cloudstack-dev mailing list archives

From Wido den Hollander <w...@widodh.nl>
Subject Re: IPv6 in Basic Networking progress
Date Sat, 22 Oct 2016 06:41:05 GMT

> On 19 October 2016 at 17:06, Wido den Hollander <wido@widodh.nl> wrote:
> 
> 
> 
> > On 4 October 2016 at 12:38, Wido den Hollander <wido@widodh.nl> wrote:
> > 
> > 
> > I've submitted the code as a PR for the master branch: https://github.com/apache/cloudstack/pull/1700
> > 
> 
> While this PR is still open (reviews are welcome!) I'm working on the Security Grouping and making progress there.
> 
> The code can be found here: https://github.com/wido/cloudstack/commits/ipv6-basic-networking-secgroup
> 
> I'm currently focusing on Anti Spoofing and basic network security, not so much opening individual UDP or TCP ports for Instances. It currently simply allows all UDP and TCP traffic.

The opening of ports both ingress and egress now also seems to work and the code can be found
here: https://github.com/wido/cloudstack/commits/ipv6-basic-networking-secgroup-ports

This now allows for full security grouping of IPv6 in Basic Networking; in my tests it works
well!

One outstanding thing is the UI and its JavaScript validator, but I'm lacking the JS skills
to fix that.

I will wait for PR #1700 to be merged before sending in one PR for the security grouping which
will hopefully be within 2 weeks.

Would be awesome if 4.10 or 4.11 would have IPv6 support for Basic Networking!

Next in line is having the SSVMs be IPv6 capable.

Wido

> 
> Wido
> 
> > > On 3 October 2016 at 20:43, Wido den Hollander <wido@widodh.nl> wrote:
> > > 
> > > 
> > > Hi,
> > > 
> > > One of the things I'm really missing in CloudStack currently is IPv6 support in Basic Networking. Why? Our cloud at PCextreme runs on CloudStack with Basic Networking and we currently do have IPv6 support, but without the knowledge of CloudStack.
> > > 
> > > My goals are currently simple:
> > > - The API should return the IPv6 address of the Instance
> > > - Security Grouping should prevent IPv6 address spoofing
> > > 
> > > This is all on the Wiki: https://cwiki.apache.org/confluence/display/CLOUDSTACK/IPv6+in+Basic+Networking
> > > 
> > > I didn't get to it due to a lack of time, but I gave it a try again this weekend and today. With result!: https://github.com/wido/cloudstack/commits/ipv6-basic-networking
> > > 
> > > The 'nics' table already has the ip6_address column and the API will return this value when it is set. So what I did is modify the DirectPodBasedNetworkGuru so that it calculates the EUI-64 IPv6 address an Instance will obtain using SLAAC.
> > > 
> > > In the network you have to make sure the routers (not the VR, physical ones!) are sending out Router Advertisements with the same subnet as you configured in CloudStack.
> > > 
> > > The code is actually very simple and it 'works': https://widodh.o.auroraobjects.eu/cloudstack/ipv6-basic-networking-instance.png
> > > 
> > > The CloudStack code is very, very IPv4 orientated and has many flaws. It passes IP-Addresses as Strings and such while native types like InetAddress might be better, but that would be a major refactor which will consume a lot of time. And honestly, I don't have the time.
> > > 
> > > As stated above our goals are currently simple. The API should return an IPv6 Address so that after deployment anything consuming the API can instantly connect to the Instance over IPv6.
> > > 
> > > Wido
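
An added example, not part of the original message or the CloudStack code: the modified EUI-64 (RFC 4291) calculation the quoted message refers to, and the source-address check that anti-spoofing can build on it. The function names, the 2001:db8:100::/64 prefix and the MAC address are constructed for illustration, and the guest is assumed to use EUI-64 SLAAC rather than privacy addresses.

```python
import ipaddress


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a NIC with this MAC forms via SLAAC (modified EUI-64) in a /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Interface identifier: flip the universal/local bit of the first octet
    # and insert ff:fe between the OUI and the NIC-specific half.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Link-local address derived from the same interface identifier."""
    return eui64_address("fe80::/64", mac)


def source_allowed(src: str, prefix: str, mac: str) -> bool:
    """Anti-spoofing decision: accept only the addresses derived from the MAC.

    Assumption: the guest uses EUI-64 SLAAC. Duplicate Address Detection
    probes are sent from '::' and need their own narrowly scoped rule.
    """
    addr = ipaddress.IPv6Address(src)
    return addr in (eui64_address(prefix, mac), link_local_address(mac))


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and a KVM-style MAC.
    prefix, mac = "2001:db8:100::/64", "52:54:00:12:34:56"
    print("expected SLAAC address:", eui64_address(prefix, mac))
    print("expected link-local   :", link_local_address(mac))
    for src in ("2001:db8:100::5054:ff:fe12:3456",   # the instance's own address
                "fe80::5054:ff:fe12:3456",           # its link-local address
                "2001:db8:100::5054:ff:fe99:1"):     # a neighbour's address
        print(f"{src:36} allowed={source_allowed(src, prefix, mac)}")
```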
