[ovs-discuss] Upcall to userspace threading question

Scott Daniels daniels at research.att.com
Fri Jun 12 12:29:28 UTC 2015


Currently flow setup is done in a round-robin manner based on port to 
prevent the possibility of a denial of service attack.  However, in a 
situation where all GRE tunnels terminate on a single port (specifically 
in the case of an L3 node under OpenStack) it seems to make sense to 
further split the flow setup from a single port to prevent the 
possibility of a similar DoS attack that affects the GRE traffic.

Has this split been considered, and if so are there reasons that it 
wasn't implemented?


Somewhat related, when an action list contains a sample action it causes 
the packet to be cloned and sent to userspace. The way I read it the 
samples share the same upcall path as flow setup upcalls. Given that 
sampling would be pushing larger packets into the upcall path, compared 
to SYNs during flow setup, I assume that if the sampling rate were too 
aggressive, this could lead to a full upcall queue, which would have 
a negative impact on other traffic.

Has there been any thought given to splitting the sampling upcalls from 
the rest of the upcall "traffic?"


Thanks,
Scott


------------------------------------------------------------------------
E. Scott Daniels
PMTS - Cloud Software Research
AT&T Labs - Research
daniels AT research.att.com
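
A toy model of the concern raised in the message above, added here as an example; it is not part of the original message and is not Open vSwitch code. The upcall sizes, the byte-bounded queue, the per-tick handler budget and the split-queue layout are all constructed assumptions.

```c
#include <stdio.h>

/* Constructed model parameters (assumptions, not values taken from OVS). */
enum { MISS_BYTES = 64, SAMPLE_BYTES = 1500, RING = 4096 };
struct queue {
    int cap_bytes, used_bytes;      /* byte-bounded upcall queue */
    int item[RING];                 /* FIFO of queued upcall sizes */
    unsigned head, tail;
};

/* Enqueue one upcall; returns 0 when the queue is full and it is dropped. */
static int enq(struct queue *q, int bytes) {
    if (q->used_bytes + bytes > q->cap_bytes) return 0;
    q->item[q->tail++ % RING] = bytes;
    q->used_bytes += bytes;
    return 1;
}

/* Handler drains in FIFO order within a byte budget; returns unused budget. */
static int drain(struct queue *q, int budget) {
    while (q->head != q->tail && q->item[q->head % RING] <= budget) {
        budget -= q->item[q->head % RING];
        q->used_bytes -= q->item[q->head++ % RING];
    }
    return budget;
}

/* Flow-setup (miss) upcalls dropped over `ticks` intervals. split=0: misses and
 * samples share one queue; split=1: one queue each, same total capacity and budget. */
int dropped_misses(int split, int ticks, int misses, int samples, int cap, int budget) {
    struct queue mq = { .cap_bytes = split ? cap / 2 : cap }, sq = { .cap_bytes = cap / 2 };
    int dropped = 0;
    for (int t = 0; t < ticks; t++) {
        for (int i = 0; i < misses || i < samples; i++) {   /* interleaved arrivals */
            if (i < samples) enq(split ? &sq : &mq, SAMPLE_BYTES);
            if (i < misses) dropped += !enq(&mq, MISS_BYTES);
        }
        /* Misses are served first; budget they leave unused goes to samples. */
        int left = drain(&mq, split ? budget / 2 : budget);
        if (split) drain(&sq, budget / 2 + left);
    }
    return dropped;
}

int main(void) {
    printf("shared: %d dropped, split: %d dropped\n",
           dropped_misses(0, 100, 100, 40, 65536, 16000),
           dropped_misses(1, 100, 100, 40, 65536, 16000));
    return 0;
}
```

With this constructed load the shared queue drops flow-setup upcalls from the first interval, while the split layout drops none of them.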



