On 3/13/12 2:38 PM, Ben Pfaff wrote:
> The way I would suggest doing it is to have the controller track the
> VM that is supposed to be associated with a given OpenFlow port and
> drop any traffic originating from the port that claims a different
> source MAC or IP. It's possible to do the latter with OpenFlow.
Yeah, on the controller I could only install the flow if the MAC and IP
address match a valid database (for example).
But that doesn't prevent another VM on the same or another vswitch from
altering its own MAC and IP and the controller installing the same flow.
If I understand you, I could make the controller track:
- A new MAC/IP is using port 10@vswitch1: install the flow.
- Any other port/switch other than 10@vswitch1 using that MAC/IP is dropped.
- But what am I going to do when a VM migrates between hosts? Probably I will
have to wait for the idle timeout on the other switch before installing the flow
for the migrated VM to access the network.
- Another problem is that if a VM doesn't use the network, the flow will
expire. Then if another VM uses that MAC/IP, the controller will grant
network access, because that MAC/IP address is not installed anywhere.
Am I thinking right, or is the behavior different in that case?
I'm not seeing a 100% secure way to do antispoofing other than building
that into OVS or triggers on the hypervisor (maybe the antispoofing could
be done on the hypervisor?).
Currently I'm using triggers on the hypervisor and it works. I'm just
trying to find out if there is another way to do it, so that I could remove
those triggers and use only the controller to manage that.
--
Luiz Henrique Ozaki
_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss
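An added example (not from this thread, nor from Open vSwitch) sketching the controller-side binding table discussed above. The binding of a MAC/IP pair to an OpenFlow port is fed from an authoritative source (the hypervisor or orchestrator, hypothetical `bind` calls here) and lives independently of any installed flow, so a flow expiring on idle timeout does not free the address for another port, and a migration is handled by an explicit rebind rather than by waiting for a timeout. The `ovs-ofctl`-style match strings are illustrative only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    switch: str   # e.g. "vswitch1"
    port: int     # OpenFlow port number on that switch

class AntiSpoofPolicy:
    """Controller-side table: which (switch, port) each MAC/IP pair may use."""

    def __init__(self):
        self._owner = {}  # (mac, ip) -> Port

    def bind(self, mac, ip, port):
        # Called by the orchestrator at VM boot and again after migration.
        # Replacing the old entry moves authorization to the new port; the
        # controller would also delete stale flows on the old switch.
        self._owner[(mac, ip)] = port

    def unbind(self, mac, ip):
        # Called when the VM is destroyed; a plain flow idle timeout never
        # removes a binding, so the address cannot be reclaimed by another port.
        self._owner.pop((mac, ip), None)

    def decide(self, mac, ip, port):
        """Packet-in handler: returns (allowed, flow) for a source seen on port."""
        match = f"in_port={port.port},dl_src={mac},ip,nw_src={ip}"
        if self._owner.get((mac, ip)) == port:
            return True, f"{match},actions=normal"
        # Unknown or mismatched source: install a drop flow and learn nothing.
        return False, f"{match},actions=drop"

def demo():
    """Constructed scenario: boot, spoof attempt, expiry, migration."""
    policy = AntiSpoofPolicy()
    mac, ip = "52:54:00:aa:bb:cc", "10.0.0.5"  # constructed sample values
    p_orig, p_spoof, p_new = Port("vswitch1", 10), Port("vswitch2", 4), Port("vswitch2", 7)
    policy.bind(mac, ip, p_orig)
    results = {
        "owner": policy.decide(mac, ip, p_orig)[0],
        "spoofer": policy.decide(mac, ip, p_spoof)[0],
        # After the owner's flow idles out, the spoofer is still refused
        # because the binding table, not the flow table, is authoritative.
        "spoofer_after_expiry": policy.decide(mac, ip, p_spoof)[0],
    }
    policy.bind(mac, ip, p_new)  # migration: orchestrator rebinds immediately
    results["migrated"] = policy.decide(mac, ip, p_new)[0]
    results["old_port_after_migration"] = policy.decide(mac, ip, p_orig)[0]
    return results
```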