Date: Sat, 6 Sep 2014 07:16:34 -0400
Subject: Re: IPv6 ~ Basic Network
From: Mo
To: dev

At this juncture, it's impossible to implement a v6 subnet in basic mode?

On Sat, Sep 6, 2014 at 5:40 AM, Wido den Hollander wrote:

> On 05-09-14 17:18, Nux! wrote:
> > Marcus,
> >
> > It'd be nice to have this in ACS, but seems like there is an appeal to
> > have this done sort of outside that. Of course, having IPv6 support in
> > basic/sg zones would be ideal.
> >
>
> Indeed. It would be great to have basic IPv6 in the Basic Zones.
>
> > Anyone volunteers to write the code? :)
> >
>
> I'd love to, but I know I'd never get to it (time..). My company is
> looking for a CloudStack developer though. Once we find him this will be
> one of the things he/she will be working on.
>
> Wido
>
> > Lucian
> >
> > --
> > Sent from the Delta quadrant using Borg technology!
> >
> > Nux!
> > www.nux.ro
> >
> >
> > ----- Original Message -----
> >> From: "Marcus"
> >> To: dev@cloudstack.apache.org
> >> Sent: Friday, 5 September, 2014 4:00:21 PM
> >> Subject: Re: IPv6 ~ Basic Network
> >>
> >> Hey guys, there is a functional spec for ipv6 that was started in the
> >> spring. No code is written as far as I am aware. It might be nice to
> >> review that and make changes to keep the spec ready, or just keep
> >> track of what cloudstack is planning so you can stay compatible
> >> if/when it lands.
> >> On Sep 5, 2014 7:53 AM, "Wido den Hollander" wrote:
> >>
> >>> On 05-09-14 12:42, Nux! wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I've been thinking about this and apparently there is a big security
> >>>> problem with this idea, at least my colleagues from the network dept
> >>>> tell me so.
> >>>> If you want to use the router autoconfig thingy you must - as per
> >>>> current standards - use a /64 on the router interface and this way
> >>>> you expose yourself to a neighbour table attack - the neighbour
> >>>> table in avg cisco routers can hold tens of thousands of entries
> >>>> more or less, but it's still far from the trillions of addresses in
> >>>> a /64. This may seem far fetched but since 512k day, my colleagues
> >>>> don't want to take any more chances. :-)
> >>>>
> >>>
> >>> That only works if you actually spawn thousands of instances in that
> >>> subnet.
> >>>
> >>> One of the things people told me that you could overflow the
> >>> neighbour table by sending packets to bogus IPv6 addresses.
> >>>
> >>> I tried that some weeks ago on a Brocade and Extreme Networks router,
> >>> but they both have a system of "valid neighbours" and "pending
> >>> neighbours".
> >>>
> >>> Only when a neighbour actually responded it goes into the "valid"
> >>> table and otherwise it is kicked out of the "pending" pretty quickly.
> >>>
> >>> I could not overflow any table or make them drop traffic to
> >>> legitimate hosts.
> >>>
> >>>> They recommend to use DHCPv6 instead with far smaller subnets, which
> >>>> of course complicates things quite a bit on the cloudstack side...
> >>>>
> >>>
> >>> Well, we would still need DHCPv6 to hand out additional options like
> >>> DNS, but yes. Since with the subnet + MAC you can calculate which
> >>> IPv6 address the Instance will use based on SLAAC.
> >>>
> >>> We can program that address into the security groups and that's the
> >>> IPv6 address the guest can use.
> >>>
> >>> Additional IPs is just a matter of generating an address, storing it
> >>> and adding it to the SG.
> >>>
> >>> So Router Advertisements are a very easy option to use.
> >>>
> >>>> Any thoughts?
> >>>>
> >>>> Lucian
> >>>>
> >>>> --
> >>>> Sent from the Delta quadrant using Borg technology!
> >>>>
> >>>> Nux!
> >>>> www.nux.ro
> >>>>
> >>>> ----- Original Message -----
> >>>>
> >>>>> From: "John Kinsella"
> >>>>> To: dev@cloudstack.apache.org
> >>>>> Sent: Wednesday, 20 August, 2014 11:59:27 PM
> >>>>> Subject: Re: IPv6 ~ Basic Network
> >>>>>
> >>>>> Please do - we started tinkering with ipv6 ages ago, never got it
> >>>>> to production, tho.
> >>>>>
> >>>>> On Aug 20, 2014, at 3:48 PM, Nux! wrote:
> >>>>>
> >>>>>> Thanks Wido for the idea, then. :-)
> >>>>>> I'll gladly share it with you guys should I come up with something
> >>>>>> that works.
> >>>>>>
> >>>>>> Lucian
> >>>>>>
> >>>>>> --
> >>>>>> Sent from the Delta quadrant using Borg technology!
> >>>>>>
> >>>>>> Nux!
> >>>>>> www.nux.ro
> >>>>>>
> >>>>>>
> >>>>>> ----- Original Message -----
> >>>>>>
> >>>>>>> From: "Wido den Hollander"
> >>>>>>> To: dev@cloudstack.apache.org
> >>>>>>> Sent: Wednesday, 20 August, 2014 9:36:48 PM
> >>>>>>> Subject: Re: IPv6 ~ Basic Network
> >>>>>>>
> >>>>>>> On 08/20/2014 10:07 PM, Nux! wrote:
> >>>>>>>
> >>>>>>>> Wido,
> >>>>>>>>
> >>>>>>>> Can you share your code for this?
> >>>>>>>>
> >>>>>>>
> >>>>>>> Oh, I don't have any code. The setups I created have plain IPv6
> >>>>>>> without any security grouping.
> >>>>>>>
> >>>>>>> My previous e-mail was just to illustrate what would be required.
> >>>>>>>
> >>>>>>> Wido
> >>>>>>>
> >>>>>>>> Cheers
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Sent from the Delta quadrant using Borg technology!
> >>>>>>>>
> >>>>>>>> Nux!
> >>>>>>>> www.nux.ro
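
The thread's point that subnet + MAC determines the SLAAC address, and that this address can be programmed into a security group, as an added example (not code from the thread or from CloudStack). It assumes the guest uses modified EUI-64 interface identifiers (RFC 4291, Appendix A) rather than privacy or stable-opaque addresses (RFC 4941, RFC 7217); the function names, prefix and MAC are hypothetical.

```python
import ipaddress

def slaac_eui64(prefix, mac):
    """Modified EUI-64 address (RFC 4291, Appendix A) for `mac` in a /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC requires a /64 prefix")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Invert the universal/local bit, then insert ff:fe between OUI and NIC id.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(iid, "big"))

def allowed_sources(prefix, mac, additional=()):
    """Source addresses a security group would accept from this NIC:
    link-local, the SLAAC address, and any stored additional IPs that
    actually fall inside the zone prefix."""
    net = ipaddress.IPv6Network(prefix)
    allowed = {slaac_eui64("fe80::/64", mac), slaac_eui64(prefix, mac)}
    for ip in additional:
        addr = ipaddress.IPv6Address(ip)
        if addr not in net:
            raise ValueError(f"{addr} is outside {net}")
        allowed.add(addr)
    return allowed

def source_permitted(src, prefix, mac, additional=()):
    """Anti-spoofing decision for one observed source address."""
    return ipaddress.IPv6Address(src) in allowed_sources(prefix, mac, additional)

if __name__ == "__main__":
    PREFIX = "2001:db8:100::/64"   # constructed documentation prefix
    MAC = "06:4f:2a:00:00:1b"      # constructed guest NIC MAC
    print(slaac_eui64(PREFIX, MAC))
    for src in ("2001:db8:100::44f:2aff:fe00:1b", "2001:db8:100::bad"):
        print(src, source_permitted(src, PREFIX, MAC))
```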