cloudstack-dev mailing list archives

From ilya <ilya.mailing.li...@gmail.com>
Subject Re: Results of a IPv6 brainstorm day
Date Mon, 21 Dec 2015 19:35:42 GMT
Wido

Thanks for the detailed update!


On 12/18/15 5:40 AM, Wido den Hollander wrote:
> Hi,
> 
> Yesterday we from PCextreme, Leaseweb and Schuberg Philis sat down for
> an IPv6 brainstorm session.
> 
> We asked a good IPv6 consultant (Sander Steffann) to join us to help us
> identify some glitches in our ideas.
> 
> We had two ideas:
> - https://cwiki.apache.org/confluence/display/CLOUDSTACK/IPv6+in+Basic+Networking
> - https://cwiki.apache.org/confluence/display/CLOUDSTACK/IPv6+in+VPC+Router
> 
> Overall, our ideas looked good, our main concern was security grouping.
> How to prevent clients from spoofing and such.
> 
> I updated the spec for the Basic Networking with those ideas.
> 
> A few things worth noting:
> - Link-Local traffic should be allowed for specific ICMPv6-only. No UDP
> or TCP!
> - A DUID cannot be trusted. We need a tagger on the HV which adds the
> MAC address as DHCPv6 option 37.
> - SLAAC cannot be used. DHCPv6+IA only
> - We can assign multiple IPs and Prefixes via DHCPv6
> - ISC Kea seems very nice as a DHCPv6 server: http://kea.isc.org/wiki
> 
> A few RFCs which might be worth reading:
> - https://www.ietf.org/rfc/rfc4890.txt
> - https://tools.ietf.org/html/rfc6939
> - https://tools.ietf.org/html/rfc4861
> 
> We will start to work on this, but the CloudStack core is still very,
> very, very IPv4 minded and this will need a lot of refactoring.
> 
> However, once you understand IPv6 better it is much more simple than
> IPv4 imho.
> 
> The end goal is that CloudStack can run on IPv6-only without ANY IPv4.
> 
> What also resulted from this day:
> - Basic Networking can probably be merged with Advanced Networking with
> Direct Attached
> - Isolated Networks are about the same as a VPC
> - We might be able to ditch the SSVM in most situations
> 
> Anyway, enough work to do!
> 
> Wido
> 
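
An added example, not part of the original thread or of CloudStack's code: a parser for a DHCPv6 Relay-Forward message that shows why the server would key on the hypervisor-inserted option 37 instead of the guest-supplied DUID, as the notes above propose. It assumes the tagger puts the raw 6-byte MAC after the 4-byte enterprise number in option 37; the function names, the enterprise number 0 and the sample packet are constructed for illustration.

```python
import struct

OPT_CLIENTID, OPT_RELAY_MSG, OPT_REMOTE_ID = 1, 9, 37
RELAY_FORW = 12  # DHCPv6 message type sent by a relay agent

def opt(code, data):
    return struct.pack("!HH", code, len(data)) + data

def options(buf):
    """Yield (code, data) per DHCPv6 TLV option; reject truncated input."""
    i = 0
    while i < len(buf):
        if i + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, i)
        i += 4
        if i + length > len(buf):
            raise ValueError("truncated option body")
        yield code, buf[i:i + length]
        i += length

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def duid_mac(duid):
    """MAC claimed in a DUID-LLT (type 1) or DUID-LL (type 3), else None."""
    skip = {1: 8, 3: 4}.get(int.from_bytes(duid[:2], "big"))
    if skip is None or len(duid) != skip + 6:
        return None
    return mac(duid[skip:])

def identify(relay_forw):
    """Return (mac_from_option_37, mac_claimed_in_duid) for a Relay-Forward."""
    if len(relay_forw) < 34 or relay_forw[0] != RELAY_FORW:
        raise ValueError("not a Relay-Forward message")
    opts = dict(options(relay_forw[34:]))  # after type, hops, two addresses
    remote = opts.get(OPT_REMOTE_ID)
    if remote is None or len(remote) != 4 + 6:  # enterprise number + MAC
        raise ValueError("missing or malformed option 37")
    client = dict(options(opts.get(OPT_RELAY_MSG, b"")[4:]))  # skip type + xid
    return mac(remote[4:]), duid_mac(client.get(OPT_CLIENTID, b""))

def sample():
    """Constructed Relay-Forward: guest DUID claims one MAC, tagger saw another."""
    duid = struct.pack("!HHI", 1, 1, 0) + bytes.fromhex("02deadbeef01")
    solicit = b"\x01\x00\x00\x01" + opt(OPT_CLIENTID, duid)
    remote_id = struct.pack("!I", 0) + bytes.fromhex("0200c0ffee01")  # 0 = placeholder
    return (bytes([RELAY_FORW, 0]) + bytes(32)
            + opt(OPT_REMOTE_ID, remote_id) + opt(OPT_RELAY_MSG, solicit))
```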
