Message-ID: <4ED3A85A.1030003@nicira.com>
Date: Mon, 28 Nov 2011 07:27:22 -0800
From: Martin Casado <casado@...ira.com>
To: Jamal Hadi Salim <jhs@...atatu.com>
CC: Herbert Xu <herbert@...dor.apana.org.au>, dev@...nvswitch.org,
netdev@...r.kernel.org, David Miller <davem@...emloft.net>
Subject: Re: [ovs-dev] [GIT PULL v2] Open vSwitch
>> However, what's more worrying for me right now is the gaping
>> DoS opportunities that exist in the patch as is.
>>
>> In particular, the whole design principle of punting all new
>> flows to user-space is an excellent way of attacking the system.
> Indeed this is an issue with openflow in general.
> The general solution is to rate limit how much goes to the controller
> but even that is insufficient.
>
This is a common misunderstanding about OpenFlow. It does not require
the first packet of each flow to go to the controller. In fact, no
production system I'm aware of does this. Generally OpenFlow-based
solutions targeted at large environments (e.g. data center, or WAN)
send only traditional control traffic to the controller (e.g. BGP or
OSPF), or none at all.
.martin
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Martin Casado
Nicira Networks, Inc.
www.nicira.com
cell: 650-776-1457
~~~~~~~~~~~~~~~~~~~~~~~~~~~
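The thread above raises two points: an unbounded stream of flow misses punted to user space is a denial-of-service vector, and rate limiting what reaches the controller is the usual (if partial) answer. The following is an added example, not code from Open vSwitch or from anyone in this thread, showing why the limit needs to be keyed per ingress port rather than global: a single token bucket lets one flooding port consume the whole budget and starve every other port's legitimate misses. Port numbers, the rates and the replayed packet trace are constructed for the illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: one token bucket per ingress port bounding how many
 * flow-miss packets may be punted to user space. MAX_PORTS, the rates and
 * the trace below are assumptions, not Open vSwitch values. */
#define MAX_PORTS 8

struct upcall_bucket {
    double tokens;      /* current credit, in packets */
    double rate;        /* refill rate, packets per second */
    double burst;       /* bucket capacity, packets */
    uint64_t last_ns;   /* time of the last refill */
};

struct upcall_limiter {
    struct upcall_bucket port[MAX_PORTS];
    uint64_t punted;    /* misses handed to user space */
    uint64_t dropped;   /* misses discarded in the datapath */
};

void limiter_init(struct upcall_limiter *l, double rate, double burst, uint64_t now_ns)
{
    for (int i = 0; i < MAX_PORTS; i++) {
        l->port[i].tokens = burst;   /* start full so a quiet port gets its burst */
        l->port[i].rate = rate;
        l->port[i].burst = burst;
        l->port[i].last_ns = now_ns;
    }
    l->punted = 0;
    l->dropped = 0;
}

/* Decide whether a flow miss arriving on in_port at now_ns may be punted.
 * Returns true to punt it, false to drop it without touching user space. */
bool limiter_admit(struct upcall_limiter *l, int in_port, uint64_t now_ns)
{
    if (in_port < 0 || in_port >= MAX_PORTS) {   /* unknown port: never punt */
        l->dropped++;
        return false;
    }
    struct upcall_bucket *b = &l->port[in_port];
    double elapsed_s = (double)(now_ns - b->last_ns) / 1e9;
    b->last_ns = now_ns;
    b->tokens += elapsed_s * b->rate;            /* refill for elapsed time */
    if (b->tokens > b->burst) {
        b->tokens = b->burst;                    /* never bank more than one burst */
    }
    if (b->tokens >= 1.0) {
        b->tokens -= 1.0;
        l->punted++;
        return true;
    }
    l->dropped++;
    return false;
}

/* Replay a constructed trace: port 1 floods 1000 misses 10 us apart while
 * port 2 sends one miss every 50 ms. Returns how many of port 2's 20 misses
 * were punted; with per-port buckets the flood on port 1 cannot starve it. */
uint64_t replay_trace(struct upcall_limiter *l)
{
    uint64_t t = 0, port2_punted = 0;
    limiter_init(l, 100.0, 20.0, t);   /* 100 misses/s sustained, burst of 20, per port */
    for (int i = 0; i < 1000; i++) {
        t += 10000;                     /* 10 us apart: far above port 1's budget */
        limiter_admit(l, 1, t);
    }
    for (int i = 0; i < 20; i++) {
        t += 50000000;                  /* 50 ms apart: well within port 2's budget */
        if (limiter_admit(l, 2, t)) {
            port2_punted++;
        }
    }
    return port2_punted;
}

int main(void)
{
    struct upcall_limiter l;
    uint64_t port2 = replay_trace(&l);
    printf("punted=%" PRIu64 " dropped=%" PRIu64 " port2_punted=%" PRIu64 "\n",
           l.punted, l.dropped, port2);
    return 0;
}
```

In the replayed trace port 1 gets its burst of 20 and then only what the 100/s refill allows over 10 ms (at most one more packet), so roughly 980 of its misses are dropped in the datapath, while all 20 of port 2's misses are punted. A single shared bucket would have let port 1 drain the credit and drop port 2's traffic too; the per-port key is what turns "rate limit the controller path" into something that actually isolates tenants or ports from one another.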