cloudstack-dev mailing list archives

From Mo ...@daoenix.com>
Subject Re: IPv6 ~ Basic Network
Date Sat, 06 Sep 2014 11:16:34 GMT
At this juncture, it's impossible to implement a v6 subnet in basic mode?


On Sat, Sep 6, 2014 at 5:40 AM, Wido den Hollander <wido@widodh.nl> wrote:

>
>
> On 05-09-14 17:18, Nux! wrote:
> > Marcus,
> >
> > It'd be nice to have this in ACS, but seems like there is an appeal to
> > have this done sort of outside that. Of course, having IPv6 support in
> > basic/sg zones would be ideal.
> >
>
> Indeed. It would be great to have basic IPv6 in the Basic Zones.
>
> > Anyone volunteers to write the code? :)
> >
>
> I'd love to, but I know I'd never get to it (time..). My company is
> looking for a CloudStack developer though. Once we find him this will be
> one of the things he/she will be working on.
>
> Wido
>
> > Lucian
> >
> > --
> > Sent from the Delta quadrant using Borg technology!
> >
> > Nux!
> > www.nux.ro
> >
> >
> > ----- Original Message -----
> >> From: "Marcus" <shadowsor@gmail.com>
> >> To: dev@cloudstack.apache.org
> >> Sent: Friday, 5 September, 2014 4:00:21 PM
> >> Subject: Re: IPv6 ~ Basic Network
> >>
> >> Hey guys, there is a functional spec for ipv6 that was started in the
> >> spring. No code is written as far as I am aware. It might be nice to review
> >> that and make changes to keep the spec ready, or just keep track of what
> >> cloudstack is planning so you can stay compatible if/when it lands.
> >> On Sep 5, 2014 7:53 AM, "Wido den Hollander" <wido@widodh.nl> wrote:
> >>
> >>>
> >>>
> >>> On 05-09-14 12:42, Nux! wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I've been thinking about this and apparently there is a big security
> >>>> problem with this idea, at least my colleagues from the network dept tell
> >>>> me so.
> >>>> If you want to use the router autoconfig thingy you must - as per current
> >>>> standards - use a /64 on the router interface and this way you expose
> >>>> yourself to a neighbour table attack - the neighbour table in avg cisco
> >>>> routers can hold tens of thousands of entries more or less, but it's still
> >>>> far from the trillions of addresses in a /64. This may seem far fetched but
> >>>> since 512k day, my colleagues don't want to take any more chances. :-)
> >>>>
> >>>
> >>> That only works if you actually spawn thousands of instances in that
> >>> subnet.
> >>>
> >>> One of the things people told me that you could overflow the neighbour
> >>> table by sending packets to bogus IPv6 addresses.
> >>>
> >>> I tried that some weeks ago on a Brocade and Extreme Networks router, but
> >>> they both have a system of "valid neighbours" and "pending neighbours".
> >>>
> >>> Only when a neighbour actually responded it goes into the "valid" table
> >>> and otherwise it is kicked out of the "pending" pretty quickly.
> >>>
> >>> I could not overflow any table or make them drop traffic to legitimate
> >>> hosts.
> >>>
> >>>> They recommend to use DHCPv6 instead with far smaller subnets, which of
> >>>> course complicates things quite a bit on the cloudstack side...
> >>>>
> >>>>
> >>> Well, we would still need DHCPv6 to hand out additional options like DNS,
> >>> but yes. Since with the subnet + MAC you can calculate which IPv6 address
> >>> the Instance will use based on SLAAC.
> >>>
> >>> We can program that address into the security groups and that's the IPv6
> >>> address the guest can use.
> >>>
> >>> Additional IPs is just a matter of generating an address, storing it and
> >>> adding it to the SG.
> >>>
> >>> So Router Advertisements are a very easy option to use.
> >>>
> >>>> Any thoughts?
> >>>>
> >>>> Lucian
> >>>>
> >>>> --
> >>>> Sent from the Delta quadrant using Borg technology!
> >>>>
> >>>> Nux!
> >>>> www.nux.ro
> >>>>
> >>>> ----- Original Message -----
> >>>>
> >>>>> From: "John Kinsella" <jlk@stratosec.co>
> >>>>> To: dev@cloudstack.apache.org
> >>>>> Sent: Wednesday, 20 August, 2014 11:59:27 PM
> >>>>> Subject: Re: IPv6 ~ Basic Network
> >>>>>
> >>>>> Please do - we started tinkering with ipv6 ages ago, never got it to
> >>>>> production, tho.
> >>>>>
> >>>>> On Aug 20, 2014, at 3:48 PM, Nux! <nux@li.nux.ro> wrote:
> >>>>>
> >>>>>> Thanks Wido for the idea, then. :-)
> >>>>>> I'll gladly share it with you guys should I come up with something that
> >>>>>> works.
> >>>>>>
> >>>>>> Lucian
> >>>>>>
> >>>>>> --
> >>>>>> Sent from the Delta quadrant using Borg technology!
> >>>>>>
> >>>>>> Nux!
> >>>>>> www.nux.ro
> >>>>>>
> >>>>>>
> >>>>>> ----- Original Message -----
> >>>>>>
> >>>>>>> From: "Wido den Hollander" <wido@widodh.nl>
> >>>>>>> To: dev@cloudstack.apache.org
> >>>>>>> Sent: Wednesday, 20 August, 2014 9:36:48 PM
> >>>>>>> Subject: Re: IPv6 ~ Basic Network
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On 08/20/2014 10:07 PM, Nux! wrote:
> >>>>>>>
> >>>>>>>> Wido,
> >>>>>>>>
> >>>>>>>> Can you share your code for this?
> >>>>>>>>
> >>>>>>>>
> >>>>>>> Oh, I don't have any code. The setups I created have plain IPv6 without
> >>>>>>> any security grouping.
> >>>>>>>
> >>>>>>> My previous e-mail was just to illustrate what would be required.
> >>>>>>>
> >>>>>>> Wido
> >>>>>>>
> >>>>>>>> Cheers
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Sent from the Delta quadrant using Borg technology!
> >>>>>>>>
> >>>>>>>> Nux!
> >>>>>>>> www.nux.ro
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>
>
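
The subnet + MAC calculation mentioned in the thread, as an added example (not code from any list participant or from CloudStack): it derives the modified EUI-64 SLAAC address for a guest NIC and builds the source-address allow-list a security group could enforce. The function names, the 2001:db8::/32 documentation prefix and the sample MAC are assumptions made for illustration, and including the link-local address in the allow-list is an addition here, since the guest needs it for neighbour discovery.

```python
import ipaddress

def parse_mac(mac: str) -> bytes:
    """Parse a 48-bit MAC written with ':' or '-' separators into 6 bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes(int(p, 16) for p in parts)  # bytes() rejects values > 0xff

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291): flip the universal/local bit, insert ff:fe."""
    raw = parse_mac(mac)
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a guest forms from a Router Advertisement for `prefix`."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def allowed_sources(prefix: str, mac: str, extra=()) -> set:
    """Source addresses the security group would accept from this NIC.

    `extra` holds additional IPs generated and stored by the platform.
    The link-local entry is an assumption added in this example.
    """
    iid = eui64_interface_id(mac)
    link_local = ipaddress.IPv6Address(int(ipaddress.IPv6Address("fe80::")) | iid)
    allowed = {slaac_address(prefix, mac), link_local}
    allowed.update(ipaddress.IPv6Address(a) for a in extra)
    return allowed

def is_allowed_source(src: str, prefix: str, mac: str, extra=()) -> bool:
    """Anti-spoofing check: does `src` belong to the NIC with this MAC?"""
    return ipaddress.IPv6Address(src) in allowed_sources(prefix, mac, extra)

if __name__ == "__main__":
    # Constructed sample values: documentation prefix and a made-up MAC.
    prefix, mac = "2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e"
    print(slaac_address(prefix, mac))
    print(is_allowed_source("2001:db8:1:2::bad", prefix, mac))
```

A guest that uses temporary (RFC 4941) or stable-privacy (RFC 7217) interface identifiers will not produce the EUI-64 address, so a filter built this way only works when the guest image is configured for EUI-64 SLAAC.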
