From mboxrd@z Thu Jan 1 00:00:00 1970
From: Martin Casado
Subject: Re: [GIT PULL v2] Open vSwitch
Date: Mon, 28 Nov 2011 07:27:22 -0800
Message-ID: <4ED3A85A.1030003@nicira.com>
References: <20111123075433.GA7928@gondor.apana.org.au> <1322050976.2039.125.camel@mojatatu> <20111128130409.GB16828@gondor.apana.org.au> <1322488954.7338.66.camel@mojatatu>
In-Reply-To: <1322488954.7338.66.camel@mojatatu>
To: Jamal Hadi Salim
Cc: dev-yBygre7rU0TnMu66kgdUjQ@public.gmane.org, netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Herbert Xu, David Miller
List-Id: netdev.vger.kernel.org

>> However, what's more worrying for me right now is the gaping
>> DoS opportunities that exist in the patch as is.
>>
>> In particular, the whole design principle of punting all new
>> flows to user-space is an excellent way of attacking the system.
>
> Indeed this is an issue with openflow in general.
> The general solution is to rate limit how much goes to the controller
> but even that is insufficient.
>

This is a common misunderstanding about OpenFlow.  It does not require the
first packet of each flow to go to the controller.  In fact, no production
system I'm aware of does this.  Generally OpenFlow-based solutions targeted
at large environments (e.g. data center, or WAN) send only traditional
control traffic to the controller (e.g. BGP or OSPF), or none at all.

.martin

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Martin Casado
Nicira Networks, Inc.
www.nicira.com
cell: 650-776-1457
~~~~~~~~~~~~~~~~~~~~~~~~~~~
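The three positions in the exchange above (punting every new flow is a DoS vector; rate-limiting the upcalls helps but is not sufficient; production deployments pre-install forwarding rules so a miss never reaches the controller) can be made concrete with a small model of a flow-table datapath. This is an added example, not Open vSwitch code and not code from anyone in the thread. The datapath, the bounded upcall queue (64 entries), the per-port token bucket (burst 16), the 500-packet flood and the "normal" catch-all action on a miss are all assumptions chosen for illustration; the 5-tuples are constructed.

```python
"""Model of what a flow-table miss costs under three miss policies (added example, not OVS code)."""
from collections import deque


class TokenBucket:
    """Classic token bucket: refills at `rate` tokens/sec, holds at most `burst`."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)   # start full so a quiet port can burst
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Datapath:
    """Exact-match flow table plus a bounded upcall queue toward the controller / user space."""

    def __init__(self, miss_policy="controller", queue_len=64,
                 per_port_rate=None, per_port_burst=16):
        self.flows = {}                    # key -> action (installed by the controller)
        self.miss_policy = miss_policy     # "controller" = reactive, "default" = proactive
        self.queue = deque()               # misses waiting for the controller
        self.queue_len = queue_len         # assumption: fixed depth, like any real upcall socket
        self.per_port_rate = per_port_rate # None = no upcall rate limit
        self.per_port_burst = per_port_burst
        self.buckets = {}                  # in_port -> TokenBucket
        self.stats = dict(hit=0, upcall=0, queue_full=0, rate_limited=0, default=0)

    def receive(self, key, now):
        """Return the action taken for one packet; key[0] is the ingress port."""
        action = self.flows.get(key)
        if action is not None:
            self.stats["hit"] += 1
            return action
        if self.miss_policy == "default":
            # Proactive deployment: a pre-installed catch-all rule handles the miss,
            # nothing is punted anywhere (assumed action name "normal").
            self.stats["default"] += 1
            return "normal"
        if self.per_port_rate is not None:
            bucket = self.buckets.setdefault(
                key[0], TokenBucket(self.per_port_rate, self.per_port_burst))
            if not bucket.allow(now):
                self.stats["rate_limited"] += 1
                return "drop"
        if len(self.queue) >= self.queue_len:
            # Reactive with a full queue: the miss is lost, whoever sent it.
            self.stats["queue_full"] += 1
            return "drop"
        self.queue.append(key)
        self.stats["upcall"] += 1
        return "upcall"


def simulate(miss_policy="controller", per_port_rate=None, attack_pkts=500):
    """Attacker on port 1 floods unique 5-tuples; victim on port 2 then sends one new flow.

    Returns (victim_action, stats). All packets arrive at t=0, i.e. faster than the
    controller can drain the queue or the bucket can refill.
    """
    dp = Datapath(miss_policy=miss_policy, per_port_rate=per_port_rate)
    now = 0.0
    for i in range(attack_pkts):
        # constructed: a fresh source port per packet guarantees a table miss every time
        dp.receive((1, "10.0.0.1", "10.0.0.2", "tcp", 1024 + i, 80), now)
    victim = (2, "10.0.0.2", "10.0.0.1", "tcp", 40000, 443)
    return dp.receive(victim, now), dp.stats


if __name__ == "__main__":
    for label, kw in (("reactive, no limit", {}),
                      ("reactive, per-port limit", {"per_port_rate": 100.0}),
                      ("proactive default rule", {"miss_policy": "default"})):
        action, stats = simulate(**kw)
        print("%-26s victim=%-7s %s" % (label, action, stats))
```

With no limit the attacker fills the 64-entry queue and the victim's first packet is simply dropped. A per-port bucket isolates the victim here, which is the "rate limit" mitigation Jamal mentions; it is also why he calls it insufficient: an attacker spread across many ports, or behind a single port that is legitimately busy, still consumes the shared queue and the controller's time, and the host's own CPU is spent deciding to drop. Only the proactive policy, where a table miss hits an installed catch-all rule, removes the controller from the data path entirely, which is what Martin describes for production deployments.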