From: Marcus
To: dev@cloudstack.apache.org
Date: Fri, 5 Sep 2014 09:00:21 -0600
Subject: Re: IPv6 ~ Basic Network
In-Reply-To: <5409CE4A.2090001@widodh.nl>

Hey guys, there is a functional spec for IPv6 that was started in the spring. No code is written as far as I am aware. It might be nice to review that and make changes to keep the spec ready, or just keep track of what CloudStack is planning so you can stay compatible if/when it lands.

On Sep 5, 2014 7:53 AM, "Wido den Hollander" wrote:
>
> On 05-09-14 12:42, Nux! wrote:
>> Hi,
>>
>> I've been thinking about this and apparently there is a big security
>> problem with this idea, at least my colleagues from the network dept tell
>> me so.
>> If you want to use the router autoconfig thingy you must - as per current
>> standards - use a /64 on the router interface and this way you expose
>> yourself to a neighbour table attack - the neighbour table in avg Cisco
>> routers can hold tens of thousands of entries more or less, but it's still
>> far from the trillions of addresses in a /64. This may seem far-fetched but
>> since 512k day, my colleagues don't want to take any more chances. :-)
>
> That only works if you actually spawn thousands of instances in that
> subnet.
>
> One of the things people told me was that you could overflow the neighbour
> table by sending packets to bogus IPv6 addresses.
>
> I tried that some weeks ago on a Brocade and an Extreme Networks router, but
> they both have a system of "valid neighbours" and "pending neighbours".
>
> Only when a neighbour actually responds does it go into the "valid" table,
> and otherwise it is kicked out of the "pending" table pretty quickly.
>
> I could not overflow any table or make them drop traffic to legitimate
> hosts.
>
>> They recommend using DHCPv6 instead with far smaller subnets, which of
>> course complicates things quite a bit on the CloudStack side...
>
> Well, we would still need DHCPv6 to hand out additional options like DNS,
> but yes. Since with the subnet + MAC you can calculate which IPv6 address
> the Instance will use based on SLAAC.
>
> We can program that address into the security groups and that's the IPv6
> address the guest can use.
>
> Additional IPs is just a matter of generating an address, storing it and
> adding it to the SG.
>
> So Router Advertisements are a very easy option to use.
>
>> Any thoughts?
>>
>> Lucian
>>
>> --
>> Sent from the Delta quadrant using Borg technology!
>>
>> Nux!
>> www.nux.ro
>>
>> ----- Original Message -----
>>> From: "John Kinsella"
>>> To: dev@cloudstack.apache.org
>>> Sent: Wednesday, 20 August, 2014 11:59:27 PM
>>> Subject: Re: IPv6 ~ Basic Network
>>>
>>> Please do - we started tinkering with IPv6 ages ago, never got it to
>>> production, tho.
>>>
>>> On Aug 20, 2014, at 3:48 PM, Nux! wrote:
>>>
>>>> Thanks Wido for the idea, then. :-)
>>>> I'll gladly share it with you guys should I come up with something that
>>>> works.
>>>>
>>>> Lucian
>>>>
>>>> --
>>>> Sent from the Delta quadrant using Borg technology!
>>>>
>>>> Nux!
>>>> www.nux.ro
>>>>
>>>> ----- Original Message -----
>>>>> From: "Wido den Hollander"
>>>>> To: dev@cloudstack.apache.org
>>>>> Sent: Wednesday, 20 August, 2014 9:36:48 PM
>>>>> Subject: Re: IPv6 ~ Basic Network
>>>>>
>>>>> On 08/20/2014 10:07 PM, Nux! wrote:
>>>>>
>>>>>> Wido,
>>>>>>
>>>>>> Can you share your code for this?
>>>>>
>>>>> Oh, I don't have any code. The setups I created have plain IPv6 without
>>>>> any security grouping.
>>>>>
>>>>> My previous e-mail was just to illustrate what would be required.
>>>>>
>>>>> Wido
>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> --
>>>>>> Sent from the Delta quadrant using Borg technology!
>>>>>>
>>>>>> Nux!
>>>>>> www.nux.ro
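The SLAAC derivation Wido describes (subnet + MAC gives the address the instance will self-assign, which the orchestrator then programs into the security group), as an added example that is not part of this thread or of CloudStack's code. The prefix, MAC and extra addresses are constructed sample values; the /64 check reflects the requirement Nux mentions.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Insert 0xFFFE between the OUI and the NIC part, then invert the
    # universal/local bit (0x02 of the first octet).
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a guest with this MAC self-assigns from a Router Advertisement.

    SLAAC only works with a 64-bit prefix (the /64 the thread talks about), so
    anything else is rejected up front instead of yielding a wrong address."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError(f"SLAAC needs a /64 on the router interface, got /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def allowed_sources(prefix: str, mac: str, extra=()) -> set:
    """Addresses a security-group rule would accept from the guest: the SLAAC
    address plus any additional IPs the orchestrator generated and stored."""
    allowed = {slaac_address(prefix, mac)}
    allowed.update(ipaddress.IPv6Address(a) for a in extra)
    return allowed


def source_permitted(prefix: str, mac: str, src: str, extra=()) -> bool:
    """Anti-spoofing check of a guest's source address against its allowed set."""
    return ipaddress.IPv6Address(src) in allowed_sources(prefix, mac, extra)


if __name__ == "__main__":
    # Constructed sample values: a documentation prefix and a locally
    # administered MAC such as a hypervisor would assign to a VM NIC.
    PREFIX, MAC = "2001:db8:1:2::/64", "06:1a:2b:3c:4d:5e"
    print(slaac_address(PREFIX, MAC))                           # 2001:db8:1:2:41a:2bff:fe3c:4d5e
    print(source_permitted(PREFIX, MAC, "2001:db8:1:2::dead"))  # False
```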