[ovs-discuss] Firewalling with flows
Amir Sadoughi
amir.sadoughi at gmail.com
Wed Apr 9 17:58:33 UTC 2014
Hi Justin,
Sorry to revive an old thread. I've recently resumed my work on OpenStack
Neutron to allow for OVS-based security groups. Have you published any
results with your work on OVS and Linux's conntracker?
Thanks,
Amir Sadoughi
On Mon, Dec 16, 2013 at 3:31 PM, Justin Pettit <jpettit at nicira.com> wrote:
>
> On Dec 16, 2013, at 11:24 AM, Amir Sadoughi <amir.sadoughi at gmail.com>
> wrote:
>
> > How would you describe the tradeoffs between the two choices? Is it
> > accurate to say reflexive learning is not as performant as it cuts into how
> > many flows a megaflow can wildcard, e.g. the less that can be wildcarded,
> > the more OVS will have to hit userspace for flows?
>
> Yes. This is exactly right. Using the learn action is strictly more
> correct, since it's only allowing return traffic that's in response to
> traffic that was previously seen. TCP flag matching allows reasonable
> megaflows, but just blocking on the SYN flags isn't as secure, since an
> attacker can get traffic through--they just can't initiate a new
> connection. However, I do think many hardware switches implement their
> firewalls in just such a manner.
>
> --Justin
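A concrete form of the two approaches Justin contrasts above (a reflexive ACL built with the learn action, beside a tcp_flags filter that only blocks inbound connection attempts), added here as an example and not code from this thread or from Open vSwitch itself. The bridge name br0, port 1 as the guest side, port 2 as the network side, and the TCP-only scope are assumptions.

```shell
#!/bin/sh
# Added example: OVS flow tables for the two firewalling styles discussed
# in the thread. Assumed (not from the thread): bridge br0, port 1 = guest,
# port 2 = network, TCP only, OVS >= 2.1 for tcp_flags matching.

# Reflexive ACL: each outbound TCP packet from port 1 makes learn() install
# a return-direction 5-tuple flow in table 1. Inbound traffic on port 2 is
# forwarded only if table 1 already holds a learned entry for it, so nothing
# an outside host sends unsolicited gets through. Cost: one exact-match
# learned flow per connection, which narrows what megaflows can wildcard.
reflexive_flows() {
    cat <<'EOF'
table=0,priority=100,in_port=1,tcp,actions=learn(table=1,idle_timeout=300,priority=100,NXM_OF_ETH_TYPE[],NXM_OF_IP_PROTO[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],output:NXM_OF_IN_PORT[]),output:2
table=0,priority=50,in_port=2,tcp,actions=resubmit(,1)
table=0,priority=0,actions=drop
table=1,priority=0,actions=drop
EOF
}

# Flag-based filter: drop inbound segments that would open a connection
# (SYN set, ACK clear), pass everything else. Megaflows stay wide, but any
# non-SYN segment from outside reaches the guest, exactly the gap the thread
# points out.
tcp_flag_flows() {
    cat <<'EOF'
table=0,priority=100,in_port=1,tcp,actions=output:2
table=0,priority=100,in_port=2,tcp,tcp_flags=+syn-ack,actions=drop
table=0,priority=50,in_port=2,tcp,actions=output:1
table=0,priority=0,actions=drop
EOF
}

# Count learned return-direction entries in table 1 on a live bridge, a
# quick check that the reflexive variant is really populating state.
learned_entry_count() {
    ovs-ofctl dump-flows "${1:-br0}" table=1 | grep -c 'priority=100'
}

# Install one rule set on a bridge: install_flows reflexive|flags [bridge]
install_flows() {
    br=${2:-br0}
    case $1 in
        reflexive) reflexive_flows ;;
        flags)     tcp_flag_flows ;;
        *) echo "usage: install_flows reflexive|flags [bridge]" >&2; return 2 ;;
    esac | ovs-ofctl add-flows "$br" -
}

# Run directly with "reflexive" or "flags" to print that rule set without
# touching any bridge.
if [ $# -gt 0 ]; then
    case $1 in reflexive) reflexive_flows ;; flags) tcp_flag_flows ;; esac
fi
```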