cloudstack-dev mailing list archives

From server24 Cloudstack <cloudst...@server24.eu>
Subject Re: IPv6 ideas for Basic Networking
Date Fri, 22 May 2015 21:05:53 GMT
Hi Wido,

was nice talking to you about this.

On 5/21/2015 8:59 PM, Wido den Hollander wrote:

> (IPv6) routers should send out RAs (Router Advertisements) with the
> managed-other-flag [0][1], telling Instances to ONLY use that routers
> as their default gateways and NOT to use SLAAC to autoconfigure their
> IP-Address.

OK, so no autonomous flag

> The (ip6tables) Security Groups should allow ICMPv6 by default. IPv6
> traffic breaks really hard without ICMPv6 traffic, for example PMTU
> doesn't work properly and breaks IPv6 connections.

yes, and default ip(6)tables should be in place to block VNC-related traffic 
except to the Virtual Console (as currently VNC ports on IPv6 are 
world-wide-open in BASIC network)!

> In CloudStack we might configure a /48, but tell it to hand out
> addresses for each instance from a /64 out of that /48. That means we
> can have 65k Instances in that pod. Some firewall policies block a
> complete /64 when they see malicious traffic coming from that subnet,
> so if the subnet is big enough we should try to keep all the IPv6
> addresses from one Instance in the same /64 subnet. This could also
> simplify the iptable rules.

so one /48 per pod? RIRs provide either /48 or /32 (the latter to the providers) 
IPv6 blocks. So this should then be configurable, both per instance and per pod. 
One /48 per pod still looks large to me..

On the other hand any prefix more specific than /64 could break IPv6 features, 
so that there are at least some practical values to rely on.

> Security grouping has to be extended to also support IPv6, but should
> allow ICMPv6 by default.

yes, ICMPv6 should be on by default (maybe it should be forced to be always on 
for IPv6?).

> At the end of June 2015 we want to keep a one-day meetup in Amsterdam
> with various developers to discuss some more details.

great work and very good meeting, was a pleasure to be there.

Thomas Moroder

--
Incubatec GmbH - Srl
Via Scurcia'str. 36, 39046 Ortisei(BZ), ITALY
Registered with the chamber of commerce of Bolzano the 8th of November 2001 with 
REA-No. 168204 (s.c. of EUR 10.000 f.p.u.)
President: Thomas Moroder, VAT-No. IT 02283140214
Tel: +39.0471796829 - Fax: +39.0471797949

IMPRINT:
http://www.incubatec.com/imprint.html
PRIVACY:
http://www.server24.it/informativa_completa.html
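
The points raised in this message (one /64 per Instance carved out of the pod's /48, ICMPv6 allowed by default, VNC ports closed to everything but the console) can be sketched as follows. This is an added example, not part of the original message and not CloudStack code; the documentation prefix, the console proxy address, the 5900:6100 port range, the chain name and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed values, not from the thread: documentation prefix, console
# proxy address, and the VNC port range to protect on the hypervisor.
POD_PREFIX = ipaddress.IPv6Network("2001:db8:100::/48")
CONSOLE_PROXY = ipaddress.IPv6Address("2001:db8:100::10")
VNC_PORTS = "5900:6100"

def instance_subnet(pod, index):
    """Return the index-th /64 of the pod prefix (one /64 per Instance)."""
    if pod.prefixlen > 64:
        raise ValueError("prefixes longer than /64 are not split further")
    count = 2 ** (64 - pod.prefixlen)        # a /48 holds 65536 /64s
    if not 0 <= index < count:
        raise ValueError(f"index {index} outside 0..{count - 1}")
    base = int(pod.network_address) + (index << 64)
    return ipaddress.IPv6Network((base, 64))

def hypervisor_rules(console_proxy, vnc_ports=VNC_PORTS):
    """Host INPUT rules: ICMPv6 open, VNC reachable only from the console proxy."""
    return [
        "-A INPUT -p ipv6-icmp -j ACCEPT",
        f"-A INPUT -s {console_proxy}/128 -p tcp --dport {vnc_ports} -j ACCEPT",
        f"-A INPUT -p tcp --dport {vnc_ports} -j DROP",
    ]

def instance_rules(chain, subnet, tcp_ports=()):
    """Ingress chain for one Instance: ICMPv6 first, then the group's ports,
    each rule matching the whole /64 instead of single addresses.
    Stateless on purpose; connection tracking is left out of this sketch."""
    rules = [f"-A {chain} -d {subnet} -p ipv6-icmp -j ACCEPT"]
    rules += [f"-A {chain} -d {subnet} -p tcp --dport {p} -j ACCEPT"
              for p in tcp_ports]
    rules.append(f"-A {chain} -d {subnet} -j DROP")
    return rules

def ruleset(chain, subnet, tcp_ports=()):
    """Assemble ip6tables-restore input for the filter table."""
    lines = ["*filter", f":{chain} - [0:0]"]
    lines += hypervisor_rules(CONSOLE_PROXY)
    lines += instance_rules(chain, subnet, tcp_ports)
    return "\n".join(lines + ["COMMIT"]) + "\n"

if __name__ == "__main__":
    # Chain name is a constructed placeholder.
    print(ruleset("i-2-17-VM", instance_subnet(POD_PREFIX, 17), tcp_ports=(22, 443)))
```

The ICMPv6 ACCEPT is emitted ahead of every DROP in both rule sets, so Path MTU discovery and neighbour discovery keep working regardless of what the security group allows.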

