cloudstack-dev mailing list archives

From Wido den Hollander <>
Subject Re: IPv6 ideas for Basic Networking
Date Sat, 23 May 2015 15:26:26 GMT
On 05/22/2015 11:05 PM, server24 Cloudstack wrote:
> Hi Wido,
> was nice talking to you about this.
> On 5/21/2015 8:59 PM, Wido den Hollander wrote:
>> (IPv6) routers should send out RAs (Router Advertisements) with
>> the managed-other-flag [0][1], telling Instances to ONLY use those
>> routers as their default gateways and NOT to use SLAAC to
>> autoconfigure their IP address.
> OK, so no autonomous flag

No, the "managed other flag" as described in RFC 4862. Meaning that
the routers should only be used as a default gateway and DHCPv6 should
be used for obtaining an address.

>> The (ip6tables) Security Groups should allow ICMPv6 by default.
>> IPv6 traffic breaks really hard without ICMPv6 traffic, for
>> example PMTU doesn't work properly and breaks IPv6 connections.
> yes, and default ip(6)tables should be in place to block
> VNC-related traffic except to the Virtual Console (as currently VNC
> ports on IPv6 are world-wide-open in BASIC network)!

Yes, but in that case you are talking about the Console Proxy which
should be firewalled properly.

>> In CloudStack we might configure a /48, but tell it to hand out 
>> addresses for each instance from a /64 out of that /48. That
>> means we can have 65k Instances in that pod. Some firewall
>> policies block a complete /64 when they see malicious traffic
>> coming from that subnet, so if the subnet is big enough we should
>> try to keep all the IPv6 addresses from one Instance in the same
>> /64 subnet. This could also simplify the iptable rules.
> so one /48 per pod? RIRs provide either /48 or /32 (the latter to
> the providers) IPv6 blocks. So this should then be configurable,
> both per instance and per pod. One /48 per pod still looks large to
> me.

A /48 should be a possibility. If you only have a /64 available that
should be no problem either.

> On the other hand any prefix more specific than /64 could break
> IPv6 features, so that there are at least some practical values to
> rely on.
>> Security grouping has to be extended to also support IPv6, but
>> should allow ICMPv6 by default.
> yes, ICMPv6 should be on by default (maybe it should be forced to
> be always on for IPv6?).
>> At the end of June 2015 we want to keep a one-day meetup in
>> Amsterdam with various developers to discuss some more details.
> great work and very good meeting, was a pleasure to be there.
> Thomas Moroder
> -- Incubatec GmbH - Srl Via Scurcia'str. 36, 39046 Ortisei(BZ),
> ITALY Registered with the chamber of commerce of Bolzano the 8th of
> November 2001 with REA-No. 168204 (s.c. of EUR 10.000 f.p.u.) 
> President: Thomas Moroder, VAT-No. IT 02283140214 Tel:
> +39.0471796829 - Fax: +39.0471797949
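As an added illustration of the addressing scheme discussed in this thread (a /48 or /64 per pod, one /64 per instance, all of an instance's addresses kept in the same /64), here is a small Python sketch. It is not CloudStack code and not from either author; the function names, the documentation prefix 2001:db8::/48 and the sample addresses are constructed for the example.

```python
import ipaddress

# Constructed example values; 2001:db8::/48 is the RFC 3849 documentation prefix.
POD_PREFIX_48 = "2001:db8::/48"
POD_PREFIX_64 = "2001:db8:ffff:1::/64"


def pod_capacity(pod_prefix: str) -> int:
    """Number of distinct /64 subnets (one per instance) a pod prefix can hold.

    A /48 yields 2**16 = 65536 /64s; a pod that only has a /64 yields exactly one,
    which every instance in that pod then shares.
    """
    pod = ipaddress.ip_network(pod_prefix, strict=True)
    if pod.version != 6:
        raise ValueError("pod prefix must be IPv6")
    if pod.prefixlen > 64:
        # Anything more specific than /64 breaks standard IPv6 features
        # (EUI-64 interface identifiers, SLAAC), as noted in the thread.
        raise ValueError(f"{pod} is more specific than /64")
    return 2 ** (64 - pod.prefixlen)


def instance_subnet(pod_prefix: str, index: int) -> ipaddress.IPv6Network:
    """Return the /64 from which instance number `index` gets all of its addresses."""
    capacity = pod_capacity(pod_prefix)
    if not 0 <= index < capacity:
        raise ValueError(f"index {index} out of range for {pod_prefix} ({capacity} x /64)")
    pod = ipaddress.ip_network(pod_prefix, strict=True)
    # Each /64 differs in the 16 bits (for a /48) directly above the 64-bit interface ID.
    network_int = int(pod.network_address) + (index << 64)
    return ipaddress.ip_network((network_int, 64), strict=True)


def all_in_same_subnet(addresses, subnet: ipaddress.IPv6Network) -> bool:
    """Check that every address assigned to an instance lies in its own /64.

    Some upstream firewall policies block a whole /64 when they see abuse from it,
    so addresses of different instances must never share a /64 when a /48 is available.
    """
    return all(ipaddress.ip_address(a) in subnet for a in addresses)


if __name__ == "__main__":
    print(pod_capacity(POD_PREFIX_48))                 # 65536 instances per /48 pod
    print(instance_subnet(POD_PREFIX_48, 1))           # 2001:db8:0:1::/64
    print(instance_subnet(POD_PREFIX_64, 0))           # the pod's single /64
    sub = instance_subnet(POD_PREFIX_48, 1)
    print(all_in_same_subnet(["2001:db8:0:1::10", "2001:db8:0:1::20"], sub))  # True
    print(all_in_same_subnet(["2001:db8:0:1::10", "2001:db8:0:2::10"], sub))  # False
```

The `strict=True` checks make a mis-aligned pod prefix (host bits set) fail early instead of silently carving subnets from the wrong base, and `pod_capacity` rejects prefixes longer than /64 so the "no more specific than /64" rule from the thread is enforced rather than documented.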