edge_learn algorithm never blocks packet-in from broadcast
Closed this issue · 2 comments
In a situation where a stacking switch is learning a flow to an edge node that is not shortest-path through the root switch, it will never block incoming packets from the root switch against re-learning, and so will generate a packet-in from every broadcast (since broadcast always comes through the root node). This can be seen in the packet flow counts below. The flows where n_packets=221 (or 222) are the ones of interest. The generated traffic is just a bunch of ARPs to a nonexistent address, which means it's a bunch of broadcast-only traffic.
- All the packets come in on port 6, which is the hop to the stack root
- System has learned to src_mac on port 9, which is the shortest path to the edge switch
- But since broadcast packets are always inbound on port 6, the "skip learning" rule is not matched
- All incoming broadcast packets are sent to CONTROLLER,96
- All incoming packets are sent to the flood table (as expected, since this is ARP-broadcast)
The danger here is a DoS problem on the controller, since a flood of broadcast messages will all trigger a packet-in. Or, in systems with lots of broadcast traffic (chatty legacy IoT systems), this will likely incur significant system load.
```
$ sudo ovs-ofctl dump-flows t1sw2 | egrep table=[0-2]
cookie=0x5adc15c0, duration=428.121s, table=0, n_packets=71, n_bytes=5751, idle_age=3, priority=9099,in_port=6,dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0,dl_type=0x88cc actions=CONTROLLER:128
cookie=0x5adc15c0, duration=428.121s, table=0, n_packets=71, n_bytes=5893, idle_age=3, priority=9099,in_port=9,dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0,dl_type=0x88cc actions=CONTROLLER:128
cookie=0x5adc15c0, duration=428.121s, table=0, n_packets=71, n_bytes=5964, idle_age=3, priority=9099,in_port=10,dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0,dl_type=0x88cc actions=CONTROLLER:128
cookie=0x5adc15c0, duration=428.121s, table=0, n_packets=71, n_bytes=5964, idle_age=3, priority=9099,in_port=11,dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0,dl_type=0x88cc actions=CONTROLLER:128
cookie=0x5adc15c0, duration=415.106s, table=0, n_packets=399, n_bytes=49476, idle_age=1, priority=9099,in_port=28,dl_dst=01:80:c2:00:00:02,dl_type=0x8809 actions=CONTROLLER:124
cookie=0x5adc15c0, duration=428.121s, table=0, n_packets=4, n_bytes=280, idle_age=209, priority=9001,in_port=6,vlan_tci=0x0000/0x1fff actions=drop
cookie=0x5adc15c0, duration=428.121s, table=0, n_packets=4, n_bytes=280, idle_age=146, priority=9001,in_port=9,vlan_tci=0x0000/0x1fff actions=drop
cookie=0x5adc15c0, duration=428.121s, table=0, n_packets=4, n_bytes=280, idle_age=146, priority=9001,in_port=10,vlan_tci=0x0000/0x1fff actions=drop
cookie=0x5adc15c0, duration=428.121s, table=0, n_packets=4, n_bytes=280, idle_age=178, priority=9001,in_port=11,vlan_tci=0x0000/0x1fff actions=drop
cookie=0x5adc15c0, duration=428.120s, table=0, n_packets=0, n_bytes=0, idle_age=428, priority=9000,in_port=28,dl_vlan=171 actions=mod_vlan_pcp:0,resubmit(,1)
cookie=0x5adc15c0, duration=428.120s, table=0, n_packets=222, n_bytes=10716, idle_age=24, priority=9000,in_port=6 actions=resubmit(,1)
cookie=0x5adc15c0, duration=428.120s, table=0, n_packets=0, n_bytes=0, idle_age=428, priority=9000,in_port=9 actions=resubmit(,1)
cookie=0x5adc15c0, duration=428.120s, table=0, n_packets=0, n_bytes=0, idle_age=428, priority=9000,in_port=10 actions=resubmit(,1)
cookie=0x5adc15c0, duration=428.120s, table=0, n_packets=0, n_bytes=0, idle_age=428, priority=9000,in_port=11 actions=resubmit(,1)
cookie=0x5adc15c0, duration=415.106s, table=0, n_packets=0, n_bytes=0, idle_age=428, priority=9001,in_port=28 actions=drop
cookie=0x5adc15c0, duration=428.037s, table=0, n_packets=0, n_bytes=0, idle_age=428, priority=0 actions=drop
cookie=0x5adc15c0, duration=428.123s, table=1, n_packets=0, n_bytes=0, idle_age=428, priority=20490,dl_type=0x9000 actions=drop
cookie=0x5adc15c0, duration=428.123s, table=1, n_packets=0, n_bytes=0, idle_age=428, priority=20480,dl_src=ff:ff:ff:ff:ff:ff actions=drop
cookie=0x5adc15c0, duration=428.123s, table=1, n_packets=0, n_bytes=0, idle_age=428, priority=20480,dl_src=0e:00:00:00:00:01 actions=drop
cookie=0x5adc15c0, duration=101.742s, table=1, n_packets=0, n_bytes=0, hard_timeout=290, idle_age=403, priority=8191,in_port=9,dl_vlan=171,dl_src=9a:02:57:1e:8f:01 actions=resubmit(,2)
cookie=0x5adc15c0, duration=415.101s, table=1, n_packets=221, n_bytes=10614, idle_age=24, priority=4096,dl_vlan=171 actions=CONTROLLER:96,resubmit(,2)
cookie=0x5adc15c0, duration=428.037s, table=1, n_packets=0, n_bytes=0, idle_age=428, priority=0 actions=resubmit(,2)
cookie=0x5adc15c0, duration=403.257s, table=2, n_packets=0, n_bytes=0, idle_timeout=430, idle_age=403, priority=8192,dl_vlan=171,dl_vlan_pcp=2,dl_dst=9a:02:57:1e:8f:00 actions=output:6
cookie=0x5adc15c0, duration=403.257s, table=2, n_packets=0, n_bytes=0, idle_timeout=430, idle_age=403, priority=8192,dl_vlan=171,dl_vlan_pcp=0,dl_dst=9a:02:57:1e:8f:00 actions=output:6
cookie=0x5adc15c0, duration=403.257s, table=2, n_packets=0, n_bytes=0, idle_timeout=435, idle_age=403, priority=8192,dl_vlan=171,dl_vlan_pcp=2,dl_dst=9a:02:57:1e:8f:02 actions=output:10
cookie=0x5adc15c0, duration=403.257s, table=2, n_packets=1, n_bytes=102, idle_timeout=435, idle_age=402, priority=8192,dl_vlan=171,dl_vlan_pcp=0,dl_dst=9a:02:57:1e:8f:02 actions=output:10
cookie=0x5adc15c0, duration=403.258s, table=2, n_packets=0, n_bytes=0, idle_timeout=440, idle_age=403, priority=8192,dl_vlan=171,dl_vlan_pcp=2,dl_dst=9a:02:57:1e:8f:01 actions=output:9
cookie=0x5adc15c0, duration=403.258s, table=2, n_packets=0, n_bytes=0, idle_timeout=440, idle_age=403, priority=8192,dl_vlan=171,dl_vlan_pcp=0,dl_dst=9a:02:57:1e:8f:01 actions=output:9
cookie=0x5adc15c0, duration=428.038s, table=2, n_packets=221, n_bytes=10614, idle_age=24, priority=0 actions=resubmit(,3)
```
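One way to check a switch for the packet-in ratio described in this report, as an added example that is not part of the original issue or the project's code: it parses `ovs-ofctl dump-flows` text and compares the counter on the learning-table rule that punts to the controller against the packets entering that table. The function names, the 0.5 threshold, and the assumption that table 0 is ingress and table 1 is the learning table (as in this dump) are illustrative.

```python
import re

# Four flows copied from the dump in the issue above (t1sw2, tables 0 and 1).
SAMPLE_DUMP = """\
 cookie=0x5adc15c0, duration=428.120s, table=0, n_packets=222, n_bytes=10716, idle_age=24, priority=9000,in_port=6 actions=resubmit(,1)
 cookie=0x5adc15c0, duration=428.120s, table=0, n_packets=0, n_bytes=0, idle_age=428, priority=9000,in_port=9 actions=resubmit(,1)
 cookie=0x5adc15c0, duration=101.742s, table=1, n_packets=0, n_bytes=0, hard_timeout=290, idle_age=403, priority=8191,in_port=9,dl_vlan=171,dl_src=9a:02:57:1e:8f:01 actions=resubmit(,2)
 cookie=0x5adc15c0, duration=415.101s, table=1, n_packets=221, n_bytes=10614, idle_age=24, priority=4096,dl_vlan=171 actions=CONTROLLER:96,resubmit(,2)
"""

def parse_flow(line):
    """Split one dump-flows line into a field dict plus its raw action string."""
    head, sep, actions = line.strip().partition(" actions=")
    if not sep:  # reply header or blank line, not a flow entry
        return None
    fields = dict(re.findall(r"([a-z_]+)=([^,\s]+)", head))
    fields["actions"] = actions
    return fields

def packet_in_report(dump, ingress_table="0", learn_table="1", threshold=0.5):
    """Report how much learning-table traffic is punted to the controller."""
    flows = [f for f in map(parse_flow, dump.splitlines()) if f and "table" in f]
    # Packets handed from the ingress table to the learning table.
    entered = sum(int(f["n_packets"]) for f in flows
                  if f["table"] == ingress_table
                  and f"resubmit(,{learn_table})" in f["actions"])
    in_learn = [f for f in flows if f["table"] == learn_table]
    # "Skip learning" rules: exact in_port + dl_src match, no controller action.
    skip_hits = sum(int(f["n_packets"]) for f in in_learn
                    if "dl_src" in f and "in_port" in f
                    and "CONTROLLER" not in f["actions"])
    report = []
    for f in in_learn:
        if "CONTROLLER" not in f["actions"]:
            continue
        punted = int(f["n_packets"])
        ratio = punted / entered if entered else 0.0
        report.append({"priority": int(f["priority"]), "punted": punted,
                       "entered": entered, "skip_hits": skip_hits,
                       "ratio": round(ratio, 3),
                       "flagged": ratio >= threshold and punted > skip_hits})
    return report

if __name__ == "__main__":
    for row in packet_in_report(SAMPLE_DUMP):
        print(row)
```

On the excerpt, 221 of the 222 packets that entered table 1 hit the `CONTROLLER:96` rule while the `in_port=9` skip-learning rule has zero hits, so the rule is flagged.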
Please re-open with steps to reproduce the problem.
There is not enough information to draw this conclusion yet.