Message-ID: <5409CE4A.2090001@widodh.nl>
Date: Fri, 05 Sep 2014 16:52:58 +0200
From: Wido den Hollander
To: dev@cloudstack.apache.org
Subject: Re: IPv6 ~ Basic Network
References: <53F3A512.3020109@widodh.nl> <1490224422.74944.1408549577964.JavaMail.zimbra@li.nux.ro> <53F4FFDB.3010807@widodh.nl> <2118507859.75194.1408565227180.JavaMail.zimbra@li.nux.ro> <53F506E0.8010500@widodh.nl>
 <1461186280.75289.1408574890628.JavaMail.zimbra@li.nux.ro> <51C189B2-FA86-4D85-BAAB-22A549C99E56@stratosec.co> <592303896.11185.1409913774447.JavaMail.zimbra@li.nux.ro>
In-Reply-To: <592303896.11185.1409913774447.JavaMail.zimbra@li.nux.ro>

On 05-09-14 12:42, Nux! wrote:
> Hi,
>
> I've been thinking about this and apparently there is a big security problem with this idea, at least my colleagues from the network dept tell me so.
> If you want to use the router autoconfig thingy you must - as per current standards - use a /64 on the router interface and this way you expose yourself to a neighbour table attack - the neighbour table in avg cisco routers can hold tens of thousands of entries more or less, but it's still far from the trillions of addresses in a /64. This may seem far fetched but since 512k day, my colleagues don't want to take any more chances. :-)

That only works if you actually spawn thousands of instances in that subnet.

One of the things people told me was that you could overflow the neighbour table by sending packets to bogus IPv6 addresses.

I tried that some weeks ago on a Brocade and Extreme Networks router, but they both have a system of "valid neighbours" and "pending neighbours". Only when a neighbour actually responds does it go into the "valid" table; otherwise it is kicked out of the "pending" table pretty quickly.

I could not overflow any table or make them drop traffic to legitimate hosts.

> They recommend to use DHCPv6 instead with far smaller subnets, which of course complicates things quite a bit on the cloudstack side...
>

Well, we would still need DHCPv6 to hand out additional options like DNS, but yes.

Since with the subnet + MAC you can calculate which IPv6 address the Instance will use based on SLAAC, we can program that address into the security groups and that's the IPv6 address the guest can use.

Additional IPs are just a matter of generating an address, storing it and adding it to the SG.

So Router Advertisements are a very easy option to use.

> Any thoughts?
>
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> ----- Original Message -----
>> From: "John Kinsella"
>> To: dev@cloudstack.apache.org
>> Sent: Wednesday, 20 August, 2014 11:59:27 PM
>> Subject: Re: IPv6 ~ Basic Network
>>
>> Please do - we started tinkering with ipv6 ages ago, never got it to
>> production, tho.
>>
>> On Aug 20, 2014, at 3:48 PM, Nux! wrote:
>>
>>> Thanks Wido for the idea, then. :-)
>>> I'll gladly share it with you guys should I come up with something that
>>> works.
>>>
>>> Lucian
>>>
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>>
>>> Nux!
>>> www.nux.ro
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Wido den Hollander"
>>>> To: dev@cloudstack.apache.org
>>>> Sent: Wednesday, 20 August, 2014 9:36:48 PM
>>>> Subject: Re: IPv6 ~ Basic Network
>>>>
>>>>
>>>>
>>>> On 08/20/2014 10:07 PM, Nux! wrote:
>>>>> Wido,
>>>>>
>>>>> Can you share your code for this?
>>>>>
>>>>
>>>> Oh, I don't have any code. The setups I created have plain IPv6 without
>>>> any security grouping.
>>>>
>>>> My previous e-mail was just to illustrate what would be required.
>>>>
>>>> Wido
>>>>
>>>>> Cheers
>>>>>
>>>>> --
>>>>> Sent from the Delta quadrant using Borg technology!
>>>>>
>>>>> Nux!
>>>>> www.nux.ro
>>>>>
>>>>
>>
>>
>>
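The "subnet + MAC" derivation Wido relies on is the modified EUI-64 rule from RFC 4291 Appendix A. The following is an added example, not code from this thread or from CloudStack: it derives the SLAAC address a guest will form from a /64 prefix and its MAC, verifies an observed address against that expectation (the check the security-group side needs before trusting a source address), and renders an ip6tables-style ingress rule for it. The chain name `sg-<vm>` and the rule format are illustrative placeholders, as are the sample prefix and MAC. One caveat the thread does not mention: guests using privacy extensions (RFC 4941) or stable-privacy interface IDs (RFC 7217) will not form the EUI-64 address, so a security group pinned to it would drop their traffic; such guests need the address learned or assigned another way.

```python
"""Derive and verify the SLAAC (EUI-64) address a guest forms from prefix + MAC.

Added example for the security-group approach discussed in the thread; this is
not CloudStack code. Prefix, MAC and rule format below are constructed samples.
"""
import ipaddress
import re


def mac_to_eui64_interface_id(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a 48-bit MAC.

    RFC 4291 Appendix A: split the MAC in the middle, insert 0xFFFE, and flip
    the universal/local bit (0x02 in the first octet). Accepts ':' or '-'
    separated or bare hex MACs.
    """
    octets = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02  # flip the U/L bit
    return int.from_bytes(eui64, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the /64 announced in the Router Advertisement with the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        # SLAAC with EUI-64 only works on a 64-bit prefix (RFC 4862 / RFC 4291).
        raise ValueError(f"SLAAC with EUI-64 requires a /64, got /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_interface_id(mac))


def is_expected_slaac(observed: str, prefix: str, mac: str) -> bool:
    """True if an observed source address is exactly the one SLAAC predicts for this guest.

    This is the check the security-group side would apply: traffic from any
    other address in the /64 (a guessed or spoofed one) does not match.
    """
    try:
        return ipaddress.IPv6Address(observed) == slaac_address(prefix, mac)
    except ValueError:
        return False


def ingress_rule(vm_id: str, prefix: str, mac: str, proto: str, port: int) -> str:
    """Render an illustrative ip6tables-style accept rule for the guest's SLAAC /128.

    The chain name 'sg-<vm_id>' is a placeholder, not CloudStack's naming.
    """
    addr = slaac_address(prefix, mac)
    return f"-A sg-{vm_id} -d {addr}/128 -p {proto} --dport {port} -j ACCEPT"


if __name__ == "__main__":
    # Constructed sample values (documentation prefix, made-up MAC and VM id).
    PREFIX, MAC, VM = "2001:db8:1::/64", "00:1a:2b:3c:4d:5e", "i-2-7-VM"
    print("SLAAC address:", slaac_address(PREFIX, MAC))
    print("rule:", ingress_rule(VM, PREFIX, MAC, "tcp", 22))
    print("matches own address:", is_expected_slaac("2001:db8:1:0:21a:2bff:fe3c:4d5e", PREFIX, MAC))
    print("matches other address in /64:", is_expected_slaac("2001:db8:1::dead:beef", PREFIX, MAC))
```

Because the address is a pure function of the prefix and MAC, the orchestrator can compute and program it before the instance ever sends a packet, which is what makes Router Advertisements workable with security groups even though no DHCPv6 lease records the address.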