On Wed, Jul 01, 2015 at 11:11:05AM +0300, Gal Sagie wrote:
> As you might know, allowed address pairs in neutron is an extension to
> allow a port to have more than a pair of MAC-IP addresses assigned to it.
> This is useful for cases where a few VMs need to share a virtual MAC/IP,
> like for VRRP, Load balancing, NFV use cases and so on...
> (Aaron, who implemented it as far as I know, can maybe elaborate)
>
> It's not urgent but I believe that we can support this in Neutron OVN (at
> least for L2) by adding all the MAC addresses configured to a certain
> logical port.
>
> However, when L3 is going to be introduced, we can't just also add all the
> IP addresses, because security wise this means that a certain IP must be
> assigned to a certain MAC address (please correct me if I am wrong here)
>
> Just wanted to put this here, so when L3 design is finalized these
> connections are also taken care of in OVN for port security.

Where's the spec for allowed address pairs? It's probably pretty easy
to implement in OVN.

(As an aside, I originally specified OVN port security to be more
general and to handle L2 and L3, but I didn't like what I'd specified
and so I dropped back to something simple and L2-only, with the idea
being that we'd enhance it to match whatever Neutron actually wants
later. Now is the time, I guess.)
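
The MAC-to-IP binding concern raised in this thread, as an added example that is not part of the original messages and is not OVN or Neutron code: it compares a source check that keeps MACs and IPs in two independent lists with one that keeps each IP bound to its MAC. The port data is constructed, the function names are hypothetical, and defaulting a missing `mac_address` to the port's own MAC is an assumption.

```python
import ipaddress

# Constructed sample port: its fixed address plus one shared VRRP-style pair.
# Field names are modelled on Neutron's allowed_address_pairs entries
# (ip_address, mac_address); all values are made up for illustration.
PORT = {
    "mac_address": "fa:16:3e:00:00:01",
    "fixed_ip": "10.0.0.5",
    "allowed_address_pairs": [
        {"mac_address": "00:00:5e:00:01:01", "ip_address": "10.0.0.100"},
    ],
}

def bindings(port):
    """Return the (MAC, network) pairs the port may use as a source."""
    pairs = [(port["mac_address"], port["fixed_ip"])]
    for entry in port["allowed_address_pairs"]:
        # Assumption: an entry without mac_address uses the port's own MAC.
        mac = entry.get("mac_address", port["mac_address"])
        pairs.append((mac, entry["ip_address"]))
    # ip_address may be a single host or a CIDR; normalise both to a network.
    return [(mac.lower(), ipaddress.ip_network(ip, strict=False))
            for mac, ip in pairs]

def flat_check(port, src_mac, src_ip):
    """Weak form: MAC and IP are validated against two independent lists."""
    allowed = bindings(port)
    ip = ipaddress.ip_address(src_ip)
    mac_ok = src_mac.lower() in {mac for mac, _ in allowed}
    ip_ok = any(ip in net for _, net in allowed)
    return mac_ok and ip_ok

def paired_check(port, src_mac, src_ip):
    """Bound form: the IP must belong to the same entry as the MAC."""
    ip = ipaddress.ip_address(src_ip)
    return any(src_mac.lower() == mac and ip in net
               for mac, net in bindings(port))

if __name__ == "__main__":
    # The port's own MAC paired with the shared virtual IP (a cross pairing).
    for check in (flat_check, paired_check):
        print(check.__name__, check(PORT, "fa:16:3e:00:00:01", "10.0.0.100"))
```

The flat check accepts the port's own MAC combined with the shared virtual IP because each value is individually on a list; the paired check rejects it while still accepting both configured bindings.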