Hi Justin,

Sorry to revive an old thread. I've recently resumed my work on OpenStack Neutron to allow for OVS-based security groups. Have you published any results with your work on OVS and Linux's conntracker?

Thanks,
Amir Sadoughi

On Mon, Dec 16, 2013 at 3:31 PM, Justin Pettit <jpet...@nicira.com> wrote:
>
> On Dec 16, 2013, at 11:24 AM, Amir Sadoughi <amir.sadou...@gmail.com> wrote:
>
> > How would you describe the tradeoffs between the two choices? Is it accurate to say reflexive learning is not as performant as it cuts into how many flows a megaflow can wildcard, e.g. the less that can be wildcarded, the more OVS will have to hit userspace for flows?
>
> Yes. This is exactly right. Using the learn action is strictly more correct, since it's only allowing return traffic that's in response to traffic that was previously seen. TCP flag matching allows reasonable megaflows, but just blocking on the SYN flags isn't as secure, since an attacker can get traffic through--they just can't initiate a new connection. However, I do think many hardware switches implement their firewalls in just such a manner.
>
> --Justin
>
_______________________________________________ discuss mailing list discuss@openvswitch.org http://openvswitch.org/mailman/listinfo/discuss
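To make the two approaches Justin contrasts concrete, here is an added example (not from the thread or from Neutron) of both as OpenFlow rules for `ovs-ofctl add-flows br0 <file>`. It assumes a bridge `br0` where port 1 is the protected VM and port 2 faces the network, and that the OVS version supports `tcp_flags` matching (OVS 2.1 or later).

```text
# ---- Approach A: reflexive learning (per-connection return flows) ----
# Table 0: the VM (port 1) may initiate. Each outbound TCP packet installs a
# mirror-image rule in table 1 that admits only the matching return traffic.
# Because the learned rule matches exact 5-tuples, the datapath megaflow for
# return traffic cannot wildcard addresses or ports: one entry per connection.
table=0, priority=100, in_port=1, tcp, actions=learn(table=1, idle_timeout=60, priority=100, in_port=2, eth_type=0x0800, nw_proto=6, NXM_OF_IP_SRC[]=NXM_OF_IP_DST[], NXM_OF_IP_DST[]=NXM_OF_IP_SRC[], NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[], NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[], output:NXM_OF_IN_PORT[]), output:2

# Inbound TCP from the network is only consulted against learned rules.
table=0, priority=100, in_port=2, tcp, actions=resubmit(,1)

# Anything inbound that no learned rule matches is dropped.
table=1, priority=0, actions=drop

# ---- Approach B: TCP flag matching (single wildcarded rule) ----
# Drop inbound segments that try to open a connection (SYN set, ACK clear),
# allow everything else. This lets the kernel keep one wide megaflow, but any
# non-SYN segment from outside is passed straight through with no state check,
# which is the weakness described in the thread.
# (Remove Approach A's in_port=2 rules before loading these; they conflict.)
# table=0, priority=100, in_port=2, tcp, tcp_flags=+syn-ack, actions=drop
# table=0, priority=90,  in_port=2, tcp, actions=output:1
```

Loading Approach A and then watching `ovs-dpctl dump-flows` while a VM opens several connections shows one datapath entry per connection; Approach B produces a handful of entries regardless of connection count.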