cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nux! <...@li.nux.ro>
Subject Re: IPv6 ideas for Basic Networking
Date Sat, 30 May 2015 23:38:23 GMT
Good work guys, sorry could not attend.

Can I stress people about also making this work in ADV zone + SG?

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Wido den Hollander" <wido@widodh.nl>
> To: dev@cloudstack.apache.org
> Sent: Thursday, 21 May, 2015 19:59:34
> Subject: IPv6 ideas for Basic Networking

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> After the EU User Group meetup in London today I sat down with Rohit,
> John Burwell and some other people and I wanted to ventilate the ideas
> we/I came up with for IPv6 in BASIC networking.
> 
> 
> (IPv6) routers should send out RAs (Router Advertisements) with the
> managed-other-flag [0][1], telling Instances to ONLY use that routers
> as their default gateways and NOT to use SLAAC to autoconfigure their
> IP-Address.
> 
> The management server should be told that a specific subnet can be
> used within a pod, eg a /64.
> 
> When a new IPv6 Address is requested the management server generates a
> random new address in that subnet and checks if no duplicate exists.
> If not, it stores the /128 (single IP) in the MySQL database and
> configures the DHCPv6 server on the Virtual Router (VR).
> 
> When the Instance boots it knowns that due to the "managed other flag"
> in the RA that it should query DHCPv6 for acquiring a IPv6 address.
> 
> The VR responds to the DHCPv6 request with a IPv6 address, DNS
> servers, domain and maybe a NTP server.
> 
> We ONLY store addresses we handed out, not with IPv4 where we store
> every address. A address NOT stored in the database means it's not
> handed out.
> 
> The (ip6tables) Security Groups should allow ICMPv6 by default. IPv6
> traffic breaks really hard without ICMPv6 traffic, for example PMTU
> doesn't work properly and breaks IPv6 connections.
> 
> In CloudStack we might configure a /48, but tell it to hand out
> addresses for each instance from a /64 out of that /48. That means we
> can have 65k Instances in that pod. Some firewall policies block a
> complete /64 when they see malicious traffic coming from that subnet,
> so if the subnet is big enough we should try to keep all the IPv6
> addresses from one Instance in the same /64 subnet. This could also
> simplify the iptable rules.
> 
> To use this seems like a simple, but robust solution. The real
> hardware routers do all the traffic forwarding and the VR only does
> DHCPv6.
> 
> Security grouping has to be extended to also support IPv6, but should
> allow ICMPv6 by default.
> 
> At the end of June 2015 we want to keep a one-day meetup in Amsterdam
> with various developers to discuss some more details.
> 
> Wido
> 
> [0]: https://www.ietf.org/rfc/rfc5075.txt
> [1]: https://www.ietf.org/rfc/rfc4861.txt
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> 
> iQIcBAEBAgAGBQJVXisUAAoJEAGbWC3bPspCvTcQAJ09PKqwhhjGqF1TmpyfLKGE
> Aup7qDQsHlGn4tnl09OIOoJo4RC2WMGV4d93jO3q1IM6moMNWMNrtOWqLrIhwnXg
> zYvYvvJZQN8eYCL1eyz2sTb/pOo0LpIFB8E9QV2Tp6m0oL8jvpXXo4dobZBXAGAu
> oCsqpdo3zFAG23DLAxRjEB+UoxtvwYbgyEDN97JRM3Da0PMPeTiwdtdOmb91w1sF
> ZfvUQcf71Zdg2LHTV1LYiLynhrOpKtqrZ0MOI+RMxB4tdgdmA5dw5Ifp0pcrbCCR
> VUeX4GPj+vOtlJWo677/j2napPuQA+Jev367PU3+vzO5nboWxEMtXMZZFQJ2wSbj
> jpBldZm0AThEKkmCWjmi0UGJXH0sEIVyytvdo6p/W64L0a4wTF70A6FUtT5QT+mg
> KHlBl40QVL57JKCEVYjdUtqVMPKbj3JwLu6N9vX4gxmNcv1CASOfn1/0F5pmN2mL
> mMM+mF6FAl1VwNVCxyssnCOK1OkjrIbsLWNExrTFPPfrit4eSgRLTBpZML/EZQws
> AnsUH7bLzvsBGJZUZP8tTksSw9N6gq3Zxr8/xGXEdcvL8NpUjPf6yVUjG3baKvnU
> OE0JlpP2MiELP4M7RZoYDCnrXM8DAGy7ogu8n350o85+QfL3/b34NRcwPvIxKXqd
> tX0aruUHc2IIy/5Mp2Dj
> =RsNl
> -----END PGP SIGNATURE-----

Mime
View raw message