The latest Xen Server install seems to have IPv6 disabled (just
checked in my lab). Is it enabled in XCP?

(I may be showing my Xen ignorance here)

- chip

On Jul 30, 2012, at 9:24 AM, Hugo Trippaers
<htrippa...@schubergphilis.com> wrote:

> Hey Chip,
>
> Yeah, I want help :-)
>
> I just committed the sysctl.conf changes for the systemvm. This morning I 
> applied them to my test environment and they do the job.
>
> We could add the actual sysctl command to the vmops next to adding the IPv6 
> ip6tables statements I think.
>
> Cheers,
>
> Hugo
>
>
> -----Original Message-----
> From: Chip Childers [mailto:chip.child...@sungard.com]
> Sent: Monday, July 30, 2012 3:13 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: Disable IPv6 for systemvm
>
> On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers 
> <htrippa...@schubergphilis.com> wrote:
>> By the way, we might want to add the same configuration to vmops for 
>> XenServer.
>>
>> Currently it is possible to have a tenant vm send a router advertisement on 
>> the isolated lan that is picked up by XenServer. Even though XenServer only 
>> has a bridge interface in the tenant lan that interface will be 
>> autoconfigured. A simple ping to the local all-node address (ff02::1) will 
>> tell you the mac off of the XenServer interface. As XenServer has ssh active 
>> on all interfaces you can directly connect to the ssh daemon on the 
>> XenServer. We only push an IPv4 firewall to the XenServer so the IPv6 
>> firewall is default (ACCEPT everything).
>>
>> Still you only gain access to the ssh port, but that is something that 
>> should not be possible from a tenant lan.
>>
>> Cheers,
>>
>> Hugo
>
> As a provider, this one is even more concerning.  Unless someone has an 
> objection, I'd agree with your solution.  We can remove a DENY rule in the 
> future, after IPv6 support is added properly / completely.
>
> If you want help working up the fix for this, please let me know!
>
> -chip
>
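
The exposure described in the thread (a host interface that autoconfigures from a tenant's router advertisement while the IPv6 firewall is left at its default) can be checked from `sysctl -a` and `ip6tables -S` output. This is an added example, not part of the original thread or of CloudStack's code; the function names, the sample dumps and the bridge names xenbr0 and xapi1 are constructed assumptions.

```shell
#!/bin/sh
# Added example. Inputs are text as printed by `sysctl -a` and `ip6tables -S`.
# On a live host: sysctl -a 2>/dev/null | ra_exposed_ifaces
#                 ip6tables -S | ipv6_input_open && echo "IPv6 INPUT is open"

# Interfaces that will autoconfigure from a router advertisement:
# IPv6 not disabled (disable_ipv6 != 1) and accept_ra nonzero.
ra_exposed_ifaces() {
    awk -F' *= *' '
        /^net\.ipv6\.conf\./ {
            split($1, p, ".")
            if (p[5] == "disable_ipv6") dis[p[4]] = $2
            if (p[5] == "accept_ra")    ra[p[4]]  = $2
        }
        END {
            for (i in ra) {
                if (i == "all" || i == "default" || i == "lo") continue
                if (ra[i] + 0 != 0 && dis[i] + 0 != 1) print i
            }
        }' | sort
}

# Succeeds when the IPv6 INPUT chain accepts everything:
# default policy ACCEPT and no rules appended to INPUT.
ipv6_input_open() {
    awk '$1 == "-P" && $2 == "INPUT" { pol = $3 }
         $1 == "-A" && $2 == "INPUT" { rules++ }
         END { exit !(pol == "ACCEPT" && rules == 0) }'
}

# Constructed sample data (bridge names xenbr0 and xapi1 are assumptions).
sample_sysctl() {
    cat <<'EOF'
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.lo.accept_ra = 1
net.ipv6.conf.xenbr0.accept_ra = 0
net.ipv6.conf.xenbr0.disable_ipv6 = 1
net.ipv6.conf.xapi1.accept_ra = 1
net.ipv6.conf.xapi1.disable_ipv6 = 0
EOF
}
sample_rules() { printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD ACCEPT' '-P OUTPUT ACCEPT'; }

for i in $(sample_sysctl | ra_exposed_ifaces); do
    if sample_rules | ipv6_input_open; then
        echo "EXPOSED: $i accepts RAs and ip6tables INPUT is ACCEPT with no rules"
    fi
done
```

The firewall check only looks at the default policy and whether any INPUT rules exist; it does not evaluate what those rules match.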
