From: David Miller
Subject: Re: [GIT net-next] Open vSwitch
Date: Sun, 03 Aug 2014 21:21:31 -0700 (PDT)
Message-ID: <20140803.212131.1256448650945676000.davem@davemloft.net>
References: <1406851057-1593-1-git-send-email-pshelar@nicira.com> <20140802.151630.929949940730781279.davem@davemloft.net>
To: pshelar@nicira.com
Cc: netdev@vger.kernel.org

From: Pravin Shelar
Date: Sun, 3 Aug 2014 12:20:32 -0700

> On Sat, Aug 2, 2014 at 3:16 PM, David Miller wrote:
>> From: Pravin B Shelar
>> Date: Thu, 31 Jul 2014 16:57:37 -0700
>>
>>> Following patch adds mask cache so that we do not need to iterate over
>>> all entries in mask list on every packet. We have seen good performance
>>> improvement with this patch.
>>
>> How much have you thought about the DoS'ability of openvswitch's
>> datastructures?
>>
> This cache is populated by flow lookup in fast path. The mask cache is
> fixed in size. Userspace or number of packets can not change its size.
> Memory is statically allocated, no garbage collection. So DoS attack
> can not exploit this cache to increase ovs memory footprint.

An attacker can construct a packet sequence such that every mask cache lookup misses, making the cache effectively useless.
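As an added illustration that is not part of this thread or of the Open vSwitch code: a toy model of a fixed-size mask cache in front of a mask list, loosely following the design the thread describes (a slot chosen from the packet hash remembers which mask matched last time). The slot count, hash values and traffic patterns are constructed assumptions; the model exists to separate the two claims above, bounded memory versus bounded per-packet work.

```python
# Toy model of a fixed-size mask cache (constructed for illustration; not
# the Open vSwitch implementation). A slot chosen from the packet hash
# remembers which mask in the list matched that hash last time.
MC_ENTRIES = 256  # assumed slot count; fixed at creation, never grows


class MaskCacheModel:
    def __init__(self, n_masks, size=MC_ENTRIES):
        self.n_masks = n_masks
        self.entries = [None] * size  # per slot: (pkt_hash, mask_index)
        self.hits = 0
        self.misses = 0
        self.masks_tried = 0          # masks examined, summed over all packets

    def lookup(self, pkt_hash, matching_mask):
        """Return how many masks had to be tried for this packet."""
        slot = pkt_hash % len(self.entries)
        cached = self.entries[slot]
        tried = 0
        if cached is not None and cached[0] == pkt_hash:
            tried += 1                      # try the remembered mask first
            if cached[1] == matching_mask:
                self.hits += 1
                self.masks_tried += tried
                return tried
        # Miss: walk the mask list in order until the matching mask is found,
        # then remember it. Memory use is unchanged; only the work grows.
        self.misses += 1
        tried += matching_mask + 1
        self.entries[slot] = (pkt_hash, matching_mask)
        self.masks_tried += tried
        return tried


def steady_traffic(n_pkts, n_flows, n_masks):
    """Constructed benign load: a small set of flows repeating in rotation."""
    flows = [(f * 7919, f % n_masks) for f in range(n_flows)]
    return [flows[i % n_flows] for i in range(n_pkts)]


def churn_traffic(n_pkts, n_masks):
    """Constructed worst case: every packet is a new flow, matched by the last mask."""
    return [(i * 1_000_003 + 1, n_masks - 1) for i in range(n_pkts)]


def run(model, traffic):
    """Feed a traffic list through the model and report hit/miss statistics."""
    for pkt_hash, mask_idx in traffic:
        model.lookup(pkt_hash, mask_idx)
    return {"hits": model.hits, "misses": model.misses,
            "avg_masks_tried": model.masks_tried / len(traffic)}
```

Under steady traffic nearly every packet costs one mask check after warm-up; under churn every packet misses and pays the full mask-list walk, while the cache's footprint is identical in both runs.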