I am starting to learn SDN with ovs-ofctl and mininet, and I am configuring a switch following some tutorials, but there's something I don't catch.

When I start my topology with:

sudo mn --topo single,2 --controller remote --switch ovsk

Now if I want to add a simple flow between h1 and h5, I do:

sh ovs-ofctl add-flow s1 in_port=1,actions=output:2
sh ovs-ofctl add-flow s1 in_port=2,actions=output:1

And if I test the connectivity between hosts all is ok.

But now, deleting all flows, if I try:

sh ovs-ofctl add-flow s1 in_port=1,dl_type=0x806,nw_dst=10.0.0.2,actions=output:2
sh ovs-ofctl add-flow s1 in_port=2,dl_type=0x806,nw_dst=10.0.0.1,actions=output:1

Now if I try to ping, there is no reachability, but if I execute:

sh ovs-ofctl add-flow s1 action=NORMAL

Now I can ping again between hosts.

What am I missing here? Isn't specifying dl_type=0x806 in the command enough to allow only Ethernet frames carrying ARP traffic? Why does ping fail there?

juan carlos
  • Because ping is ICMP. ping sends ICMP echo requests and responses, each of which is carried inside an IP header. If you only allow ARP, nothing else will pass through. [here](https://www.hacking.reviews/2017/10/understanding-guide-to-icmp-protocol.html?m=1) is a guide to ICMP. – Effie Dec 12 '21 at 14:27
  • If you filter by dl_type=0x806 (ARP), you are only allowing ARP traffic. No other Ethernet packets can pass. – Effie Dec 12 '21 at 14:30
  • Wow, thank you for the link, a very helpful lecture. I inspected the net with Wireshark pinging from h2 to 10.0.0.1 (h1) and I've seen that in fact ICMP requests are sent, and an ARP request asking for the MAC address is sent, getting a response from 10.0.0.1 with the MAC address, but because ICMP is not allowed the response from h1 never reaches h2. – juan carlos Dec 13 '21 at 10:31
  • @Effie But I have a last question: why, if I set `action=NORMAL` in s1, does ping not fail? I am a bit confused here, because I've configured hosts to only allow ARP traffic but after this last command ICMP requests pass. – juan carlos Dec 13 '21 at 10:33
  • I am not familiar with ovs in detail. From what I understand from [here](https://www.openvswitch.org/support/dist-docs-2.5/tutorial/Tutorial.md.html), action normal makes all flows be processed by a "normal" Linux bridge, and this bridge is capable of doing basic network processing, like forwarding ICMP packets. – Effie Dec 13 '21 at 11:24
  • @Effie Thank you for the answer. So it seems like if you configure it as normal, it doesn't matter that you configured the flows to only allow ARP traffic, and it will allow all. If you want to turn your comments into an answer I will accept it as the solution. – juan carlos Dec 13 '21 at 11:50
  • I am actually not sure, but this exact command, "sh ovs-ofctl add-flow s1 action=NORMAL", does not have any match part, so it should match every packet. – Effie Dec 13 '21 at 13:56

1 Answer

I think the main reason is a confusion between all involved protocols.

(1) Ping is done using ICMP, in particular ICMP echo request and ICMP echo reply messages. These messages are encapsulated in IP packets, which are in turn encapsulated in Ethernet frames. In this case the Ethernet next header field (I think it is actually called EtherType in general and dl_type here) is set to IP, which is 0x0800.

A more in-depth guide on how to read ICMP packets in wireshark can be found here.

(2) ARP is necessary for end systems to match IP addresses to MAC addresses. ARP is encapsulated directly into Ethernet frames, where the Ethernet next header field is set to the value 0x806.

Thus

sh ovs-ofctl add-flow s1 in_port=1,dl_type=0x806,nw_dst=10.0.0.2,actions=output:2

will allow only ARP packets to pass through, while dropping every non-ARP Ethernet frame. Thus ping packets are being dropped.

(3) The last question is why this works.

sh ovs-ofctl add-flow s1 action=NORMAL

I am not familiar with the details of OVS. From what I understand from here, action=NORMAL will make OVS act as a normal Linux bridge, which does normal Ethernet bridge operation, which involves forwarding all frames based on normal MAC learning rules.

Also, since there is no match part in this rule, it should match every packet. I do not know how this one would work.

sh ovs-ofctl add-flow s1 in_port=1,dl_type=0x806,nw_dst=10.0.0.2,actions=NORMAL

(4) This reference has a table at the bottom, which lists openflow rules to match common network protocols.

Effie
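The match semantics the answer describes, as an added example that is not part of the original post and not Open vSwitch or Mininet code: a toy OpenFlow-style matcher in Python. It parses the `key=value,...,actions=...` subset of ovs-ofctl flow syntax used in this thread (plus the `arp`, `ip`, `icmp` and `tcp` shorthands), treats every named field as a must-equal condition and every unnamed field as a wildcard, so a flow with no match part such as `action=NORMAL` matches every frame. The frames for a ping between h1 and h2 are constructed sample data, a table miss is simply modelled as a drop, and the `ARP_AND_ICMP` table is an assumption added to show that ARP plus ICMP can be allowed explicitly without opening the switch to all traffic the way `action=NORMAL` alone does.

```python
"""Toy OpenFlow-style matcher (added example; not OVS/Mininet code).

Every field named in a flow's match must equal the frame's field; a field
that is not named is a wildcard; a flow with no match part at all (such as
`action=NORMAL`) therefore matches every frame. Only the fields used in the
thread are modelled, and all frames below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

ETH_ARP = 0x0806          # dl_type for ARP
ETH_IP = 0x0800           # dl_type for IPv4
IPPROTO_ICMP = 1
IPPROTO_TCP = 6
DEFAULT_PRIORITY = 32768  # ovs-ofctl default when priority= is omitted

# ovs-ofctl shorthand keywords for common protocols (subset).
SHORTHANDS = {
    "arp": {"dl_type": ETH_ARP},
    "ip": {"dl_type": ETH_IP},
    "icmp": {"dl_type": ETH_IP, "nw_proto": IPPROTO_ICMP},
    "tcp": {"dl_type": ETH_IP, "nw_proto": IPPROTO_TCP},
}


@dataclass
class Frame:
    in_port: int
    dl_type: int
    nw_src: Optional[str] = None    # for ARP frames: sender protocol address
    nw_dst: Optional[str] = None    # for ARP frames: target protocol address
    nw_proto: Optional[int] = None  # IP protocol number; None for ARP
    desc: str = ""


@dataclass
class Flow:
    match: dict
    actions: str
    priority: int = DEFAULT_PRIORITY


def parse_flow(spec: str) -> Flow:
    """Parse the 'key=value,...,actions=...' subset of ovs-ofctl flow syntax."""
    parts = re.split(r"actions?=", spec, maxsplit=1)  # accepts action= too
    if len(parts) != 2:
        raise ValueError(f"flow needs an actions= part: {spec!r}")
    head, actions = parts
    match: dict = {}
    priority = DEFAULT_PRIORITY
    for token in filter(None, head.strip(",").split(",")):
        if token in SHORTHANDS:
            match.update(SHORTHANDS[token])
            continue
        key, _, value = token.partition("=")
        if key == "priority":
            priority = int(value)
        elif key in ("in_port", "nw_proto"):
            match[key] = int(value)
        elif key == "dl_type":
            match[key] = int(value, 16)  # 0x806 and 0x0806 both parse
        elif key in ("nw_src", "nw_dst"):
            match[key] = value
        else:
            raise ValueError(f"unsupported match field: {key}")
    return Flow(match, actions.strip(), priority)


def lookup(table: list[Flow], frame: Frame) -> str:
    """Action of the highest-priority matching flow; a miss is a drop here."""
    best: Optional[Flow] = None
    for flow in table:
        if all(getattr(frame, k) == v for k, v in flow.match.items()):
            if best is None or flow.priority > best.priority:
                best = flow
    return best.actions if best else "drop (table miss)"


def ping_exchange() -> list[Frame]:
    """Constructed frames on s1 when h1 (10.0.0.1, port 1) pings h2 (port 2)."""
    return [
        Frame(1, ETH_ARP, "10.0.0.1", "10.0.0.2", desc="ARP request h1->h2"),
        Frame(2, ETH_ARP, "10.0.0.2", "10.0.0.1", desc="ARP reply h2->h1"),
        Frame(1, ETH_IP, "10.0.0.1", "10.0.0.2", IPPROTO_ICMP, "ICMP echo request"),
        Frame(2, ETH_IP, "10.0.0.2", "10.0.0.1", IPPROTO_ICMP, "ICMP echo reply"),
        Frame(1, ETH_IP, "10.0.0.1", "10.0.0.2", IPPROTO_TCP, "TCP SYN h1->h2"),
    ]


def simulate(specs: list[str]) -> dict[str, str]:
    """Install the given flow specs and report the action chosen per frame."""
    table = [parse_flow(s) for s in specs]
    return {f.desc: lookup(table, f) for f in ping_exchange()}


# The two tables from the thread, plus an assumed explicit ARP+ICMP allow-list.
ARP_ONLY = [
    "in_port=1,dl_type=0x806,nw_dst=10.0.0.2,actions=output:2",
    "in_port=2,dl_type=0x806,nw_dst=10.0.0.1,actions=output:1",
]
NORMAL_ONLY = ["action=NORMAL"]
ARP_AND_ICMP = ["arp,actions=NORMAL", "icmp,actions=NORMAL"]

if __name__ == "__main__":
    for name, specs in (("ARP_ONLY", ARP_ONLY), ("NORMAL_ONLY", NORMAL_ONLY),
                        ("ARP_AND_ICMP", ARP_AND_ICMP)):
        print(name)
        for desc, action in simulate(specs).items():
            print(f"  {desc:20} -> {action}")
```

Running it shows the three situations side by side: with `ARP_ONLY` the two ARP frames are forwarded and both ICMP frames miss the table, which is exactly the failed ping; with `NORMAL_ONLY` every frame, including the TCP SYN, is handed to the learning bridge; with `ARP_AND_ICMP` the ping succeeds while the TCP frame still misses, which is the narrower rule set to reach for when a wide-open `action=NORMAL` is more than the experiment needs.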