incubator-cloudstack-dev mailing list archives

From Hugo Trippaers <HTrippa...@schubergphilis.com>
Subject RE: Disable IPv6 for systemvm
Date Mon, 30 Jul 2012 13:23:50 GMT
Hey Chip,

Yeah, I want help :-)

I just committed the sysctl.conf changes for the systemvm. This morning I applied them to
my test environment and they do the job.

We could add the actual sysctl command to the vmops next to adding the IPv6 ip6tables statements,
I think.

Cheers,

Hugo


-----Original Message-----
From: Chip Childers [mailto:chip.childers@sungard.com] 
Sent: Monday, July 30, 2012 3:13 PM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Disable IPv6 for systemvm

On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers <HTrippaers@schubergphilis.com> wrote:
> By the way, we might want to add the same configuration to vmops for XenServer.
>
> Currently it is possible to have a tenant vm send a router advertisement on the isolated lan that is picked up by XenServer. Even though XenServer only has a bridge interface in the tenant lan, that interface will be autoconfigured. A simple ping to the local all-node address (ff02::1) will tell you the mac of the XenServer interface. As XenServer has ssh active on all interfaces you can directly connect to the ssh daemon on the XenServer. We only push an IPv4 firewall to the XenServer so the IPv6 firewall is default (ACCEPT everything).
>
> Still you only gain access to the ssh port, but that is something that should not be possible from a tenant lan.
>
> Cheers,
>
> Hugo

As a provider, this one is even more concerning.  Unless someone has an objection, I'd agree
with your solution.  We can remove a DENY rule in the future, after IPv6 support is added
properly / completely.

If you want help working up the fix for this, please let me know!

-chip
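
Added example, not part of either message and not CloudStack code: a check for the exposure discussed in this thread, classifying a host from captured `sysctl -a` and `ip6tables -S` output. The thread does not show the committed sysctl.conf lines, so the standard Linux `net.ipv6.conf.*.disable_ipv6` keys are an assumption, and all sample inputs are constructed.

```shell
#!/bin/sh
# Inputs are captured text so the check runs offline:
#   $1 = output of `sysctl -a`, $2 = output of `ip6tables -S`.

# Value of sysctl key $1 in text $2; empty when the key is absent.
sysctl_value() {
    printf '%s\n' "$2" |
        awk -F'[ \t]*=[ \t]*' -v key="$1" '$1 == key { v = $2 } END { print v }'
}

# Default policy of the INPUT chain in `ip6tables -S` output $1.
input_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }'
}

# Prints DISABLED (IPv6 off for existing and future interfaces),
# FILTERED (IPv6 on, INPUT policy DROP) or EXPOSED (IPv6 on, policy not DROP).
# Absent keys count as "not disabled", so missing data is reported, not trusted.
# Policy-level check only: ACCEPT rules under a DROP policy still need review.
ipv6_exposure() {
    all=$(sysctl_value net.ipv6.conf.all.disable_ipv6 "$1")
    def=$(sysctl_value net.ipv6.conf.default.disable_ipv6 "$1")
    if [ "$all" = 1 ] && [ "$def" = 1 ]; then
        echo DISABLED
    elif [ "$(input_policy "$2")" = DROP ]; then
        echo FILTERED
    else
        echo EXPOSED
    fi
}

# Constructed samples: autoconfiguring host with an empty IPv6 ruleset,
# a host with IPv6 disabled, and a ruleset that drops inbound IPv6.
OPEN_SYSCTL='net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.all.accept_ra = 1'
HARDENED_SYSCTL='net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1'
OPEN_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
DROP_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT'

echo "default host:  $(ipv6_exposure "$OPEN_SYSCTL" "$OPEN_RULES")"
echo "sysctl fix:    $(ipv6_exposure "$HARDENED_SYSCTL" "$OPEN_RULES")"
echo "ip6tables fix: $(ipv6_exposure "$OPEN_SYSCTL" "$DROP_RULES")"
```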
