
Ensure unexpected UDN traffic is dropped in the external OVS bridge.

Open dceara opened this issue 6 months ago • 0 comments

What would you like to be added?

All traffic originated by a UDN (on the OVS patch port connecting the UDN OVN topology with br-ex) must come from the UDN's masquerade IP (169.254.19.0/17).

No traffic is expected from other source IPs. If (due to a bug, for example) such traffic is detected on the UDN's patch port, it should be dropped.

Context: https://github.com/ovn-org/ovn-kubernetes/pull/4557#discussion_r1716174564

Why is this needed?

Hardening of packet processing pipeline for user defined network segmentation.

dceara · Aug 15 '24 16:08