| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 30 Aug 2017 11:36:17 +0000
From: "Mooney, Sean K" <sean.k.mooney@...el.com>
To: Hannes Frederic Sowa <hannes@...essinduktion.org>,
"Yang, Yi Y" <yi.y.yang@...el.com>
CC: "dev@...nvswitch.org" <dev@...nvswitch.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"jbenc@...hat.com" <jbenc@...hat.com>, "e@...g.me" <e@...g.me>,
"Mooney, Sean K" <sean.k.mooney@...el.com>
Subject: RE: [ovs-dev] [PATCH net-next v6 3/3] openvswitch: enable NSH
support
> -----Original Message-----
> From: ovs-dev-bounces@...nvswitch.org [mailto:ovs-dev-
> bounces@...nvswitch.org] On Behalf Of Hannes Frederic Sowa
> Sent: Wednesday, August 30, 2017 10:53 AM
> To: Yang, Yi Y <yi.y.yang@...el.com>
> Cc: dev@...nvswitch.org; netdev@...r.kernel.org; jbenc@...hat.com;
> e@...g.me
> Subject: Re: [ovs-dev] [PATCH net-next v6 3/3] openvswitch: enable NSH
> support
>
> Hello,
>
> Yi Yang <yi.y.yang@...el.com> writes:
>
> [...]
>
> > +struct ovs_key_nsh {
> > + u8 flags;
> > + u8 ttl;
> > + u8 mdtype;
> > + u8 np;
> > + __be32 path_hdr;
> > + __be32 context[NSH_MD1_CONTEXT_SIZE]; };
> > +
> > struct sw_flow_key {
> > u8 tun_opts[IP_TUNNEL_OPTS_MAX];
> > u8 tun_opts_len;
> > @@ -144,6 +154,7 @@ struct sw_flow_key {
> > };
> > } ipv6;
> > };
> > + struct ovs_key_nsh nsh; /* network service header */
> > struct {
> > /* Connection tracking fields not packed above. */
> > struct {
>
> Does it makes sense to keep the context headers as part of the flow?
> What is the reasoning behind it? With mdtype 2 headers this might
> either not work very well or will increase sw_flow_key size causing
> slowdowns for all protocols.
[Mooney, Sean K]
Having the nsh context headers in the flow is quite useful
It would allow loadblancing on values stored in the context headers
Or other use. I belive odl previously used context header 4 to store a
Flow id so this could potentialy be used with the multipath action to have ovs
Choose between several possible next hops in the chain.
Another example of where this is usefull is branching chains.
if I assume that both the classifier and
Service function forwarder are collocated in ovs on the host, and is send
A packet to a firewall service function which tags the packet as suspicious
Via setting a context header metadata field to 1, I as the sdn controller can
Install a high priority rule that will reclassify the packet as part of as separate
Service function chain the will prefer dpi on the packet before returning it to
The original chain if demand not a threat.
So while a sff dose not in general have to be able to match on the context header
If I assume I want to use ovs to implenet a classifier or service function(e.g. loadblancer)
The its desirable to be able to both match on the context headers in md type1 and also be able
To set them(this is something classifies and service fuction are allowed to do).
>
> [...]
> _______________________________________________
> dev mailing list
> dev@...nvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Powered by blists - more mailing lists