> --Justin
>
>
>
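The contrast Justin draws above, as an added example that is not part of the original thread and not Open vSwitch code: a small Python simulation of a stateless TCP-flag filter (block inbound SYN-without-ACK, pass everything else) next to a reflexive, learn-style filter (outbound traffic installs an entry for its exact reverse 5-tuple) run over a constructed packet trace. The addresses, ports and the trace are made up; the ovs-ofctl flow strings in the module docstring are a sketch of the corresponding OVS syntax for orientation and were not taken from the thread. The point the simulation makes visible is the one in the reply: the SYN-only policy lets an attacker's bare-ACK probe reach the host, while the reflexive policy drops it because no outbound packet ever learned that tuple.

```python
"""Added example (not from the thread): simulate the two OVS firewall policies
Justin contrasts, a stateless TCP-flag filter versus reflexive (learn-action)
return-traffic matching, on a constructed packet trace.

Sketched OVS equivalents (illustrative, untested syntax; in_port=1 is the VM
side, in_port=2 the network side):
  # stateless: drop inbound SYN-without-ACK, let everything else through
  ovs-ofctl add-flow br0 "priority=100,tcp,in_port=2,tcp_flags=+syn-ack,actions=drop"
  # reflexive: each outbound packet learns a flow permitting its reverse 5-tuple
  ovs-ofctl add-flow br0 "priority=100,tcp,in_port=1,actions=learn(table=1,
      idle_timeout=30,priority=100,eth_type=0x800,nw_proto=6,
      NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],
      NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[]),normal"
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

PROTECTED_HOST = "10.0.0.2"   # constructed: the VM behind the security group


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: FrozenSet[str]      # subset of {"syn", "ack", "fin", "rst"}

    @property
    def inbound(self) -> bool:
        return self.dst_ip == PROTECTED_HOST

    def five_tuple(self) -> Tuple[str, str, int, int]:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port)

    def reverse_tuple(self) -> Tuple[str, str, int, int]:
        return (self.dst_ip, self.src_ip, self.dst_port, self.src_port)


def flag_filter_allows(pkt: Packet) -> bool:
    """Stateless policy (tcp_flags=+syn-ack): only block packets that would
    open a new inbound connection. Needs no per-connection state, so the
    datapath can keep wide megaflows, but any non-SYN packet gets through."""
    if pkt.inbound and "syn" in pkt.flags and "ack" not in pkt.flags:
        return False
    return True


class ReflexiveFirewall:
    """Stateful policy (learn action): outbound traffic installs an entry
    permitting only its exact reverse 5-tuple; inbound packets must hit one.
    Every learned entry is another exact-match flow, which is the megaflow
    cost the thread discusses."""

    def __init__(self) -> None:
        self.learned: set = set()

    def allows(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.learned.add(pkt.reverse_tuple())   # learn(...) on egress
            return True
        return pkt.five_tuple() in self.learned


# Constructed trace: a legitimate web fetch by the VM, then an attacker who
# first tries to open a connection and then sends a bare ACK probe.
TRACE: List[Packet] = [
    Packet(PROTECTED_HOST, "203.0.113.5", 40000, 80, frozenset({"syn"})),         # VM -> web SYN
    Packet("203.0.113.5", PROTECTED_HOST, 80, 40000, frozenset({"syn", "ack"})),  # web -> VM SYN/ACK
    Packet("198.51.100.9", PROTECTED_HOST, 4444, 22, frozenset({"syn"})),         # attacker SYN to ssh
    Packet("198.51.100.9", PROTECTED_HOST, 4444, 22, frozenset({"ack"})),         # attacker ACK-only probe
]


def simulate(trace: List[Packet] = TRACE) -> Tuple[List[bool], List[bool]]:
    """Return (verdicts from the stateless filter, verdicts from the reflexive one)."""
    reflexive = ReflexiveFirewall()
    stateless = [flag_filter_allows(p) for p in trace]
    stateful = [reflexive.allows(p) for p in trace]
    return stateless, stateful


if __name__ == "__main__":
    stateless_verdicts, stateful_verdicts = simulate()
    for pkt, a, b in zip(TRACE, stateless_verdicts, stateful_verdicts):
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
              f"{sorted(pkt.flags)} stateless={a} reflexive={b}")
```

Running it shows the fourth packet (the attacker's ACK-only probe) passing the stateless filter and being dropped by the reflexive one; the first three verdicts agree. The trade-off is visible in the ReflexiveFirewall.learned set: one exact-match entry per outbound connection, which is exactly what prevents the datapath from wildcarding those fields in a megaflow.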