[ovs-discuss] match ethertype when packet with multiple vlan tags

Dickens Yeh dickens.yeh at gmail.com
Thu Apr 20 10:58:50 UTC 2017


Okay, thanks for your response.

2017-04-18 23:49 GMT+08:00 Ben Pfaff <blp at ovn.org>:

> On Tue, Apr 18, 2017 at 10:29:50AM -0400, Eric Garver wrote:
> > On Tue, Apr 18, 2017 at 12:17:17PM +0800, Dickens Yeh wrote:
> > > Thanks for your response.
> > > I know that if I have to match multiple vlan tags, it has to pop the
> > > outer vlan.
> > > But I think my question is not the matching of vlan tags in multiple
> > > vlan, my question is matching the first vlan tag and the correct
> > > ethertype that OpenFlow Spec defined ( the ethertype after all vlan
> > > tags ), not the case that matches multiple vlan tags in a single flow
> > > entry.
> > >
> > > For example, that packet header like
> > > ffffffffffff000000000012 8100 00d0 8060 001080006040001000000000012c0a
> > > 80202000000000000c0a80302
> > > In the view of ethernet, the ethertype should be 8100, that's not a
> > > problem.
> > > In the view of openflow spec match, the ethertype should be 0806 ( ARP ),
> > > the ethertype match after vlan tags
> > > In the view of OVS match, the ethertype is 0806, the result is matching
> > > with spec.
> > >
> > > Then, if the packet header like
> > > ffffffffffff000000000012 88a8 00c0 8100 00d0 8060
> > > 001080006040001000000000012c0a80202000000000000c0a80302
> > > In the view of ethernet, the ethertype should be 88a8, the same result
> > > with one vlan tag.
> > > In the view of openflow spec match, the ethertype should be 0806 ( ARP )
> > > In the view of OVS match, the ethertype is 8100, not 0806.
> >
> > This is true if vlan-limit == 1, which is the default.
> > If vlan-limit > 1, then dl_type would be 0x0806. As I indicated earlier,
> > vlan-limit is new with 802.1ad support.
> >
> > > I think the result is strange, but I don't know that it's an issue or
> > > something else.
> >
> > Strange or not, it's this way because OVS used to only support a single
> > VLAN tag. It didn't know how to keep looking for the "true" Ethertype.
>
> It's also a security risk if OVS skips over VLAN tags and indicates the
> innermost Ethertype, because it means that the controller has no way to
> tell that it's forwarding a packet with additional VLANs that might have
> arbitrary semantics to the receivers.  On the other hand, with a VLAN
> Ethertype when the maximum number of VLANs is surpassed, the controller
> can detect and drop such packets.
>
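
Added example, not part of the original thread and not OVS code: a simplified Python model of the behaviour discussed above, where the parser stops after vlan-limit tags and reports whatever Ethertype comes next as dl_type, so a controller can drop frames whose dl_type is still a VLAN TPID. The function names, the drop policy and the sample frames are assumptions constructed for illustration.

```python
import struct

VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag Ethertypes

def classify(frame: bytes, vlan_limit: int = 1):
    """Simplified model (an assumption, not OVS source): parse at most
    vlan_limit tags, then report the next Ethertype as dl_type as-is."""
    off, vlans = 12, []  # skip destination and source MAC
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype in VLAN_TPIDS and len(vlans) < vlan_limit:
        tci, nxt = struct.unpack_from("!HH", frame, off + 2)
        vlans.append((etype, tci & 0x0FFF))  # (TPID, VLAN ID)
        etype, off = nxt, off + 4
    return vlans, etype

def controller_verdict(frame: bytes, vlan_limit: int = 1) -> str:
    """Hypothetical controller policy: drop when dl_type is still a VLAN
    TPID, i.e. the frame carries more tags than the switch parsed."""
    try:
        _, dl_type = classify(frame, vlan_limit)
    except struct.error:  # truncated header
        return "drop"
    return "drop" if dl_type in VLAN_TPIDS else "forward"

# Constructed sample frames (not the hex from the post): broadcast ARP
MACS = bytes.fromhex("ffffffffffff000000000012")
ARP = bytes.fromhex("0806") + bytes(28)  # Ethertype + zeroed ARP body
SINGLE = MACS + bytes.fromhex("8100000d") + ARP
DOUBLE = MACS + bytes.fromhex("88a8000c8100000d") + ARP
TRIPLE = MACS + bytes.fromhex("88a8000c8100000d8100000e") + ARP

if __name__ == "__main__":
    for name, frame in (("single", SINGLE), ("double", DOUBLE), ("triple", TRIPLE)):
        for limit in (1, 2):
            vlans, dl_type = classify(frame, limit)
            print(f"{name} vlan-limit={limit} dl_type=0x{dl_type:04x} "
                  f"tags={vlans} -> {controller_verdict(frame, limit)}")
```
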