From patchwork Thu Oct 6 01:06:08 2016
X-Patchwork-Submitter: Darrell Ball
X-Patchwork-Id: 678680
From: Darrell Ball
To: dlu998@gmail.com, dball@vmware.com, dev@openvswitch.org
Date: Wed, 5 Oct 2016 18:06:08 -0700
Message-Id: <1475715968-129474-2-git-send-email-dlu998@gmail.com>
In-Reply-To: <1475715968-129474-1-git-send-email-dlu998@gmail.com>
References: <1475715968-129474-1-git-send-email-dlu998@gmail.com>
Subject: [ovs-dev] [patch_v3] ovn: Add additional comments regarding arp responders.

There has been enough confusion regarding logical switch datapath arp responders in ovn to warrant some additional comments; hence add a general description regarding why they exist and document the special cases.

Signed-off-by: Darrell Ball
--- ovn/northd/ovn-northd.8.xml | 51 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 45 insertions(+), 6 deletions(-) diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml index 77eb3d1..2104302 100644 --- a/ovn/northd/ovn-northd.8.xml +++ b/ovn/northd/ovn-northd.8.xml @@ -415,20 +415,59 @@

Ingress Table 9: ARP/ND responder

- This table implements ARP/ND responder for known IPs. It contains these - logical flows: + This table implements ARP/ND responder for known IPs. The advantage + of the arp responder flow is to limit arp broadcasts by locally + responding to arp requests without the need to send to other + hypervisors. One common case is when the inport is a logical + port associated with a VIF and the broadcast is responded to on the + local hypervisor rather than broadcast across the whole network and + responded to by the destination VM. This behavior is proxy arp. + Packets received by multiple hypervisors, as in the case of + localnet and vtep logical inports need + to skip these logical switch arp responders; the reason being + that northd downloads the same mac binding rules to all hypervisors + and all hypervisors will receive the arp request from the external + network and respond. These skip rules are mentioned under + priority-100 flows. Arp requests arrive from VMs with a logical + switch inport type of type empty, which is the default. For this + case, the logical switch proxy arp rules can be for other VMs or + a logical router port. In order to support proxy arp for logical + router ports, an IP address must be configured on the logical + switch router type port, with the same value as the peer of the + logical router port. The configured MAC addresses must match as + well. If the logical switch router type port does not have an + IP address configured, arp requests will hit another arp responder + on the logical router datapath itself, which is most commonly a + distributed logical router. The advantage of using the logical + switch proxy arp rule for logical router ports is that this rule + is hit before the logical switch L2 broadcast rule. This means + the arp request is not broadcast on this logical switch. Logical + switch arp responder proxy arp rules can also be hit when + receiving arp requests externally on a L2 gateway port. 
In this + case, the hypervisor acting as an L2 gateway, responds to the arp + request on behalf of a VM. Note that arp requests received from + localnet or vtep logical inports can + either go directly to VMs, in which case the VM responds or can + hit an arp responder for a logical router port if the packet is + used to resolve a logical router port next hop address. + It contains these logical flows:

  • - Priority-100 flows to skip ARP responder if inport is of type - localnet, and advances directly to the next table. + Priority-100 flows to skip the ARP responder if inport is + of type localnet or vtep and + advances directly to the next table. The inport being of type + router has no known use case for these arp + responders. However, no skip flows are installed for these + packets, as there would be some additional flow cost for this + and the value appears limited.
  • Priority-50 flows that match ARP requests to each known IP address - A of every logical router port, and respond with ARP + A of every logical switch port, and respond with ARP replies directly with corresponding Ethernet address E:

    @@ -455,7 +494,7 @@ output;

    Priority-50 flows that match IPv6 ND neighbor solicitations to each known IP address A (and A's - solicited node address) of every logical router port, and + solicited node address) of every logical switch port, and respond with neighbor advertisements directly with corresponding Ethernet address E:
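
Review bot: The Priority-50 ARP bullet at the end of the first hunk (@@ -415,20 +415,59 @@) changes "every logical router port" to "every logical switch port", which corrects the documented behaviour rather than adding a comment, yet the commit message only speaks of adding a general description and documenting the special cases; mention the correction there. In the new description, "arp" is lowercase throughout while the heading and the flow bullets use "ARP", and "a logical switch inport type of type empty, which is the default" would read better as "a logical switch inport whose type is empty (the default)". The description also runs four cases together in one block (VIF inports, the localnet/vtep skip, router type ports, L2 gateway ports); one paragraph per case would be easier to scan in the man page.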
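
Review bot: The ND bullet in the second hunk (@@ -455,7 +494,7 @@) now reads "every logical switch port", but nothing added by this patch says how ND solicitations are treated on localnet or vtep inports: the new description talks only about arp requests, and the priority-100 bullet only about skipping "the ARP responder". If the reasoning given in the first hunk (every hypervisor receives the request from the external network and responds) also holds for neighbor solicitations, say so in the priority-100 bullet; if ND is handled differently, document that case next to this bullet.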