[DVR] br-int in compute node will send unknown unicast to sg-xxx
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Confirmed | Low | Hong Hui Xiao |
Bug Description
Environment:
Installation: devstack
Dataplane: OpenVSwitch
Version: Ocata/Stable
Nodes: Two nodes. One node runs the controller services and the network services (dvr_snat); the other runs the compute service and the network services (dvr).
Steps to reproduce:
1. Create networks and a DVR router, connect them, and enable SNAT.
2. Boot one VM on the compute node.
3. Ping 8.8.8.8 from inside the VM.
4. tcpdump the tap device of the VM.
Observation:
$ sudo tcpdump -nei tap8b25d590-09
fa:
fa:
fa:
Relationship between IP address and MAC address:
Device | IP address | MAC address
---|---|---
VM | 10.0.0.6 | fa:16:3e:63:0c:57
qr-xxx | 10.0.0.1 | fa:16:3e:c8:7a:67
sg-xxx | 10.0.0.8 | fa:16:3e:ba:67:74
Error:
The VM should not capture "fa:16:3e:c8:7a:67 > fa:16:3e:ba:67:74", because that frame is a unicast from qr-xxx to sg-xxx. It appears that br-int has no fdb record for fa:16:3e:ba:67:74, so br-int floods frames destined to "fa:16:3e:ba:67:74" to every port in the same local VLAN, which is why the VM can capture this unknown unicast.
Since every device in the same local VLAN on the same br-int can capture the flooded unknown unicast, this has an impact on both performance and security: traffic between the routers leaks to tenant VMs that should never see it.
Expect:
"qr-xxx to sg-xxx" traffic should be delivered as unicast, not flooded.
Changed in neutron:
assignee: nobody → Hong Hui Xiao (xiaohhui)
Changed in neutron:
status: Incomplete → Confirmed
importance: Undecided → Medium
tags: added: l3-dvr-backlog
tags: added: ovs
Changed in neutron:
importance: Medium → Low
Thank you for your information.
I would like to ask you to provide a few more data points:
- could you collect a packet capture from the instance, please?
- could you check the bridge type of br-int, please?
- what is the connection between tapxxx and qr-xxx?
As per my understanding: tap and qr ports might be linked. From the compute host's perspective it might happen that packets will be visible on both interfaces.
Flooding might happen if br-int is a regular bridge (not a switch). What is more, if the IP-to-MAC information is not known, an ARP request will be sent to find out which MAC has the IP address, or a flood will be done one time to get a reply about which MAC has the IP.