[neutron] multicast and allowed address pairs
Hi Neutrinos, We have a user who discovered that two neutron backends behave differently when it comes to handling multicast traffic. This user runs servers that need multicast for VRRP coordination (the point is multicast, not VRRP). They discovered that with the (no longer upstream supported) OpenDaylight backend, they need to let the multicast traffic through with an allowed address pair. On the other hand, the ml2/ovs backend (here always assuming the ovs firewall driver) allows the multicast traffic by default. If you add the same allowed address pair (for example: {'mac_address': '01:00:5e:00:00:64', 'ip_address': '224.0.0.100'}) as with OpenDaylight, it actually breaks multicast traffic. The traffic breaks even on other servers, affected by the same set of flows installed by ovs-agent. My question is: which backend behaves correctly? And do we need to change anything upstream? Since I found the following upstream history... https://opendev.org/openstack/neutron/src/branch/master/doc/source/admin/con... https://bugs.launchpad.net/neutron/+bug/1889631 ... I believe that ml2/ovs (with the ovs fw driver) behaves correctly when it lets the multicast traffic through by default. However I believe it is a bug that the traffic breaks when the user adds the allowed address pair. But I think it would be pretty pointless to start fixing the traffic itself since we would need to make changes for no effect. Rather we could reject allowed address pairs with multicast IPs/MAC addresses, because that would call the attention of the user that multicast traffic is already handled at a different place (that is the default behavior of the fw driver). I also believe that the OpenDaylight driver is buggy when it does not let the multicast traffic through just like ml2/ovs does. However this is not an upstream problem anymore, since networking-odl is long deprecated. Do you agree in the judgement where the bugs are in this case? The possible upstream change: Do you think we should start rejecting allowed address pairs with multicast IPs/MAC addresses? Plus I guess a doc update for allowed address pairs api-ref is due... If needed, I'm happy to bring this to the drivers meeting. It's 100% that I could attend next Friday (6th of March) and 80% for this Friday (27th of February). Thanks, Bence
Hi Bence, Sorry for the slow response. On 2/23/26 6:50 AM, Bence Romsics wrote:
Hi Neutrinos,
We have a user who discovered that two neutron backends behave differently when it comes to handling multicast traffic. This user runs servers that need multicast for VRRP coordination (the point is multicast, not VRRP). They discovered that with the (no longer upstream supported) OpenDaylight backend, they need to let the multicast traffic through with an allowed address pair. On the other hand, the ml2/ovs backend (here always assuming the ovs firewall driver) allows the multicast traffic by default. If you add the same allowed address pair (for example: {'mac_address': '01:00:5e:00:00:64', 'ip_address': '224.0.0.100'}) as with OpenDaylight, it actually breaks multicast traffic. The traffic breaks even on other servers, affected by the same set of flows installed by ovs-agent.
My question is: which backend behaves correctly? And do we need to change anything upstream?
Since I found the following upstream history...
https://opendev.org/openstack/neutron/src/branch/master/doc/source/admin/con... https://bugs.launchpad.net/neutron/+bug/1889631
... I believe that ml2/ovs (with the ovs fw driver) behaves correctly when it lets the multicast traffic through by default. However I believe it is a bug that the traffic breaks when the user adds the allowed address pair. But I think it would be pretty pointless to start fixing the traffic itself since we would need to make changes for no effect. Rather we could reject allowed address pairs with multicast IPs/MAC addresses, because that would call the attention of the user that multicast traffic is already handled at a different place (that is the default behavior of the fw driver).
Yes, based on the docs the OVS FW driver is behaving correctly by allowing the multicast traffic.
I also believe that the OpenDaylight driver is buggy when it does not let the multicast traffic through just like ml2/ovs does. However this is not an upstream problem anymore, since networking-odl is long deprecated.
Do you agree in the judgement where the bugs are in this case? The possible upstream change: Do you think we should start rejecting allowed address pairs with multicast IPs/MAC addresses? Plus I guess a doc update for allowed address pairs api-ref is due...
If needed, I'm happy to bring this to the drivers meeting. It's 100% that I could attend next Friday (6th of March) and 80% for this Friday (27th of February). It does seem like the intention of allowed address pairs was for unicast addresses, so I guess rejecting multicast would be Ok. This is the original spec for history, which only uses unicast addresses in examples [0].
Let me know if you still want to meet tomorrow at drivers meeting. [0] https://github.com/openstack/neutron-specs/blob/master/misc/api/allowed_addr... -Brian
Hi Brian, If we agree that multicast should be rejected by allowed address pairs, I think it is fine to skip this topic for tomorrows drivers meeting. We will propose the necessary change and documentation to make it clear. Thanks for checking Lajos Katona (lajoskatona) Brian Haley <haleyb.dev@gmail.com> ezt írta (időpont: 2026. márc. 5., Cs, 16:35):
Hi Bence,
Sorry for the slow response.
Hi Neutrinos,
We have a user who discovered that two neutron backends behave differently when it comes to handling multicast traffic. This user runs servers that need multicast for VRRP coordination (the point is multicast, not VRRP). They discovered that with the (no longer upstream supported) OpenDaylight backend, they need to let the multicast traffic through with an allowed address
On 2/23/26 6:50 AM, Bence Romsics wrote: pair.
On the other hand, the ml2/ovs backend (here always assuming the ovs firewall driver) allows the multicast traffic by default. If you add the same allowed address pair (for example: {'mac_address': '01:00:5e:00:00:64', 'ip_address': '224.0.0.100'}) as with OpenDaylight, it actually breaks multicast traffic. The traffic breaks even on other servers, affected by the same set of flows installed by ovs-agent.
My question is: which backend behaves correctly? And do we need to change anything upstream?
Since I found the following upstream history...
https://opendev.org/openstack/neutron/src/branch/master/doc/source/admin/con...
https://bugs.launchpad.net/neutron/+bug/1889631
... I believe that ml2/ovs (with the ovs fw driver) behaves correctly when it lets the multicast traffic through by default. However I believe it is a bug that the traffic breaks when the user adds the allowed address pair. But I think it would be pretty pointless to start fixing the traffic itself since we would need to make changes for no effect. Rather we could reject allowed address pairs with multicast IPs/MAC addresses, because that would call the attention of the user that multicast traffic is already handled at a different place (that is the default behavior of the fw driver).
Yes, based on the docs the OVS FW driver is behaving correctly by allowing the multicast traffic.
I also believe that the OpenDaylight driver is buggy when it does not let the multicast traffic through just like ml2/ovs does. However this is not an upstream problem anymore, since networking-odl is long deprecated.
Do you agree in the judgement where the bugs are in this case? The possible upstream change: Do you think we should start rejecting allowed address pairs with multicast IPs/MAC addresses? Plus I guess a doc update for allowed address pairs api-ref is due...
If needed, I'm happy to bring this to the drivers meeting. It's 100% that I could attend next Friday (6th of March) and 80% for this Friday (27th of February). It does seem like the intention of allowed address pairs was for unicast addresses, so I guess rejecting multicast would be Ok. This is the original spec for history, which only uses unicast addresses in examples [0].
Let me know if you still want to meet tomorrow at drivers meeting.
[0]
https://github.com/openstack/neutron-specs/blob/master/misc/api/allowed_addr...
-Brian
Hi Brian, Thank you for your answer! I don't think we need the meeting if we already agree on the direction. Soon I'll create a launchpad ticket to track this and propose changes to: * the allowed_address_pair api to reject non-unicast addresses * docs update to make this clear to our users Thank you, Bence
participants (3)
-
Bence Romsics
-
Brian Haley
-
Lajos Katona