Skip to content

Commit 18516f8

Browse files
committed
controller: Add option to make port security compliant with RFC 9568.
The RFC defines a Virtual Router Redundancy Protocol [0], in order for that protocol to work the workload might "spoof" MAC address within ARP or ND request/response. This wasn't allowed as the port security is specifically designed against spoofing and checks if the port security MAC address is the same for source of ARP/ND and the inner source/target address. To make the port security compliant add a special literal which when specified will allow user to add any/all MAC addresses defined by VRRPv3. The traffic from and to those additional MAC addresses will be allowed as well as permutations of ARP/ND inner MACs combined with the physical MAC as a source. [0] https://datatracker.ietf.org/doc/html/rfc9568 Reported-at: https://issues.redhat.com/browse/FDP-2979 Acked-by: Ilya Maximets <i.maximets@ovn.org> Acked-by: Dumitru Ceara <dceara@redhat.com> Signed-off-by: Ales Musil <amusil@redhat.com> (cherry picked from commit d9e2393)
1 parent 8b70e8b commit 18516f8

4 files changed

Lines changed: 1521 additions & 324 deletions

File tree

NEWS

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,8 @@
11
OVN v25.09.3 - xx xxx xxxx
22
--------------------------
3+
- Add support for special port_security prefix "VRRPv3". This prefix allows
4+
CMS to allow all required traffic for a VRRPv3 virtual router behind LSP.
5+
See ovn-nb(5) man page for more details.
36

47
OVN v25.09.2 - 04 Dec 2025
58
--------------------------

0 commit comments

Comments
 (0)