Message-ID: <20111128231424.GT3003@nicira.com>
Date:	Mon, 28 Nov 2011 15:14:24 -0800
From:	Ben Pfaff <blp@...ira.com>
To:	Jamal Hadi Salim <jhs@...atatu.com>
Cc:	Herbert Xu <herbert@...dor.apana.org.au>, dev@...nvswitch.org,
	netdev@...r.kernel.org, David Miller <davem@...emloft.net>
Subject: Re: [ovs-dev] [GIT PULL v2] Open vSwitch

On Mon, Nov 28, 2011 at 05:21:13PM -0500, Jamal Hadi Salim wrote:
> On Mon, 2011-11-28 at 08:01 -0800, Ben Pfaff wrote:
> 
> > Regarding OpenFlow rate limiting, in addition to Martin's response, Open
> > vSwitch has implemented controller rate limiting since day one.  It is
> > documented in ovs-vswitchd.conf.db(5):
> 
> Ok, I think that's a good start. My experience says just rate limiting
> may not be sufficient - unless the rate limiting is adaptive in some
> form; or just use strict prio where you let the exception traffic
> rot if you have other work - maybe that's what Martin was talking
> about.
> 
> The problem is more in the outbound towards the external controller.
> You don't have multiple queues (given a single TCP socket) and config,
> events, and exception packets are all shared in one queue.

I believe that Martin's point was that production controllers don't
usually get any packets to the controller at all, because they
configure the flow table to handle or drop all traffic.  Individual
flow table entries can direct traffic to the controller (subject
optionally to both Open vSwitch rate limiting of packets to the
controller and to any QoS policy for the controller connection), and
some controllers might use this feature to direct specific types of
traffic (e.g. LLDP) to the controller.

Open vSwitch doesn't limit a controller to a single OpenFlow TCP
connection.  A controller can set up multiple OpenFlow connections to
a single OVS bridge, use one of them for receiving packets, and use
the others for other purposes.  I don't know whether anyone does this,
because keeping the amount of traffic sent to the controller to a
minimum is effective in practice.