From patchwork Fri Nov 4 17:06:17 2016
X-Patchwork-Submitter: Darrell Ball
X-Patchwork-Id: 691343
From: Darrell Ball
To: dlu998@gmail.com, dev@openvswitch.org
Cc: Ramu Ramamurthy
Date: Fri, 4 Nov 2016 10:06:17 -0700
Subject: [ovs-dev] [patch_v6 2/3] ovn: Add additional comments regarding arp responders.
Message-Id: <1478279178-36041-3-git-send-email-dlu998@gmail.com>
In-Reply-To: <1478279178-36041-1-git-send-email-dlu998@gmail.com>
References: <1478279178-36041-1-git-send-email-dlu998@gmail.com>
X-Mailer: git-send-email 1.9.1

There has been enough confusion regarding logical switch datapath arp responders in ovn to warrant some additional comments; hence add a general description regarding why they exist and document the special cases.

Signed-off-by: Darrell Ball
Signed-off-by: Ramu Ramamurthy
Co-authored-by: Ramu Ramamurthy
Acked-by: Han Zhou
Acked-by: Mickey Spiegel
---
v5->v6: Rewording based on review feedback including designating peer logical router port correctly.
v4->v5: Splice in some rewording from review from multiple sources.
v3->v4: Capitalization fixes. Reinstate comment regarding L2 learning confusion.
v2->v3: Reword and further elaborate.
v1->v2: Dropped RFC code change for logical switch router type ports.

 ovn/northd/ovn-northd.8.xml | 67 +++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 61 insertions(+), 6 deletions(-)

diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
index df53d4c..9c61f66 100644
--- a/ovn/northd/ovn-northd.8.xml
+++ b/ovn/northd/ovn-northd.8.xml
@@ -435,20 +435,75 @@

Ingress Table 10: ARP/ND responder

- This table implements ARP/ND responder for known IPs. It contains these - logical flows: + This table implements ARP/ND responder in a logical switch for known + IPs. The advantage of the ARP responder flow is to limit ARP + broadcasts by locally responding to ARP requests without the need to + send to other hypervisors. One common case is when the inport is a + logical port associated with a VIF and the broadcast is responded to + on the local hypervisor rather than broadcast across the whole + network and responded to by the destination VM. This behavior is + proxy ARP.

+

+ ARP requests arrive from VMs from a logical switch inport of type + default. For this case, the logical switch proxy ARP rules can be + for other VMs or logical router ports. Logical switch proxy ARP + rules may be programmed both for mac binding of IP addresses on + other logical switch VIF ports (which are of the default logical + switch port type, representing connectivity to VMs or containers), + and for mac binding of IP addresses on logical switch router type + ports, representing their logical router port peers. In order to + support proxy ARP for logical router ports, an IP address must be + configured on the logical switch router type port, with the same + value as the peer logical router port. The configured MAC addresses + must match as well. When a VM sends an ARP request for a distributed + logical router port and if the peer router type port of the attached + logical switch does not have an IP address configured, the ARP request + will be broadcast on the logical switch. One of the copies of the ARP + request will go through the logical switch router type port to the + logical router datapath, where the logical router ARP responder will + generate a reply. The MAC binding of a distributed logical router, + once learned by an associated VM, is used for all that VM's + communication needing routing. Hence, the action of a VM re-arping for + the mac binding of the logical router port should be rare. +

+ +

+ Logical switch ARP responder proxy ARP rules can also be hit when + receiving ARP requests externally on a L2 gateway port. In this case, + the hypervisor acting as an L2 gateway, responds to the ARP request on + behalf of a destination VM. +

+ +

+ Note that ARP requests received from localnet or + vtep logical inports can either go directly to VMs, in + which case the VM responds or can hit an ARP responder for a logical + router port if the packet is used to resolve a logical router port + next hop address. In either case, logical switch ARP responder rules + will not be hit. It contains these logical flows: +

+
  • - Priority-100 flows to skip ARP responder if inport is of type - localnet, and advances directly to the next table. + Priority-100 flows to skip the ARP responder if inport is of type + localnet or vtep and advances directly + to the next table. ARP requests sent to localnet or + vtep ports can be received by multiple hypervisors. + Now, because the same mac binding rules are downloaded to all + hypervisors, each of the multiple hypervisors will respond. This + will confuse L2 learning on the source of the ARP requests. ARP + requests received on an inport of type router are not + expected to hit any logical switch ARP responder flows. However, + no skip flows are installed for these packets, as there would be + some additional flow cost for this and the value appears limited.
  • Priority-50 flows that match ARP requests to each known IP address - A of every logical router port, and respond with ARP + A of every logical switch port, and respond with ARP replies directly with corresponding Ethernet address E:

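Review bot: the new paragraphs in this hunk mix "MAC binding" and "mac binding" (the long paragraph on default-type inports uses both spellings, and the priority-100 bullet has "the same mac binding rules"), even though the v3->v6 changelog lists capitalization fixes; use "MAC binding" throughout. Two smaller points in the same hunk: the closing sentence "It contains these logical flows:" now sits three paragraphs away from "This table", so its antecedent is lost and "This table contains these logical flows:" reads cleanly (the same paragraph also needs a comma after "in which case the VM responds"). And the statement that requests arriving on an inport of type router "are not expected to hit any logical switch ARP responder flows" gives no reason, while the preceding sentences explain the localnet/vtep case carefully (every hypervisor holding the same rules would reply, confusing L2 learning at the source); since the same bullet says no skip flows are installed for router inports, either add the half-sentence on why such requests do not match the priority-50 flows or soften the wording so a reader does not assume an enforced guarantee.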
    @@ -475,7 +530,7 @@ output;

    Priority-50 flows that match IPv6 ND neighbor solicitations to each known IP address A (and A's - solicited node address) of every logical router port, and + solicited node address) of every logical switch port, and respond with neighbor advertisements directly with corresponding Ethernet address E:
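Review bot: this hunk only swaps "logical router port" for "logical switch port" in the IPv6 ND bullet, mirroring the ARP fix in the previous hunk, but all of the new explanatory text in this patch (the proxy ARP rationale, the localnet/vtep skip, the L2 gateway case) is written purely in terms of ARP requests. Since the table is titled "ARP/ND responder" and the priority-100 skip flows are keyed on inport type rather than on the protocol, state explicitly whether the same skip and proxy behavior applies to ND neighbor solicitations, for example by wording the skip bullet as "skip the ARP/ND responder".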