[Openstack-security] Neutron: ARP responder and L-2 population

Adam Heczko aheczko at mirantis.com
Mon Jul 20 09:57:13 UTC 2015


Hi Anshul, I believe that both of these parameters are useful in a DVR
scenario.
These parameters are more related to DVR virtual router functionality
rather than to underlay/physical network architecture.
In regard to DoS attack mitigation, I'm not sure if OpenStack has any
related functionality.
I believe that some metering and stats provided by Ceilometer might be
useful for this purpose, but as of now, DoS prevention is usually
managed by means external to OpenStack (provider's network layer).
That's my understanding, please correct me if I'm wrong.

Regards,

Adam

On Mon, Jul 20, 2015 at 5:53 AM, Anshul Arora (akarora) <akarora at cisco.com>
wrote:

>  Folks,
>
>
>
> I’ve a query related to ARP configuration options and/or general OpenStack
> solution out of the box for DoS attacks.
>
>
>
> In the Neutron plugin.ini file, there are two parameters: L2 population
> and ARP responder. Based on the documentation it’s not clear in which “use
> cases” these parameters are mandatory. For e.g. is it that VLAN/GRE
> configuration? or VLAN-based implementation? or both? must be configured
> with ARP responder to prevent broadcast storms?
>
>
>
> The confusion kicks in because ARP responder is an optional parameter that
> is turned off by default.
>
>
>
> Thanks,
>
> -Anshul


-- 
Adam Heczko
Security Engineer @ Mirantis Inc.