cloudstack-dev mailing list archives

From Marcus <shadow...@gmail.com>
Subject Re: IPv6 ~ Basic Network
Date Fri, 05 Sep 2014 15:00:21 GMT
Hey guys, there is a functional spec for ipv6 that was started in the
spring. No code is written as far as I am aware. It might be nice to review
that and make changes to keep the spec ready, or just keep track of what
cloudstack is planning so you can stay compatible if/when it lands.
On Sep 5, 2014 7:53 AM, "Wido den Hollander" <wido@widodh.nl> wrote:

>
>
> On 05-09-14 12:42, Nux! wrote:
>
>> Hi,
>>
>> I've been thinking about this and apparently there is a big security
>> problem with this idea, at least my colleagues from the network dept tell
>> me so.
>> If you want to use the router autoconfig thingy you must - as per current
>> standards - use a /64 on the router interface and this way you expose
>> yourself to a neighbour table attack - the neighbour table in avg cisco
>> routers can hold tens of thousands of entries more or less, but it's still
>> far from the trillions of addresses in a /64. This may seem far fetched but
>> since 512k day, my colleagues don't want to take any more chances. :-)
>>
>
> That only works if you actually spawn thousands of instances in that
> subnet.
>
> One of the things people told me that you could overflow the neighbour
> table by sending packets to bogus IPv6 addresses.
>
> I tried that some weeks ago on a Brocade and Extreme Networks router, but
> they both have a system of "valid neighbours" and "pending neighbours".
>
> Only when a neighbour actually responded it goes into the "valid" table
> and otherwise it is kicked out of the "pending" pretty quickly.
>
> I could not overflow any table or make them drop traffic to legitimate
> hosts.
>
>> They recommend to use DHCPv6 instead with far smaller subnets, which of
>> course complicates things quite a bit on the cloudstack side...
>>
>>
> Well, we would still need DHCPv6 to hand out additional options like DNS,
> but yes. Since with the subnet + MAC you can calculate which IPv6 address
> the Instance will use based on SLAAC.
>
> We can program that address into the security groups and that's the IPv6
> address the guest can use.
>
> Additional IPs is just a matter of generating a address, storing it and
> adding it to the SG.
>
> So Router Advertisements are a very easy option to use.
>
>> Any thoughts?
>>
>> Lucian
>>
>> --
>> Sent from the Delta quadrant using Borg technology!
>>
>> Nux!
>> www.nux.ro
>>
>> ----- Original Message -----
>>
>>> From: "John Kinsella" <jlk@stratosec.co>
>>> To: dev@cloudstack.apache.org
>>> Sent: Wednesday, 20 August, 2014 11:59:27 PM
>>> Subject: Re: IPv6 ~ Basic Network
>>>
>>> Please do - we started tinkering with ipv6 ages ago, never got it to
>>> production, tho.
>>>
>>> On Aug 20, 2014, at 3:48 PM, Nux! <nux@li.nux.ro> wrote:
>>>
>>>> Thanks Wido for the idea, then. :-)
>>>> I'll gladly share it with you guys should I come up with something that
>>>> works.
>>>>
>>>> Lucian
>>>>
>>>> --
>>>> Sent from the Delta quadrant using Borg technology!
>>>>
>>>> Nux!
>>>> www.nux.ro
>>>>
>>>>
>>>> ----- Original Message -----
>>>>
>>>>> From: "Wido den Hollander" <wido@widodh.nl>
>>>>> To: dev@cloudstack.apache.org
>>>>> Sent: Wednesday, 20 August, 2014 9:36:48 PM
>>>>> Subject: Re: IPv6 ~ Basic Network
>>>>>
>>>>>
>>>>>
>>>>> On 08/20/2014 10:07 PM, Nux! wrote:
>>>>>
>>>>>> Wido,
>>>>>>
>>>>>> Can you share your code for this?
>>>>>>
>>>>>>
>>>>> Oh, I don't have any code. The setups I created have plain IPv6 without
>>>>> any security grouping.
>>>>>
>>>>> My previous e-mail was just to illustrate what would be required.
>>>>>
>>>>> Wido
>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> --
>>>>>> Sent from the Delta quadrant using Borg technology!
>>>>>>
>>>>>> Nux!
>>>>>> www.nux.ro
>>>>>>
>>>>>>
>>>>>
>>>
>>>
>>>
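Wido's point above, that with the announced /64 prefix plus the guest's MAC you can compute the address a guest will pick via SLAAC and program exactly that address into the security group, worked through as an added example. This is not code from the thread or from CloudStack; it assumes the guest forms its interface identifier with modified EUI-64 (RFC 4291, Appendix A). A guest that instead uses privacy extensions (RFC 4941) or stable opaque identifiers (RFC 7217) picks a different identifier, so a security-group rule keyed to the precomputed address would then drop that guest's traffic; the prefix and MAC values below are constructed.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A).

    Split the MAC after the OUI, insert 0xFFFE, then flip the universal/local
    bit (bit 1 of the first octet). Returns the 64-bit identifier as an int.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = octets[0] ^ 0x02  # toggle the U/L bit
    eui64 = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui64, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a guest with this MAC autoconfigures from a /64 announced in an RA.

    Only valid for guests using EUI-64 identifiers (assumption noted above);
    privacy-extension guests choose a random identifier instead.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        # SLAAC with a 64-bit interface identifier needs exactly a /64.
        raise ValueError(f"SLAAC requires a /64 prefix, got /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def expected_addresses(prefix: str, macs: list[str]) -> dict[str, str]:
    """Map each guest MAC to the address the security group should permit."""
    return {mac: str(slaac_address(prefix, mac)) for mac in macs}


def belongs_to_instance(addr: str, prefix: str, mac: str) -> bool:
    """Anti-spoofing check: is `addr` the address this guest is expected to use?

    Compared as addresses rather than strings so "2001:db8::1" and its
    fully expanded form are treated as equal.
    """
    return ipaddress.IPv6Address(addr) == slaac_address(prefix, mac)


if __name__ == "__main__":
    # Constructed sample input: a documentation prefix and two guest MACs.
    PREFIX = "2001:db8:1::/64"
    GUEST_MACS = ["52:54:00:12:34:56", "02:aa:bb:cc:dd:ee"]
    for mac, addr in expected_addresses(PREFIX, GUEST_MACS).items():
        print(f"{mac} -> {addr}")
    # A guest claiming an address it was not assigned fails the check.
    print(belongs_to_instance("2001:db8:1::1", PREFIX, GUEST_MACS[0]))
```

The U/L bit flip is the step most often forgotten when people derive these addresses by hand: a globally assigned MAC starting with `52` yields an identifier starting with `50`, while a locally administered MAC starting with `02` yields one starting with `00`. Additional per-instance addresses, as Wido describes, would simply be generated, stored and added to the same security group alongside the SLAAC address.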
