Details
-
Story
-
Resolution: Done
-
Undefined
-
None
-
None
-
None
-
None
Description
{{commit e050e63c6c846afe1a8f54a214702ce74f538951
ovn-northd: Add CoPP policies for flows that punt packets to ovn-controller.
Change the ovn-northd implementation to set the new 'controller_meter'
field for flows that need to punt packets to ovn-controller.
Protocol packets for which CoPP is enforced when sending packets to
ovn-controller (if configured):
- ARP
- ND_NS
- ND_NA
- ND_RA
- DNS
- IGMP
- packets that require ARP resolution before forwarding
- packets that require ND_NS before forwarding
- packets that need to be replied to with ICMP Errors
- packets that need to be replied to with TCP RST
- packets that need to be replied to with DHCP_OPTS
- packets that trigger a SCTP abort action
- contoller_events
- BFD}}
ovn-kubernetes should enable CoPP to prevent DoS of ovn-controllers when responding to various incoming packets. Enabling consists of creating "meters" for packet types and then using those meters in the "copp" table in the OVN Northbound database. ovn-kube can do this once per startup in StartClusterMaster() or somewhere like that.
Need to double-check that all pkt_in operations in ovn-controller are protected by CoPP too.