Mailing-List: contact dev-help@cloudstack.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@cloudstack.apache.org
Received-SPF: neutral (athena.apache.org: local policy)
Message-ID: <540AD69F.10508@widodh.nl>
Date: Sat, 06 Sep 2014 11:40:47 +0200
From: Wido den Hollander <wido@widodh.nl>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: dev@cloudstack.apache.org
Subject: Re: IPv6 ~ Basic Network
References: 
 <CAF1jPWfDFsOpU0FpD29LXq3eHvwSGxm3i6MG3ksBwKQH-2LsHw@mail.gmail.com>
 <2118507859.75194.1408565227180.JavaMail.zimbra@li.nux.ro>
 <53F506E0.8010500@widodh.nl>
 <1461186280.75289.1408574890628.JavaMail.zimbra@li.nux.ro>
 <51C189B2-FA86-4D85-BAAB-22A549C99E56@stratosec.co>
 <592303896.11185.1409913774447.JavaMail.zimbra@li.nux.ro>
 <5409CE4A.2090001@widodh.nl>
 <CALFpzo6TZ0_=xJVY1K6CHKJc8i=VX2_87CzpzGqdbtubt6hV1w@mail.gmail.com>
 <1472736952.11606.1409930304537.JavaMail.zimbra@li.nux.ro>
In-Reply-To: <1472736952.11606.1409930304537.JavaMail.zimbra@li.nux.ro>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit


On 05-09-14 17:18, Nux! wrote:
> Marcus,
> 
> It'd be nice to have this in ACS, but seems like there is an appeal to have this done sort of outside that. Of course, having IPv6 support in basic/sg zones would be ideal.
> 

Indeed. It would be great to have basic IPv6 in the Basic Zones.

> Anyone volunteers to write the code? :)
> 

I'd love to, but I know I'd never get to it (time..). My company is
looking for a CloudStack developer though. Once we find him this will be
one of the things he/she will be working on.

Wido

> Lucian
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro
> 
> 
> ----- Original Message -----
>> From: "Marcus" <shadowsor@gmail.com>
>> To: dev@cloudstack.apache.org
>> Sent: Friday, 5 September, 2014 4:00:21 PM
>> Subject: Re: IPv6 ~ Basic Network
>>
>> Hey guys, there is a functional spec for ipv6 that was started in the
>> spring. No code is written as far as I a aware. It might be nice to review
>> that and make changes to keep the spec ready, or just keep track of what
>> cloudstack is planning so you can stay compatible if/when it lands.
>> On Sep 5, 2014 7:53 AM, "Wido den Hollander" <wido@widodh.nl> wrote:
>>
>>>
>>>
>>> On 05-09-14 12:42, Nux! wrote:
>>>
>>>> Hi,
>>>>
>>>> I've been thinking about this and apparently there is a big security
>>>> problem with this idea, at least my colleagues from the network dept tell
>>>> me so.
>>>> If you want to use the router autoconfig thingy you must - as per current
>>>> standards - use a /64 on the router interface and this way you expose
>>>> yourself to a neighbour table attack - the neighbour table in avg cisco
>>>> routers can hold tens of thousands of entries more or less, but it's still
>>>> far from the trillions of addresses in a /64. This may seem far fetched
>>>> but
>>>> since 512k day, my colleagues don't want to take any more chances. :-)
>>>>
>>>
>>> That only works if you actually spawn thousands of instances in that
>>> subnet.
>>>
>>> One of the things people told me that you could overflow the neighbour
>>> table by sending packets to bogus IPv6 addresses.
>>>
>>> I tried that some weeks ago on a Brocade and Extreme Networks router, but
>>> they both have a system of "valid neighbours" and "pending neighbours".
>>>
>>> Only when a neighbour actually responded it goes into the "valid" table
>>> and otherwise it is kicked out of the "pending" pretty quickly.
>>>
>>> I could not overflow any table or make them drop traffic to legitimate
>>> hosts.
>>>
>>>  They recommend to use DHCPv6 instead with far smaller subnets, which of
>>>> course complicates things quite a bit on the cloudstack side...
>>>>
>>>>
>>> Well, we would still need DHCPv6 to hand out additional options like DNS,
>>> but yes. Since with the subnet + MAC you can calculate which IPv6 address
>>> the Instance will use based on SLAAC.
>>>
>>> We can program that address into the security groups and that's the IPv6
>>> address the guest can use.
>>>
>>> Additional IPs is just a matter of generating a address, storing it and
>>> adding it to the SG.
>>>
>>> So Router Advertisements are a very easy option to use.
>>>
>>>  Any thoughts?
>>>>
>>>> Lucian
>>>>
>>>> --
>>>> Sent from the Delta quadrant using Borg technology!
>>>>
>>>> Nux!
>>>> www.nux.ro
>>>>
>>>> ----- Original Message -----
>>>>
>>>>> From: "John Kinsella" <jlk@stratosec.co>
>>>>> To: dev@cloudstack.apache.org
>>>>> Sent: Wednesday, 20 August, 2014 11:59:27 PM
>>>>> Subject: Re: IPv6 ~ Basic Network
>>>>>
>>>>> Please do - we started tinkering with ipv6 ages ago, never got it to
>>>>> production, tho.
>>>>>
>>>>> On Aug 20, 2014, at 3:48 PM, Nux! <nux@li.nux.ro> wrote:
>>>>>
>>>>>  Thanks Wido for the idea, then. :-)
>>>>>> I'll gladly share it with you guys should I come up with something that
>>>>>> works.
>>>>>>
>>>>>> Lucian
>>>>>>
>>>>>> --
>>>>>> Sent from the Delta quadrant using Borg technology!
>>>>>>
>>>>>> Nux!
>>>>>> www.nux.ro
>>>>>>
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>
>>>>>>> From: "Wido den Hollander" <wido@widodh.nl>
>>>>>>> To: dev@cloudstack.apache.org
>>>>>>> Sent: Wednesday, 20 August, 2014 9:36:48 PM
>>>>>>> Subject: Re: IPv6 ~ Basic Network
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 08/20/2014 10:07 PM, Nux! wrote:
>>>>>>>
>>>>>>>> Wido,
>>>>>>>>
>>>>>>>> Can you share your code for this?
>>>>>>>>
>>>>>>>>
>>>>>>> Oh, I don't have any code. The setups I created have plain IPv6 without
>>>>>>> any security grouping.
>>>>>>>
>>>>>>> My previous e-mail was just to illustrate what would be required.
>>>>>>>
>>>>>>> Wido
>>>>>>>
>>>>>>>  Cheers
>>>>>>>>
>>>>>>>> --
>>>>>>>> Sent from the Delta quadrant using Borg technology!
>>>>>>>>
>>>>>>>> Nux!
>>>>>>>> www.nux.ro
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>>
>>