On 11/4/18 18:45, Rabadan, Jorge (Nokia - US/Mountain View) wrote:

> [JORGE] not sure what you mean by "negative caching". If you refer to the
> ability of certain routers/servers to inject dummy MACs into the ARP caches
> so that hosts stop ARPing for absent IPs, the solution actually may help,
> since there is an option to suppress unknown ARP-Requests/NS flooding
> explained in Section 4.5. Should you choose to enable this option on the
> Proxy-ARP/ND functions of the PEs, you no longer flood unknown ARP-Requests,
> and therefore there is no longer a need to inject those dummy MAC addresses to
> stop the flooding. A host may keep ARP'ing for an absent host, but at least
> those messages won't bother the entire BD. I added this text in the security
> section:
>
> --------------
> "The procedures in this document reduce the amount of ARP/ND message
> flooding, which in itself provides a protection to "slow path"
> software processors of routers and Tenant Systems in large BDs. The
> ARP/ND requests that are replied by the Proxy-ARP/ND function (hence
> not flooded) are normally targeted to existing hosts in the BD.
> ARP/ND requests targeted to absent hosts are still normally flooded;
> however, the suppression of Unknown ARP-Requests and NS messages
> described in Section 4.5 can provide an additional level of security
> against ARP-Requests/NS messages issued to non-existing hosts."
> --------------
Thanks. I re-read section 4.5, and I think this does indeed address my comment. The addition of this text is appreciated.

Joe

_______________________________________________
BESS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/bess
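As an added illustration, not code from the thread or from the draft, here is a small Python model of the Proxy-ARP behaviour discussed above: an ARP Request for a host in the PE's proxy table is answered locally and never leaves the PE, while a request for an absent host is flooded to the BD unless the Section 4.5 suppression option is enabled, in which case it is dropped. The frame builder/parser, the `ProxyArp` class and the sample table and traffic are all assumptions made for this example (the ND side is not modelled).

```python
import struct
from ipaddress import IPv4Address

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BCAST = b"\xff" * 6

def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an ARP message (14 + 28 bytes)."""
    dst = BCAST if op == ARP_REQUEST else tha  # requests are broadcast, replies unicast
    eth = dst + sha + struct.pack("!H", ETH_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed)
    return eth + arp

def parse_arp(frame):
    """Return (op, sha, spa, tha, tpa) for an ARP-over-Ethernet frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return op, sha, str(IPv4Address(spa)), tha, str(IPv4Address(tpa))

class ProxyArp:
    """Hypothetical PE Proxy-ARP function: reply from its table, flood or drop the rest."""
    def __init__(self, table, suppress_unknown=False):
        self.table = dict(table)            # IP -> MAC entries the PE has learned
        self.suppress_unknown = suppress_unknown  # the Section 4.5 option
        self.flooded = 0                    # requests that reached the whole BD

    def handle(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REQUEST:
            return ("ignore", None)
        _, sha, spa, _, tpa = parsed
        mac = self.table.get(tpa)
        if mac is not None:                 # known host: answered by the PE, not flooded
            return ("reply", build_arp(ARP_REPLY, mac, tpa, sha, spa))
        if self.suppress_unknown:           # absent host, suppression on: nothing is flooded
            return ("drop", None)
        self.flooded += 1                   # absent host, suppression off: flood to the BD
        return ("flood", frame)

def simulate(suppress_unknown):
    """Constructed traffic: two requests for a present host, three for an absent one."""
    pe = ProxyArp({"10.0.0.2": b"\x02" * 6}, suppress_unknown)
    counts = {}
    for tpa in ["10.0.0.2", "10.0.0.99", "10.0.0.2", "10.0.0.99", "10.0.0.99"]:
        action, _ = pe.handle(build_arp(ARP_REQUEST, b"\x01" * 6, "10.0.0.1", b"\x00" * 6, tpa))
        counts[action] = counts.get(action, 0) + 1
    return counts
```

`simulate(False)` shows the three requests for the absent host flooding the BD, while `simulate(True)` shows them dropped at the PE, with the two requests for the present host answered locally in both cases.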
