> On Jun 8, 2016, at 11:42 AM, Flaviof <fla...@flaviof.com> wrote:
>
> On Wed, Jun 8, 2016 at 2:10 PM, Darrell Ball <dlu...@gmail.com> wrote:
>
> On Wed, Jun 8, 2016 at 6:38 AM, Flaviof <fla...@flaviof.com> wrote:
>
> As a continuation of the topic on ICMP reply rules [ml], I could not help but
> notice that in the logical flow, there is a match not only for the logical
> router's IP address but also for the L3 broadcast (op->bcast) of the subnet
> [1]. So I -- the curious cat -- had to try it out. ;)
>
>> It is common to not respond to directed broadcast by default and enable it
>> only by configuration;
>> adding configuration ability for this would be an added requirement with
>> dubious value.
>> The reasons are obviously related to DOS.
>> It may be here by default for special and/or historical reasons in NSX or
>> OpenStack.
>> Unless there is some "extra specialness" usage or above historical reasons,
>> I would say the disadvantages outweigh the meager advantages of responding
>> to directed broadcasts.
>>
>>> Makes sense; and I agree. I'll propose the simplification in ovs-dev and
>>> bring this up in the OVN meeting tomorrow (Jun/9); to see if anybody has
>>> a diverging opinion and/or suggestion.

Coincidentally, over the weekend, I also noticed that we were responding to broadcast pings. I was planning to send a patch to disable this behavior due to DOS concerns. (I agree with Darrell that it's not worth providing a configuration option at this time.)

Let's confirm at the OVN meeting tomorrow, but if no one objects, I think it makes sense. Did you want to prepare the patch?

--Justin