cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-676) Firewall / ACL support for ipv6
Date Fri, 27 Jan 2017 00:14:25 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15840734#comment-15840734
] 

ASF subversion and git services commented on CLOUDSTACK-676:
------------------------------------------------------------

Commit f10c8bfe0c99a762c2606459413a47219614e775 in cloudstack's branch refs/heads/master from
[~rajanik]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=f10c8bf ]

Merge pull request #1700 from wido/ipv6-basic-networking

CLOUDSTACK-9359: IPv6 for Basic NetworkingThis PR is a proposal for adding very basic IPv6
to Basic Networking. The main goal of this PR is that the API returns a valid IPv6 address
over which the Instance is reachable.

The GUI will show the IPv6 address after deployment of the Instance.

![screenshot from 2016-10-03 16 34 56](https://cloud.githubusercontent.com/assets/326786/19070024/b06d2de6-8a29-11e6-8fe7-4902e2801ada.png)

If the table VLAN has a proper IPv6 CIDR configured the DirectPodBasedNetworkGuru will calculate
the IPv6 Address the Instance will obtain using EUI-64 and SLAAC: https://tools.ietf.org/search/rfc4862

In this case the _vlan_ table contained:

<pre>mysql> select * from vlan \G
*************************** 1. row ***************************
                 id: 1
               uuid: 90e0716c-5261-4992-bb9d-0afd3006f476
            vlan_id: vlan://untagged
       vlan_gateway: 172.16.0.1
       vlan_netmask: 255.255.255.0
        description: 172.16.0.10-172.16.0.250
          vlan_type: DirectAttached
     data_center_id: 1
         network_id: 204
physical_network_id: 200
        ip6_gateway: 2001:980:7936:112::1
           ip6_cidr: 2001:980:7936:112::/64
          ip6_range: NULL
            removed: NULL
            created: 2016-07-19 20:39:41
1 row in set (0.00 sec)

mysql></pre>

It will then log:

<pre>2016-10-04 11:42:44,998 DEBUG [c.c.n.g.DirectPodBasedNetworkGuru] (Work-Job-Executor-1:ctx-1975ec54
job-186/job-187 ctx-0d967d88) (logid:275c4961) Found IPv6 CIDR 2001:980:7936:112::/64 for
VLAN 1
2016-10-04 11:42:45,009 INFO  [c.c.n.g.DirectPodBasedNetworkGuru] (Work-Job-Executor-1:ctx-1975ec54
job-186/job-187 ctx-0d967d88) (logid:275c4961) Calculated IPv6 address 2001:980:7936:112:4ba:80ff:fe00:e9
using EUI-64 for NIC 6a05deab-b5d9-4116-80da-c94b48333e5e</pre>

The template has to be configured accordingly:
- No IPv6 Privacy Extensions
- Use SLAAC
- Follow RFC4862

This is also described in: https://cwiki.apache.org/confluence/display/CLOUDSTACK/IPv6+in+Basic+Networking

The next steps after this will be:
- Security Grouping to prevent IPv6 Address Spoofing
- Security Grouping to filter ICMP, UDP and TCP traffic

* pr/1700:
  CLOUDSTACK-676: IPv6 In -and Egress filtering for Basic Networking
  CLOUDSTACK-676: IPv6 Basic Security Grouping for KVM
  CLOUDSTACK-9359: IPv6 for Basic Networking with KVM

Signed-off-by: Rajani Karuturi <rajani.karuturi@accelerite.com>


> Firewall / ACL support for ipv6
> -------------------------------
>
>                 Key: CLOUDSTACK-676
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-676
>             Project: CloudStack
>          Issue Type: Sub-task
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Chiradeep Vittal
>            Assignee: Wido den Hollander
>             Fix For: Future
>
>
> An ability to specify a firewall / ACL rule set for a subnet which has instances with
ipv6 addresses. The implementation can be at the VR level, at the hypervisor level or in an
external firewall



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message