> However, what's more worrying for me right now is the gaping
> DoS opportunities that exist in the patch as is.
>
> In particular, the whole design principle of punting all new
> flows to user-space is an excellent way of attacking the system.
> Indeed this is an issue with openflow in general.
> The general solution is to rate limit how much goes to the controller
> but even that is insufficient.

This is a common misunderstanding about OpenFlow. It does not require the first packet of each flow to go to the controller. In fact, no production system I'm aware of does this. Generally OpenFlow-based solutions targeted at large environments (e.g. data center, or WAN) send only traditional control traffic to the controller (e.g. BGP or OSPF), or none at all.
.martin

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Martin Casado
Nicira Networks, Inc.
www.nicira.com
cell: 650-776-1457
~~~~~~~~~~~~~~~~~~~~~~~~~~~
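To make the quoted concern concrete (punting every new flow to the controller, with a rate limiter in front of it), here is a small added simulation; it is not Open vSwitch code and the arrival rates, limiter parameters and the token-bucket policy are constructed assumptions. It shows why a plain rate limit alone does not protect the controller: a flood of new flows from one source consumes the packet-in budget and starves legitimate new flows at the switch.

```python
"""Simulate an OpenFlow switch that punts every new flow to the controller
behind a token-bucket rate limiter. Added example, not Open vSwitch code;
arrival pattern and limiter parameters are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Token bucket: refills `rate` packet-ins/s up to `capacity` tokens."""
    rate: float
    capacity: float
    tokens: float
    last: float = 0.0

    def allow(self, now: float) -> bool:
        """Admit one packet-in at time `now` if a token is available."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def arrivals(rate: float, seconds: float, source: str):
    """Evenly spaced new-flow arrivals (constructed, not measured traffic)."""
    k = 1
    while rate > 0 and k / rate <= seconds:
        yield (k / rate, source)
        k += 1


def simulate(legit_rate, attack_rate, limit_rate, burst, seconds=10.0):
    """Count how many new flows from each source reach the controller when
    the switch forwards at most `limit_rate` packet-ins/s (burst `burst`).
    Returns {source: (admitted, total)}."""
    bucket = TokenBucket(rate=limit_rate, capacity=burst, tokens=burst)
    events = sorted(list(arrivals(legit_rate, seconds, "legit"))
                    + list(arrivals(attack_rate, seconds, "attack")))
    stats = {"legit": [0, 0], "attack": [0, 0]}  # [admitted, total]
    for t, src in events:
        stats[src][1] += 1
        if bucket.allow(t):  # otherwise the packet-in is dropped at the switch
            stats[src][0] += 1
    return {src: tuple(v) for src, v in stats.items()}


if __name__ == "__main__":
    print("no attacker:", simulate(50, 0, 100, 100))
    print("attacker at 5000 new flows/s:", simulate(50, 5000, 100, 100))
```

With no attacker every legitimate new flow is admitted; with a flooding source the limiter caps the controller load at roughly burst + rate * seconds packet-ins, but almost all of that budget goes to the flood, which is the sense in which rate limiting is necessary but insufficient.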

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
