Hi,

Yesterday we from PCextreme, Leaseweb and Schuberg Philis sat down for an IPv6 brainstorm session.

We asked a good IPv6 consultant (Sander Steffann) to join us to help us identify some glitches in our ideas.

We had two ideas:

- https://cwiki.apache.org/confluence/display/CLOUDSTACK/IPv6+in+Basic+Networking
- https://cwiki.apache.org/confluence/display/CLOUDSTACK/IPv6+in+VPC+Router

Overall, our ideas looked good; our main concern was security grouping: how to prevent clients from spoofing and such.

I updated the spec for the Basic Networking with those ideas.

A few things worth noting:

- Link-Local traffic should be allowed for specific ICMPv6 only. No UDP or TCP!
- A DUID cannot be trusted. We need a tagger on the HV which adds the MAC address as DHCPv6 option 37.
- SLAAC cannot be used. DHCPv6+IA only
- We can assign multiple IPs and Prefixes via DHCPv6
- ISC Kea seems very nice as a DHCPv6 server: http://kea.isc.org/wiki

A few RFCs which might be worth reading:

- https://www.ietf.org/rfc/rfc4890.txt
- https://tools.ietf.org/html/rfc6939
- https://tools.ietf.org/html/rfc4861

We will start to work on this, but the CloudStack core is still very, very, very IPv4 minded and this will need a lot of refactoring.

However, once you understand IPv6 better it is much more simple than IPv4 imho.

The end goal is that CloudStack can run on IPv6-only without ANY IPv4.

What also resulted from this day:

- Basic Networking can probably be merged with Advanced Networking with Direct Attached
- Isolated Networks are about the same as a VPC
- We might be able to ditch the SSVM in most situations

Anyway, enough work to do!

Wido
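
An added example (not part of the original message, and not CloudStack or Kea code) for the "DUID cannot be trusted" point above: it parses a DHCPv6 Relay-Forward message and returns the MAC the hypervisor tagger put in option 37 next to the MAC the guest claims in its DUID. The Remote-ID layout (4-byte enterprise number followed by the 6-byte MAC), the function names and the sample packet are assumptions constructed for illustration.

```python
import struct
RELAY_FORW, OPT_CLIENTID, OPT_RELAY_MSG, OPT_REMOTE_ID = 12, 1, 9, 37

def parse_options(buf):
    """Split a DHCPv6 option area into {code: data}; reject truncated options."""
    opts, off = {}, 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option %d overruns packet" % code)
        opts[code] = buf[off:off + length]
        off += length
    return opts

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def inspect_relay_forward(pkt):
    """Return (hypervisor-tagged MAC, MAC the client claims in its DUID)."""
    if len(pkt) < 34 or pkt[0] != RELAY_FORW:  # 34-byte fixed relay header
        raise ValueError("not a Relay-Forward message")
    outer = parse_options(pkt[34:])
    remote_id = outer.get(OPT_REMOTE_ID, b"")
    if len(remote_id) != 10:  # assumed layout: 4-byte enterprise number + 6-byte MAC
        raise ValueError("no usable option 37; never fall back to the DUID")
    # Inner client message: skip 1-byte msg-type and 3-byte transaction-id
    inner = parse_options(outer.get(OPT_RELAY_MSG, b"")[4:])
    duid = inner.get(OPT_CLIENTID, b"")
    duid_type = struct.unpack_from("!H", duid)[0] if len(duid) >= 2 else 0
    start = {1: 8, 3: 4}.get(duid_type)  # DUID-LLT / DUID-LL embed a MAC
    duid_mac = mac_str(duid[start:]) if start is not None else None
    return mac_str(remote_id[4:]), duid_mac

def opt(code, data):
    return struct.pack("!HH", code, len(data)) + data

# Constructed sample: the guest sends a DUID-LL naming another MAC, while the
# hypervisor tagger wraps the packet and records the real vNIC MAC in option 37.
CLAIMED_DUID = struct.pack("!HH", 3, 1) + bytes.fromhex("aabbcc000001")
SOLICIT = b"\x01\x00\x00\x2a" + opt(OPT_CLIENTID, CLAIMED_DUID)
SAMPLE = (bytes([RELAY_FORW, 0]) + bytes(32)  # 32473 = documentation enterprise number
          + opt(OPT_REMOTE_ID, struct.pack("!I", 32473) + bytes.fromhex("525400123456"))
          + opt(OPT_RELAY_MSG, SOLICIT))

if __name__ == "__main__":
    print(inspect_relay_forward(SAMPLE))
```

In the sample the two values differ; the lease is keyed on the first (tagger-supplied) value and the second is treated as untrusted client input.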