[ovs-discuss] ovn icmp reply part 2: how should it handle broadcast destination address?

Flaviof flavio at flaviof.com
Wed Jun 8 20:00:22 UTC 2016


On Wed, Jun 8, 2016 at 3:43 PM, Justin Pettit <jpettit at ovn.org> wrote:

>
> > On Jun 8, 2016, at 11:42 AM, Flaviof <flavio at flaviof.com> wrote:
> >
> > On Wed, Jun 8, 2016 at 2:10 PM, Darrell Ball <dlu998 at gmail.com> wrote:
> >
> > On Wed, Jun 8, 2016 at 6:38 AM, Flaviof <flavio at flaviof.com> wrote:
> >
> > As a continuation of the topic on ICMP reply rules [ml], I could not help but notice that in the logical flow, there is a match not only for the logical router's IP address but also for the L3 broadcast (op->bcast) of the subnet [1]. So I -- the curious cat -- had to try it out. ;)
> >
> >> It is common to not respond to directed broadcast by default and enable it only by configuration; adding configuration ability for this would be an added requirement with dubious value.
> >> The reasons are obviously related to DOS.
> >> It may be here by default for special and/or historical reasons in NSX or Openstack.
> >> Unless there is some "extra specialness" usage or above historical reasons, I would say the disadvantages outweigh the meager advantages of responding to directed broadcasts.
> >>
> >>> Makes sense; and I agree. I'll propose the simplification in ovs-dev and bring this up in the OVN meeting tomorrow (Jun/9); to see if anybody has a diverging opinion and/or suggestion.
>
> Coincidentally, over the weekend, I also noticed that we were responding to broadcast pings. I was planning to send a patch to disable this behavior due to DOS concerns. (I agree with Darrell that it's not worth providing a configuration option at this time.) Let's confirm at the OVN meeting tomorrow, but if no one objects, I think it makes sense. Did you want to prepare the patch?
>
>
Hi Justin,

I just pushed the patch to ovs-dev [1]. There is little room for messing that up, but then again that is often when I do. ;)

Just for the fun of it, I will have a patch with option C (splitting the logical rule into 2) in standby, in case folks scream at my simplification and/or accuse me of being lazy.

Thanks,

-- flaviof

[1]: https://patchwork.ozlabs.org/patch/632474/





> --Justin
>
>
>
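The thread above is about an OVN logical flow that answers ICMP echo requests sent to the router port's subnet broadcast (op->bcast) as well as to the port's own IP. The following audit script is an added example, not code from the thread or from the OVN project: it scans a constructed sample of `ovn-sbctl lflow-list` style output and reports any echo-reply flow whose `ip4.dst` set includes the directed-broadcast address of a router port network, so an operator can confirm whether a given deployment still carries the behaviour discussed here. The flow text, the router port networks and the regexes are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample in the style of ovn-sbctl lflow-list output (not a real
# dump). The first flow replies on both the router IP and the subnet broadcast;
# the second replies only on the router IP.
SAMPLE_LFLOWS = """\
  table=1 (lr_in_ip_input), priority=90, match=(ip4.dst == {10.0.0.1, 10.0.0.255} && icmp4.type == 8 && icmp4.code == 0), action=(ip4.dst <-> ip4.src; ip.ttl = 255; icmp4.type = 0; inport = ""; next;)
  table=1 (lr_in_ip_input), priority=90, match=(ip4.dst == 192.168.1.1 && icmp4.type == 8 && icmp4.code == 0), action=(ip4.dst <-> ip4.src; ip.ttl = 255; icmp4.type = 0; inport = ""; next;)
"""

# Networks configured on the logical router ports (assumed for the example).
ROUTER_PORT_NETWORKS = ["10.0.0.1/24", "192.168.1.1/24"]

FLOW_RE = re.compile(r"match=\((?P<match>.*?)\), action=\(")
DST_RE = re.compile(r"ip4\.dst\s*==\s*(\{[^}]*\}|\S+)")
IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def directed_broadcasts(networks):
    """Directed-broadcast address of each router port network, as strings."""
    return {str(ipaddress.ip_interface(n).network.broadcast_address)
            for n in networks}


def echo_reply_flows_on_broadcast(lflows, networks):
    """Return (match, broadcast_addr) for every ICMP echo-reply flow whose
    ip4.dst set contains a directed-broadcast address of `networks`."""
    bcasts = directed_broadcasts(networks)
    findings = []
    for line in lflows.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        match = m.group("match")
        if "icmp4.type == 8" not in match:   # only echo-request handlers
            continue
        dst = DST_RE.search(match)
        if not dst:
            continue
        for addr in IP_RE.findall(dst.group(1)):
            if addr in bcasts:
                findings.append((match, addr))
    return findings


if __name__ == "__main__":
    for match, addr in echo_reply_flows_on_broadcast(SAMPLE_LFLOWS, ROUTER_PORT_NETWORKS):
        print(f"replies to directed broadcast {addr}: {match}")
```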