On 05-09-14 12:42, Nux! wrote:
Hi,

I've been thinking about this and apparently there is a big security problem 
with this idea, at least my colleagues from the network dept tell me so.
If you want to use the router autoconfig thingy you must - as per current 
standards - use a /64 on the router interface and this way you expose yourself 
to a neighbour table attack - the neighbour table in avg cisco routers can hold 
tens of thousands of entries more or less, but it's still far from the 
trillions of addresses in a /64. This may seem far fetched but since 512k day, 
my colleagues don't want to take any more chances. :-)

That only works if you actually spawn thousands of instances in that subnet.

One of the things people told me was that you could overflow the neighbour table by sending packets to bogus IPv6 addresses.

I tried that some weeks ago on a Brocade and an Extreme Networks router, but they both have a system of "valid neighbours" and "pending neighbours".

Only when a neighbour actually responds does it go into the "valid" table; otherwise it is kicked out of the "pending" table pretty quickly.

I could not overflow any table or make them drop traffic to legitimate hosts.

They recommend to use DHCPv6 instead with far smaller subnets, which of course 
complicates things quite a bit on the CloudStack side...


Well, we would still need DHCPv6 to hand out additional options like DNS, but yes, since with the subnet + MAC you can calculate which IPv6 address the instance will use based on SLAAC.

We can program that address into the security groups and that's the IPv6 address the guest can use.

Additional IPs are just a matter of generating an address, storing it and adding it to the SG.

So Router Advertisements are a very easy option to use.

Any thoughts?

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
From: "John Kinsella" <j...@stratosec.co>
To: dev@cloudstack.apache.org
Sent: Wednesday, 20 August, 2014 11:59:27 PM
Subject: Re: IPv6 ~ Basic Network

Please do - we started tinkering with ipv6 ages ago, never got it to
production, tho.

On Aug 20, 2014, at 3:48 PM, Nux! <n...@li.nux.ro> wrote:

Thanks Wido for the idea, then. :-)
I'll gladly share it with you guys should I come up with something that
works.

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro


----- Original Message -----
From: "Wido den Hollander" <w...@widodh.nl>
To: dev@cloudstack.apache.org
Sent: Wednesday, 20 August, 2014 9:36:48 PM
Subject: Re: IPv6 ~ Basic Network



On 08/20/2014 10:07 PM, Nux! wrote:
Wido,

Can you share your code for this?


Oh, I don't have any code. The setups I created have plain IPv6 without
any security grouping.

My previous e-mail was just to illustrate what would be required.

Wido

Cheers

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

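The derivation Wido sketches above (router /64 + guest MAC gives the SLAAC address, which is then programmed into the security group, with additional IPs generated and stored alongside it), worked through in Python as an added example. This is not CloudStack code and not Wido's; every function and variable name is hypothetical, the prefix and MACs are constructed samples, and the "security group" is modelled as the set of source addresses a hypervisor anti-spoofing filter would permit for one VM.

```python
"""Added example (not CloudStack code): derive the SLAAC address a guest will
self-configure from the router's /64 plus its MAC, and build the per-VM set of
source addresses a security-group (anti-spoofing) filter on the hypervisor
should permit. All names here are hypothetical."""
import ipaddress
import secrets

LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 Appendix A) as a 64-bit int."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Split the MAC in the middle, insert 0xFFFE and invert the
    # universal/local bit (0x02 in the first octet).
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global address the guest forms from an RA carrying `prefix` (RFC 4862)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        # Stateless autoconfiguration with EUI-64 identifiers only works on a
        # /64, which is why RA-based autoconfig cannot use a smaller subnet.
        raise ValueError(f"SLAAC needs a /64 prefix, got /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def allocate_extra_address(prefix: str, used, randbits=secrets.randbits):
    """Pick an unused random interface ID in the same /64 for an 'additional IP'.

    `randbits` is injectable so tests can drive it; production uses secrets."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    taken = {ipaddress.IPv6Address(a) for a in used}
    for _ in range(16):
        iid = randbits(64)
        if iid == 0:
            continue  # ::0 in a /64 is the subnet-router anycast address
        candidate = ipaddress.IPv6Address(int(net.network_address) | iid)
        if candidate not in taken:
            return candidate
    raise RuntimeError("no free address found after 16 attempts")


def permitted_sources(prefix: str, mac: str, extra=()):
    """Set of source addresses the hypervisor filter should allow for this VM."""
    iid = eui64_interface_id(mac)
    allowed = {slaac_address(prefix, mac)}
    # The guest's link-local address uses the same identifier; it must be
    # allowed too or Neighbor Discovery / DAD from the guest gets dropped.
    allowed.add(ipaddress.IPv6Address(int(LINK_LOCAL.network_address) | iid))
    allowed.update(ipaddress.IPv6Address(a) for a in extra)
    return allowed


def is_permitted_source(addr: str, allowed) -> bool:
    """What the anti-spoofing rule decides for one outgoing packet's source."""
    return ipaddress.IPv6Address(addr) in allowed


if __name__ == "__main__":
    prefix, mac = "2001:db8:1::/64", "06:4c:72:00:00:1b"  # constructed sample
    sg = permitted_sources(prefix, mac)
    extra = allocate_extra_address(prefix, sg)
    sg = permitted_sources(prefix, mac, extra=[extra])
    for a in sorted(sg):
        print("allow", a)
    # An RFC 4941 temporary ("privacy") address is not derivable from the MAC,
    # so this filter drops it; guests need privacy extensions off or the
    # address registered as an additional IP.
    print(is_permitted_source("2001:db8:1:0:1c3a:9f0e:7b21:4d55", sg))  # False
```

Two practical caveats fall out of the last lines: the link-local address formed from the same EUI-64 identifier has to be in the allow set, otherwise the guest's own Neighbor Discovery traffic is filtered; and a guest that enables RFC 4941 privacy extensions will source packets from an address that cannot be predicted from the MAC, so such guests either need the feature disabled or each temporary address added as an "additional IP".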