[ovs-discuss] ovn icmp reply part 2: how should it handle broadcast destination address?
Justin Pettit
jpettit at ovn.org
Wed Jun 8 19:43:18 UTC 2016
> On Jun 8, 2016, at 11:42 AM, Flaviof <flavio at flaviof.com> wrote:
>
> On Wed, Jun 8, 2016 at 2:10 PM, Darrell Ball <dlu998 at gmail.com> wrote:
>
> On Wed, Jun 8, 2016 at 6:38 AM, Flaviof <flavio at flaviof.com> wrote:
>
> As a continuation of the topic on ICMP reply rules [ml], I could not help but notice that in the logical flow, there is a match not only for the logical router's IP address but also for the L3 broadcast (op->bcast) of the subnet [1]. So I -- the curious cat -- had to try it out. ;)
>
>> It is common to not respond to directed broadcast by default and enable it only by configuration;
>> adding configuration ability for this would be an added requirement with dubious value.
>> The reasons are obviously related to DOS.
>> It may be here by default for special and/or historical reasons in NSX or Openstack.
>> Unless there is some "extra specialness" usage or above historical reasons, I would
>> say the disadvantages outweigh the meager advantages of responding to directed broadcasts.
>>
>>> Makes sense, and I agree. I'll propose the simplification in ovs-dev and bring this up in the
>>> OVN meeting tomorrow (Jun/9), to see if anybody has a diverging opinion and/or suggestion.
Coincidentally, over the weekend, I also noticed that we were responding to broadcast pings. I was planning to send a patch to disable this behavior due to DOS concerns. (I agree with Darrell that it's not worth providing a configuration option at this time.) Let's confirm at the OVN meeting tomorrow, but if no one objects, I think it makes sense. Did you want to prepare the patch?
--Justin