Re: [ovs-discuss] packet leaking across vswitches

Wed, 05 Aug 2015 11:23:53 -0700 

On Mon, Aug 03, 2015 at 08:45:35PM +0000, Chen Weiwen wrote:
> see weird things only with openvswitch, even the latest version, that
> potentially packet will leak from one vswitch to another, even those
> two vswitches are configured separately with different physical NICs
> on different VLAN trunks. No patch/tunnel ports involved. We see
> looping detection happens to these two uplink ports.

Sounds like the following FAQ.

### Q: I configured one IP address on VLAN 0 and another on VLAN 9, like
   this:

       ovs-vsctl add-br br0
       ovs-vsctl add-port br0 eth0
       ifconfig br0 192.168.0.5
       ovs-vsctl add-port br0 vlan9 tag=9 -- set interface vlan9 type=internal
       ifconfig vlan9 192.168.0.9

   but other hosts that are only on VLAN 0 can reach the IP address
   configured on VLAN 9.  What's going on?

A: RFC 1122 section 3.3.4.2 "Multihoming Requirements" describes two
   approaches to IP address handling in Internet hosts:

   - In the "Strong ES Model", where an ES is a host ("End
     System"), an IP address is primarily associated with a
     particular interface.  The host discards packets that arrive
     on interface A if they are destined for an IP address that is
     configured on interface B.  The host never sends packets from
     interface A using a source address configured on interface B.

   - In the "Weak ES Model", an IP address is primarily associated
     with a host.  The host accepts packets that arrive on any
     interface if they are destined for any of the host's IP
     addresses, even if the address is configured on some
     interface other than the one on which it arrived.  The host
     does not restrict itself to sending packets from an IP
     address associated with the originating interface.

   Linux uses the weak ES model.  That means that when packets
   destined to the VLAN 9 IP address arrive on eth0 and are bridged to
   br0, the kernel IP stack accepts them there for the VLAN 9 IP
   address, even though they were not received on vlan9, the network
   device for vlan9.

   To simulate the strong ES model on Linux, one may add iptables rule
   to filter packets based on source and destination address and
   adjust ARP configuration with sysctls.

   BSD uses the strong ES model.
_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss

Reply via email to