Date: Thu, 10 Mar 2016 22:31:08 +0100 (CET)
From: Wido den Hollander
To: dev@cloudstack.apache.org, John Burwell
Subject: Re: Results of a IPv6 brainstorm day

> On 10 March 2016 at 21:15, John Burwell wrote:
>
> Wido,
>
> Curious if you have been able to make any progress on this work. Have you been
> able to move it forward? If not, what kind of help would you need?
>

Yes. Not so much in code inside CloudStack, but mainly in figuring out DHCPv6
stuff and searching for the right components.

The DHCPv6 part is something that I would like to see handled by Kea. Blogged
about my tests with Kea: http://blog.widodh.nl/2016/02/isc-kea-dhcpv6-server/

The security grouping part could be done by libvirt:

* https://issues.apache.org/jira/browse/CLOUDSTACK-1164
* http://mail-archives.apache.org/mod_mbox/cloudstack-dev/201601.mbox/%3C568CE637.4000507%40widodh.nl%3E

This supports both IPv4 and IPv6.

So this combined brings us to:
- Kea for DHCPv6
- Libvirt for KVM Security Grouping

I haven't gotten to writing any actual code since this mainly means that a MAJOR
overhaul is needed of the internals of CloudStack. All the code now assumes IPv4
addresses in there...

Wido

> Thanks,
> -John
>
> John Burwell
> ShapeBlue
>
> On Dec 22, 2015, at 5:17 AM, Wido den Hollander wrote:
> >
> > On 12/22/2015 04:35 AM, Ian Rae wrote:
> >> Great to hear, next time I am happy to commit an engineer from CloudOps to
> >> participate. We have done quite a bit of work around VPC and also need to
> >> solve for IPv6 soon.
> >>
> >> Thanks for sharing, great initiative/goal and I will make sure the CloudOps
> >> team reviews and supports this.
> >>
> >
> > Great! The first challenge will be to get the core of ACS aware of IPv6.
> > Pass IP addresses as InetAddress instead of a String, etc, etc.
> >
> > I don't know if a very big team can work on this without very short
> > communication between the different people.
> >
> > But again, any help is appreciated! We need this to go in.
> >
> > Wido
> >
> >> On Friday, December 18, 2015, Wido den Hollander wrote:
> >>
> >>> Hi,
> >>>
> >>> Yesterday we from PCextreme, Leaseweb and Schuberg Philis sat down for
> >>> an IPv6 brainstorm session.
> >>>
> >>> We asked a good IPv6 consultant (Sander Steffann) to join us to help us
> >>> identify some glitches in our ideas.
> >>>
> >>> We had two ideas:
> >>> - https://cwiki.apache.org/confluence/display/CLOUDSTACK/IPv6+in+Basic+Networking
> >>> - https://cwiki.apache.org/confluence/display/CLOUDSTACK/IPv6+in+VPC+Router
> >>>
> >>> Overall, our ideas looked good, our main concern was security grouping.
> >>> How to prevent clients from spoofing and such.
> >>>
> >>> I updated the spec for the Basic Networking with those ideas.
> >>>
> >>> A few things worth noting:
> >>> - Link-Local traffic should be allowed for specific ICMPv6-only. No UDP
> >>>   or TCP!
> >>> - A DUID can not be trusted. We need a tagger on the HV which adds the
> >>>   MAC address as DHCPv6 option 37.
> >>> - SLAAC can not be used. DHCPv6+IA only
> >>> - We can assign multiple IPs and Prefixes via DHCPv6
> >>> - ISC Kea seems very nice as a DHCPv6 server: http://kea.isc.org/wiki
> >>>
> >>> A few RFCs which might be worth reading:
> >>> - https://www.ietf.org/rfc/rfc4890.txt
> >>> - https://tools.ietf.org/html/rfc6939
> >>> - https://tools.ietf.org/html/rfc4861
> >>>
> >>> We will start to work on this, but the CloudStack core is still very,
> >>> very, very IPv4 minded and this will need a lot of refactoring.
> >>>
> >>> However, once you understand IPv6 better it is much more simple than
> >>> IPv4 imho.
> >>>
> >>> The end goal is that CloudStack can run on IPv6-only without ANY IPv4.
> >>>
> >>> What also resulted from this day:
> >>> - Basic Networking can probably be merged with Advanced Networking with
> >>>   Direct Attached
> >>> - Isolated Networks are about the same as a VPC
> >>> - We might be able to ditch the SSVM in most situations
> >>>
> >>> Anyway, enough work to do!
> >>>
> >>> Wido
> >>>
> >>
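
The "A DUID can not be trusted ... DHCPv6 option 37" note in the quoted brainstorm summary, as an added example that is not part of the original thread or of CloudStack or Kea: a server-side check that keys the lease on the MAC from option 37 and treats the guest-supplied DUID as a claim only. It assumes the hypervisor tagger wraps the guest's message in a Relay-forward and encodes option 37 as a 4-byte enterprise number followed by the raw 6-byte MAC; the function names, the MAC addresses and enterprise number 0 are constructed placeholders.

```python
import struct

RELAY_FORW, OPT_CLIENTID, OPT_RELAY_MSG, OPT_REMOTE_ID = 12, 1, 9, 37

def opt(code, data):
    return struct.pack("!HH", code, len(data)) + data

def options(buf):
    """Parse DHCPv6 options into {code: data}, rejecting truncated options."""
    found, pos = {}, 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if pos + length > len(buf):
            raise ValueError("option length exceeds packet")
        found[code] = buf[pos:pos + length]
        pos += length
    return found

def fmt(mac):
    return ":".join(f"{b:02x}" for b in mac)

def lease_identity(packet):
    """Return (hypervisor_mac, duid_mac) for a Relay-forward message.

    hypervisor_mac is read from option 37, which the tagger adds outside the
    guest's control; duid_mac is only what the guest claims (DUID-LLT/DUID-LL).
    """
    if len(packet) < 34 or packet[0] != RELAY_FORW:
        raise ValueError("not a Relay-forward message")
    outer = options(packet[34:])  # skip msg-type, hop-count, link and peer address
    remote_id = outer.get(OPT_REMOTE_ID, b"")
    if len(remote_id) != 10:      # 4-byte enterprise number + 6-byte MAC (assumed layout)
        raise ValueError("no usable option 37, do not lease on the DUID alone")
    inner = options(outer.get(OPT_RELAY_MSG, b"")[4:])  # skip msg-type + transaction-id
    duid = inner.get(OPT_CLIENTID, b"")
    duid_type = struct.unpack_from("!H", duid)[0] if len(duid) >= 2 else 0
    offset = {1: 8, 3: 4}.get(duid_type)  # DUID-LLT / DUID-LL header lengths
    duid_mac = fmt(duid[offset:]) if offset is not None and len(duid) == offset + 6 else None
    return fmt(remote_id[4:]), duid_mac

# Constructed sample: the guest's DUID-LL claims a MAC that is not its own.
HV_MAC, CLAIMED = bytes.fromhex("0200c0a80a05"), bytes.fromhex("0200c0a80a63")
SOLICIT = b"\x01\xab\xcd\xef" + opt(OPT_CLIENTID, struct.pack("!HH", 3, 1) + CLAIMED)
UNTAGGED = bytes([RELAY_FORW, 0]) + bytes(32) + opt(OPT_RELAY_MSG, SOLICIT)
TAGGED = UNTAGGED + opt(OPT_REMOTE_ID, struct.pack("!I", 0) + HV_MAC)  # enterprise 0 = placeholder
```

A mismatch between the two returned values is worth logging per hypervisor port, since it shows a guest presenting an identity that differs from the interface it is attached to.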