Message-ID: <20121113132842.2414d381@nehalam.linuxnetplumber.net>
Date: Tue, 13 Nov 2012 13:28:42 -0800
From: Stephen Hemminger <shemminger@...tta.com>
To: David L Stevens <dlstevens@...ibm.com>
Cc: David Miller <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [PATCH net-next] add DOVE extensions for VXLAN
On Tue, 13 Nov 2012 15:21:22 -0500
David L Stevens <dlstevens@...ibm.com> wrote:
>
> This patch provides extensions to VXLAN for supporting Distributed
> Overlay Virtual Ethernet (DOVE) networks. The patch includes:
>
> + a dove flag per VXLAN device to enable DOVE extensions
> + ARP reduction, whereby a bridge-connected VXLAN tunnel endpoint
> answers ARP requests from the local bridge on behalf of
> remote DOVE clients
> + route short-circuiting (aka L3 switching). Known destination IP
> addresses use the corresponding destination MAC address for
> switching rather than going to a (possibly remote) router first.
> + netlink notification messages for forwarding table and L3 switching
> misses
>
> Signed-off-by: David L Stevens <dlstevens@...ibm.com>
I am happy to see VXLAN getting real traction.
There are some issues with this.
1. The DOVE flag is mixing multiple functions (ARP and route) together;
users may want one without the other.
2. There is an implicit assumption that the IP stack has a valid IP address
in the tenant network (vxlan). This is rarely the case. For security
and other reasons, in my opinion the best practice is not to have
the bridge as part of the tenant network.
3. Misses might be common and this could easily be used to DoS the host
from a malicious guest.
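The miss-notification concern in point 3 is easiest to see in a small model of the DOVE lookup and miss path. The following is an added example, not code from the patch or from the kernel's vxlan driver: a hypothetical per-device forwarding table that serves the ARP-reduction and L3-switching lookups, plus a token-bucket limiter (constants MISS_BURST and MISS_INTERVAL_MS are assumed) so that a guest flooding unknown destinations produces a bounded number of netlink miss notifications instead of one per packet.

```c
/* Constructed model of a DOVE-style VXLAN device: IP -> MAC forwarding
 * table for ARP reduction / L3 switching, and a rate limiter on the
 * "miss" notifications sent to userspace. Not the kernel's code. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define FDB_MAX 16
#define MISS_BURST 5           /* assumed: max notifications per burst */
#define MISS_INTERVAL_MS 1000  /* assumed: MISS_BURST tokens refill per second */

struct fdb_entry { uint32_t ip; uint8_t mac[6]; };

struct dove_dev {
    struct fdb_entry fdb[FDB_MAX];
    int nfdb;
    int tokens;              /* token bucket for miss notifications */
    uint64_t last_ms;        /* time of last refill */
    unsigned long notified, suppressed;
};

void dove_init(struct dove_dev *d) { memset(d, 0, sizeof *d); d->tokens = MISS_BURST; }

/* Learn a tenant IP -> MAC mapping (e.g. pushed by the DOVE controller). */
void dove_fdb_add(struct dove_dev *d, uint32_t ip, const uint8_t mac[6]) {
    if (d->nfdb >= FDB_MAX) return;
    d->fdb[d->nfdb].ip = ip;
    memcpy(d->fdb[d->nfdb].mac, mac, 6);
    d->nfdb++;
}

/* Lookup used both to answer ARP locally and to short-circuit L3 routing.
 * Returns true and fills mac when the destination is known. */
bool dove_lookup(const struct dove_dev *d, uint32_t ip, uint8_t mac[6]) {
    for (int i = 0; i < d->nfdb; i++)
        if (d->fdb[i].ip == ip) { memcpy(mac, d->fdb[i].mac, 6); return true; }
    return false;
}

/* Miss path: returns true if a netlink miss notification should be sent
 * now, false if it is suppressed because the guest exceeded the budget. */
bool dove_miss_notify(struct dove_dev *d, uint64_t now_ms) {
    int refill = (int)((now_ms - d->last_ms) * MISS_BURST / MISS_INTERVAL_MS);
    if (refill > 0) {
        d->tokens = (d->tokens + refill > MISS_BURST) ? MISS_BURST : d->tokens + refill;
        d->last_ms = now_ms;
    }
    if (d->tokens > 0) { d->tokens--; d->notified++; return true; }
    d->suppressed++;
    return false;
}
```

The suppressed counter is what a defender would export (e.g. as a device statistic) to detect a guest that keeps generating misses after the budget is exhausted.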