On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers <htrippa...@schubergphilis.com> wrote:

> By the way, we might want to add the same configuration to vmops for
> XenServer.
>
> Currently it is possible to have a tenant vm send a router advertisement on
> the isolated lan that is picked up by XenServer. Even though XenServer only
> has a bridge interface in the tenant lan, that interface will be
> autoconfigured. A simple ping to the local all-nodes address (ff02::1) will
> tell you the MAC of the XenServer interface. As XenServer has ssh active
> on all interfaces, you can directly connect to the ssh daemon on the
> XenServer. We only push an IPv4 firewall to the XenServer, so the IPv6 firewall
> is default (ACCEPT everything).
>
> Still, you only gain access to the ssh port, but that is something that should
> not be possible from a tenant lan.
>
> Cheers,
>
> Hugo
As a provider, this one is even more concerning. Unless someone has an objection, I'd agree with your solution. We can remove a DENY rule in the future, after IPv6 support is added properly / completely.

If you want help working up the fix for this, please let me know!

-chip
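The host-side fix the thread is converging on (push an IPv6 firewall to the XenServer so the tenant bridge no longer exposes sshd, and stop the bridge from autoconfiguring from tenant router advertisements) can be expressed as a small generator of sysctl and ip6tables commands. The script below is an added example written for this page; it is not code from the thread or from the vmops/CloudStack project. The bridge names `xenbr1` and `xenbr2` are assumed placeholders for the tenant-facing bridges, and the script prints its plan by default so it can be reviewed before being run as root with `apply_ipv6_hardening`.

```shell
#!/bin/sh
# Added example (not from the thread or the vmops/CloudStack code base):
# generate the IPv6 hardening for tenant-facing bridges on a XenServer host.
# Bridge names such as xenbr1 are assumed placeholders.

# Print sysctl commands that stop a bridge from picking up an address
# from tenant router advertisements (the autoconfiguration Hugo describes).
ra_sysctl_rules() {
  for br in "$@"; do
    printf 'sysctl -w net.ipv6.conf.%s.accept_ra=0\n' "$br"
    printf 'sysctl -w net.ipv6.conf.%s.autoconf=0\n' "$br"
  done
}

# Print ip6tables commands that drop all inbound IPv6 arriving on a tenant
# bridge, so that even an already-configured address never reaches sshd.
# This is the "DENY" rule the thread proposes, scoped to the tenant side only.
ip6_input_rules() {
  for br in "$@"; do
    printf 'ip6tables -A INPUT -i %s -j DROP\n' "$br"
  done
}

# Full plan for the given bridges: sysctl first, then firewall, one command
# per line. Two sysctl lines plus one ip6tables line per bridge.
ipv6_hardening_plan() {
  ra_sysctl_rules "$@"
  ip6_input_rules "$@"
}

# Apply the plan on the host. Needs root; each generated line is executed
# as a command (intentional word splitting on the generated text).
apply_ipv6_hardening() {
  ipv6_hardening_plan "$@" | while IFS= read -r cmd; do
    $cmd
  done
}

# Dry run for the assumed tenant bridges; review, then call
# apply_ipv6_hardening xenbr1 xenbr2 as root.
ipv6_hardening_plan xenbr1 xenbr2
```

The rules are appended to INPUT rather than set as the chain's default policy so that the management interface keeps whatever IPv6 behaviour the host already has; only traffic entering via the tenant bridges is dropped, which is the narrowest change that closes the path from a tenant VM to the host's ssh daemon.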