[ovs-discuss] ovn icmp reply part 2: how should it handle broadcast destination address?

Justin Pettit jpettit at ovn.org
Wed Jun 8 19:43:18 UTC 2016


> On Jun 8, 2016, at 11:42 AM, Flaviof <flavio at flaviof.com> wrote:
> 
> On Wed, Jun 8, 2016 at 2:10 PM, Darrell Ball <dlu998 at gmail.com> wrote:
> 
> On Wed, Jun 8, 2016 at 6:38 AM, Flaviof <flavio at flaviof.com> wrote:
> 
> As a continuation of the topic on ICMP reply rules [ml], I could not help but notice that in the logical flow, there is a match not only for the logical router's IP address but also for the L3 broadcast (op->bcast) of the subnet [1]. So I -- the curious cat -- had to try it out. ;)
> 
>> It is common to not respond to directed broadcast by default and enable it only by configuration;
>> adding configuration ability for this would be an added requirement with dubious value.
>> The reasons are obviously related to DOS.
>> It may be here by default for special and/or historical reasons in NSX or Openstack.
>> Unless there is some "extra specialness" usage or above historical reasons, I would
>> say the disadvantages outweigh the meager advantages of responding to directed broadcasts.
>>  
>>> Makes sense; and I agree. I'll propose the simplification in ovs-dev and bring this up in the
>>> OVN meeting tomorrow (Jun/9); to see if anybody has a diverging opinion and/or suggestion.

Coincidentally, over the weekend, I also noticed that we were responding to broadcast pings.  I was planning to send a patch to disable this behavior due to DOS concerns.  (I agree with Darrell that it's not worth providing a configuration option at this time.)  Let's confirm at the OVN meeting tomorrow, but if no one objects, I think it makes sense.  Did you want to prepare the patch?

--Justin




