cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Wido den Hollander <w...@widodh.nl>
Subject Re: IPv6 ideas for Basic Networking
Date Sat, 23 May 2015 15:26:26 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 05/22/2015 11:05 PM, server24 Cloudstack wrote:
> Hi Wido,
> 
> was nice talking to you about this.
> 
> On 5/21/2015 8:59 PM, Wido den Hollander wrote:
> 
>> (IPv6) routers should send out RAs (Router Advertisements) with
>> the managed-other-flag [0][1], telling Instances to ONLY use that
>> routers as their default gateways and NOT to use SLAAC to
>> autoconfigure their IP-Address.
> 
> OK, so no autonomous flag
> 

No, the "managed other flag" as described in RFC 4862. Meaning that
the Routers should only be used as a default gateway and DHCPv6 should
be used for obtaining a address.

>> The (ip6tables) Security Groups should allow ICMPv6 by default.
>> IPv6 traffic breaks really hard without ICMPv6 traffic, for
>> example PMTU doesn't work properly and breaks IPv6 connections.
> yes, and default ip(6)tables should be in place to block
> VNC-related traffic except to the Virtual Console (as currently VNC
> ports on IPv6 are world-wide-open in BASIC network)!
> 

Yes, but in that case you are talking about the Console Proxy which
should be firewalled properly.

>> In CloudStack we might configure a /48, but tell it to hand out 
>> addresses for each instance from a /64 out of that /48. That
>> means we can have 65k Instances in that pod. Some firewall
>> policies block a complete /64 when they see malicious traffic
>> coming from that subnet, so if the subnet is big enough we should
>> try to keep all the IPv6 addresses from one Instance in the same
>> /64 subnet. This could also simplify the iptable rules.
> so one /48 per pod? RIRs provide either /48 or /32 (the latter to
> the providers) IPv6 blocks. So this should then be configurable,
> both per instance and per pod. One /48 per pod still looks large to
> me..
> 

A /48 should be a possibility. If you only have a /64 available that
should be no problem either.

> On the other hand any prefix more specific than /64 could break
> IPv6 features, so that there are at least some practical values to
> rely on.
>> Security grouping has to be extended to also support IPv6, but
>> should allow ICMPv6 by default.
> yes, ICMPv6 should be on by default (maybe it should be forced to
> be always on for IPv6?).
> 
>> At the end of June 2015 we want to keep a one-day meetup in
>> Amsterdam with various developers to discuss some more details.
> 
> great work and very good meeting, was a pleasure to be there.
> 
> Thomas Moroder
> 
> -- Incubatec GmbH - Srl Via Scurcia'str. 36, 39046 Ortisei(BZ),
> ITALY Registered with the chamber of commerce of Bolzano the 8th of
> November 2001 with REA-No. 168204 (s.c. of EUR 10.000 f.p.u.) 
> President: Thomas Moroder, VAT-No. IT 02283140214 Tel:
> +39.0471796829 - Fax: +39.0471797949
> 
> IMPRINT: http://www.incubatec.com/imprint.html PRIVACY: 
> http://www.server24.it/informativa_completa.html
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVYJwhAAoJEAGbWC3bPspCWXEQAISPV1PdGWa6KOck9IsTVXBt
jUTpyFyg+qnmlG+QQ3LWOFjXRVUvQroryBbxkBnEbNm5d5qOsKptwwOaXMOut4A2
Nv4WCcFlAjnj78c9C/mpJvqu+Bh/WLKy4mBaMEqLiSAzqoz+CPlaiubJ/TDXR+jp
XSY3XNk/jhdI02QTPNHvYc1ZbWNjuZrb+YVqEzFLra25I0bfXuq2tcBVDEMr1zmA
qQVfCabkAx/a8wW2wGnz2GSg1UFDJUHOb7c6bae9nE5wo1MYpXyjpO53IBpRQuPt
+VMzkjyf75yS1LFel9zS/BzV97mgEBxux9Nb3M9f/ZJW0QvS9onZdIhYgCeDyxJe
M/XTD6M0O+ha4mFaYTeSudWoQnv/ZZ1P5RuPTQyQRD4P7nSkorz6QOR/SVb+OhXG
7tqd0GaUS/OFTC69wBTN/t9m98mYRZ5s4XtuocE5DadHqIv5JslrKLzC2YJEWonm
RqL2Gow0/h+k99esJatmCZq+6jXwsy9pIVsLspfDt+GKBOVw8sHNTDUPTvdVzffv
Qa+gVl5gg9RvSonJ8xS7sHI/p/gDFJrN1lWzxl9YWyurjDKFz2zI0OWfOKGZdhrE
Ywgzb+2ExzGSgLSE6AL8awLbl1N57TOlQI4SlfN7Ph4kaS2T9eCleAXP3BxPSXqK
Hji1OI5/luKcQVyYqwaT
=acrP
-----END PGP SIGNATURE-----

Mime
View raw message