cloudstack-dev mailing list archives

From Suresh Ramamurthy <sureshr.has...@gmail.com>
Subject Re: IPv6 ideas for Basic Networking
Date Fri, 29 May 2015 19:59:53 GMT
Hi Wido,

After reading your IPv6 ideas for Basic Networking, I realized that a couple
of them can be reused for Advanced Networking too.

We have come up with a proposal for IPv6 support in VPC and it is posted on
the wiki

https://cwiki.apache.org/confluence/display/CLOUDSTACK/IPv6+in+VPC+Router

Did you get a chance to look at it? Let me know your feedback on the DD.

I work from the Bay Area, so I will not be able to attend the meetup in
Amsterdam. But I would like to have a call/chat with you to discuss
further details about IPv6 support.

I would like to schedule a conference call with you. Would you be available
for the call?

Thanks,
Suresh



On Sat, May 23, 2015 at 11:18 PM, Remi Bergsma <RBergsma@schubergphilis.com>
wrote:

> At Schuberg Philis we’ve been working on a design for IPv6 in VPC
> networks (so this is Advanced Networking) and I indeed had a look at your
> functional spec. I’ll finalise what we’ve come up with and publish it early
> next week so we can align and discuss and work from there. Nice to see
> there is a design for Basic Networking as well!
>
> Regards,
> Remi
>
> > On 24 May 2015, at 02:47, Marcus <shadowsor@gmail.com> wrote:
> >
> > Did you guys review the functional spec that has been floating around on
> > cwiki?
> > On May 23, 2015 8:27 AM, "Wido den Hollander" <wido@widodh.nl> wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >>
> >>
> >> On 05/22/2015 11:05 PM, server24 Cloudstack wrote:
> >>> Hi Wido,
> >>>
> >>> was nice talking to you about this.
> >>>
> >>> On 5/21/2015 8:59 PM, Wido den Hollander wrote:
> >>>
> >>>> (IPv6) routers should send out RAs (Router Advertisements) with
> >>>> the managed-other-flag [0][1], telling Instances to ONLY use those
> >>>> routers as their default gateways and NOT to use SLAAC to
> >>>> autoconfigure their IP-Address.
> >>>
> >>> OK, so no autonomous flag
> >>>
> >>
> >> No, the "managed other flag" as described in RFC 4862. Meaning that
> >> the Routers should only be used as a default gateway and DHCPv6 should
> >> be used for obtaining an address.
> >>
> >>>> The (ip6tables) Security Groups should allow ICMPv6 by default.
> >>>> IPv6 traffic breaks really hard without ICMPv6 traffic, for
> >>>> example PMTU doesn't work properly and breaks IPv6 connections.
> >>> yes, and default ip(6)tables should be in place to block
> >>> VNC-related traffic except to the Virtual Console (as currently VNC
> >>> ports on IPv6 are world-wide-open in BASIC network)!
> >>>
> >>
> >> Yes, but in that case you are talking about the Console Proxy which
> >> should be firewalled properly.
> >>
> >>>> In CloudStack we might configure a /48, but tell it to hand out
> >>>> addresses for each instance from a /64 out of that /48. That
> >>>> means we can have 65k Instances in that pod. Some firewall
> >>>> policies block a complete /64 when they see malicious traffic
> >>>> coming from that subnet, so if the subnet is big enough we should
> >>>> try to keep all the IPv6 addresses from one Instance in the same
> >>>> /64 subnet. This could also simplify the iptable rules.
> >>> so one /48 per pod? RIRs provide either /48 or /32 (the latter to
> >>> the providers) IPv6 blocks. So this should then be configurable,
> >>> both per instance and per pod. One /48 per pod still looks large to
> >>> me..
> >>>
> >>
> >> A /48 should be a possibility. If you only have a /64 available that
> >> should be no problem either.
> >>
> >>> On the other hand any prefix more specific than /64 could break
> >>> IPv6 features, so that there are at least some practical values to
> >>> rely on.
> >>>> Security grouping has to be extended to also support IPv6, but
> >>>> should allow ICMPv6 by default.
> >>> yes, ICMPv6 should be on by default (maybe it should be forced to
> >>> be always on for IPv6?).
> >>>
> >>>> At the end of June 2015 we want to keep a one-day meetup in
> >>>> Amsterdam with various developers to discuss some more details.
> >>>
> >>> great work and very good meeting, was a pleasure to be there.
> >>>
> >>> Thomas Moroder
> >>>
> >>> -- Incubatec GmbH - Srl Via Scurcia'str. 36, 39046 Ortisei(BZ),
> >>> ITALY Registered with the chamber of commerce of Bolzano the 8th of
> >>> November 2001 with REA-No. 168204 (s.c. of EUR 10.000 f.p.u.)
> >>> President: Thomas Moroder, VAT-No. IT 02283140214 Tel:
> >>> +39.0471796829 - Fax: +39.0471797949
> >>>
> >>> IMPRINT: http://www.incubatec.com/imprint.html PRIVACY:
> >>> http://www.server24.it/informativa_completa.html
> >>>
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1
> >>
> >> -----END PGP SIGNATURE-----
> >>
>
>
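
The addressing idea discussed in the quoted thread (a /48 per pod, one /64 per instance, ICMPv6 allowed by default), as an added example that is not part of the original messages or of CloudStack's code. The documentation prefix, chain name, interface name and the single source-match rule layout are assumptions made for illustration.

```python
import ipaddress

def pod_capacity(pod_prefix):
    """Number of /64 subnets (one per instance) inside the pod prefix."""
    pod = ipaddress.IPv6Network(pod_prefix)
    if pod.prefixlen > 64:
        # Prefixes more specific than /64 are rejected, as the thread warns.
        raise ValueError("pod prefix must be /64 or shorter: %s" % pod)
    return 1 << (64 - pod.prefixlen)

def instance_subnet(pod_prefix, index):
    """The /64 reserved for instance number `index` in the pod."""
    count = pod_capacity(pod_prefix)
    if not 0 <= index < count:
        raise ValueError("index %d outside pod capacity %d" % (index, count))
    pod = ipaddress.IPv6Network(pod_prefix)
    base = int(pod.network_address) + (index << 64)
    return ipaddress.IPv6Network((base, 64))

def instance_rules(chain, vif, subnet):
    """ip6tables commands for one instance: ICMPv6 first, then one source match."""
    return [
        # ICMPv6 (neighbour discovery, Packet Too Big for PMTU) is always allowed.
        "ip6tables -A %s -p ipv6-icmp -j ACCEPT" % chain,
        # DHCPv6 client requests come from a link-local source address.
        "ip6tables -A %s -m physdev --physdev-in %s -s fe80::/10 "
        "-p udp --sport 546 --dport 547 -j ACCEPT" % (chain, vif),
        # Everything else from the instance must be sourced from its own /64.
        "ip6tables -A %s -m physdev --physdev-in %s ! -s %s -j DROP"
        % (chain, vif, subnet),
    ]

if __name__ == "__main__":
    POD = "2001:db8:100::/48"  # constructed documentation prefix
    net = instance_subnet(POD, 42)
    print(pod_capacity(POD), net)
    for rule in instance_rules("sg-i-42", "vnet42", net):  # hypothetical names
        print(rule)
```

With a /64 pod the capacity is 1, so every instance shares that single subnet and the source match no longer separates instances from each other.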
