[ovs-git] [openvswitch/ovs] 617609: ovn: Set critical bit in Geneve option.
noreply at github.com
Wed Aug 17 01:53:03 UTC 2016
Author: Jesse Gross <jesse at kernel.org>
Date: 2016-08-16 (Tue, 16 Aug 2016)
ovn: Set critical bit in Geneve option.
Currently the Geneve option type that OVN uses is 0, which in
Geneve marks this as non-critical. Non-critical means that if a
receiver does not recognize this option, it is free to ignore it
and continue processing the packet.
OVN uses its option to transmit things like input and output port
which are used to enforce security policies and direct packets to
their correct location. If the recipicient of a packet ignored this
information then it would likely be a security hole. This would seem
to qualify the option as critical.
There's no issue in an instance of OVN as currently written - the
receiver will always match on the option data. However, if a
theoretical future version that did not use this option was connected
or a third-party component was introduced then it's possible that this
might be accidentally ignored.
This patch changes the option type used by OVN to include the
critical bit to properly mark the intention. Obviously, this will
cause interoperability issues with any existing deployments but
it should be fine while OVN is still labeled as experimental.
Signed-off-by: Jesse Gross <jesse at kernel.org>
Acked-by: Russell Bryant <russell at ovn.org>
More information about the git