On Dec 16, 2013, at 11:24 AM, Amir Sadoughi <[email protected]> wrote:
> How would you describe the tradeoffs between the two choices? Is it accurate
> to say reflexive learning is not as performant as it cuts into how many flows
> a megaflow can wildcard, e.g. the less that can be wildcarded, the more OVS
> will have to hit userspace for flows?

Yes. This is exactly right. Using the learn action is strictly more correct, since it's only allowing return traffic that's in response to traffic that was previously seen. TCP flag matching allows reasonable megaflows, but just blocking on the SYN flags isn't as secure, since an attacker can get traffic through--they just can't initiate a new connection. However, I do think many hardware switches implement their firewalls in just such a manner.

--Justin

_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss
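The two approaches Justin compares, written out as OpenFlow flow sets. This is an added example, not code from the thread or from the Open vSwitch project. It assumes a bridge `br0` whose port 1 faces the protected side and port 2 faces the outside, an OVS new enough to match `tcp_flags` (2.1 or later) for the stateless variant, and the `learn` action syntax as documented in ovs-ofctl(8); the helper names (`reflexive_flows`, `flag_flows`, `apply_flows`, `stateful_rule_count`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the OVS project): two ways to build a
# one-way TCP firewall on an OVS bridge. Port 1 = inside, port 2 = outside.
# Bridge name and port numbers are assumptions; adjust for your setup.
BR="${BR:-br0}"

# Reflexive variant (learn action). An outbound TCP packet from port 1 installs
# a per-connection return rule in table 1 with the 4-tuple reversed and records
# the original in_port in reg0; table 2 forwards only when reg0 says a matching
# outbound packet was seen. Inbound packets with no learned entry are dropped.
# Every learned rule is an exact match on both IPs and both ports, so the
# datapath megaflow for return traffic cannot wildcard them: one megaflow per
# connection, and a userspace upcall for the first packet of each.
reflexive_flows() {
    cat <<'EOF'
table=0, priority=100, in_port=1, tcp, actions=learn(table=1, priority=100, idle_timeout=60, in_port=2, dl_type=0x0800, nw_proto=6, NXM_OF_IP_SRC[]=NXM_OF_IP_DST[], NXM_OF_IP_DST[]=NXM_OF_IP_SRC[], NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[], NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[], load:NXM_OF_IN_PORT[]->NXM_NX_REG0[0..15]), output:2
table=0, priority=100, in_port=2, tcp, actions=resubmit(,1), resubmit(,2)
table=0, priority=0, actions=drop
table=1, priority=0, actions=drop
table=2, priority=10, reg0=1, actions=output:1
table=2, priority=0, actions=drop
EOF
}

# Stateless variant (tcp_flags matching). Inbound segments with SYN set and
# ACK clear are dropped; everything else is forwarded. The megaflow only has to
# unwildcard in_port, eth_type, ip_proto and tcp_flags, so a handful of
# megaflows cover every connection. The cost is the one Justin points out: an
# attacker on port 2 who sends segments that are not a bare SYN (ACK, RST,
# data, SYN+ACK) gets them delivered to port 1 without any prior outbound
# traffic, even though no new connection can be completed that way.
flag_flows() {
    cat <<'EOF'
table=0, priority=100, in_port=1, tcp, actions=output:2
table=0, priority=110, in_port=2, tcp, tcp_flags=+syn-ack, actions=drop
table=0, priority=100, in_port=2, tcp, actions=output:1
table=0, priority=0, actions=drop
EOF
}

# Load one of the two flow sets into the bridge when ovs-ofctl is present;
# otherwise print it. Usage: apply_flows reflexive | apply_flows flag
apply_flows() {
    case "$1" in
        reflexive) gen=reflexive_flows ;;
        flag)      gen=flag_flows ;;
        *) echo "usage: apply_flows reflexive|flag" >&2; return 2 ;;
    esac
    if command -v ovs-ofctl >/dev/null 2>&1; then
        "$gen" | ovs-ofctl replace-flows "$BR" -
    else
        "$gen"
    fi
}

# Number of rules in a flow set that create per-connection state
# (learn actions): 1 for reflexive, 0 for flag.
stateful_rule_count() {
    "${1}_flows" | grep -c 'learn(' || true
}
```

To see the megaflow difference on a live bridge, apply one variant, push a few TCP connections through it and compare `ovs-dpctl dump-flows` (or `ovs-appctl dpif/dump-flows br0` on newer releases): the reflexive set produces a datapath entry per connection with src/dst IP and port unmasked, the flag set produces a few entries masked down to in_port, eth_type, ip_proto and tcp_flags.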
