Hi,

After the EU User Group meetup in London today I sat down with Rohit,
John Burwell and some other people, and I wanted to air the ideas
we/I came up with for IPv6 in BASIC networking.


(IPv6) routers should send out RAs (Router Advertisements) with the
managed-other-flag [0][1], telling Instances to ONLY use those routers
as their default gateways and NOT to use SLAAC to autoconfigure their
IP address.

The management server should be told that a specific subnet can be
used within a pod, e.g. a /64.

When a new IPv6 address is requested, the management server generates a
random new address in that subnet and checks that no duplicate exists.
If none does, it stores the /128 (single IP) in the MySQL database and
configures the DHCPv6 server on the Virtual Router (VR).

When the Instance boots, it knows from the "managed other flag"
in the RA that it should query DHCPv6 to acquire an IPv6 address.

The VR responds to the DHCPv6 request with an IPv6 address, DNS
servers, domain and maybe an NTP server.

We ONLY store addresses we have handed out, unlike IPv4, where we store
every address. An address NOT stored in the database means it has not been
handed out.

The (ip6tables) Security Groups should allow ICMPv6 by default. IPv6
traffic breaks really hard without ICMPv6 traffic, for example PMTU
doesn't work properly and breaks IPv6 connections.

In CloudStack we might configure a /48, but tell it to hand out
addresses for each instance from a /64 out of that /48. That means we
can have 65k Instances in that pod. Some firewall policies block a
complete /64 when they see malicious traffic coming from that subnet,
so if the subnet is big enough we should try to keep all the IPv6
addresses of one Instance in the same /64 subnet. This could also
simplify the ip6tables rules.

To me this seems like a simple but robust solution. The real
hardware routers do all the traffic forwarding and the VR only does
DHCPv6.

Security grouping has to be extended to also support IPv6, but should
allow ICMPv6 by default.

At the end of June 2015 we want to hold a one-day meetup in Amsterdam
with various developers to discuss some more details.

Wido

[0]: https://www.ietf.org/rfc/rfc5075.txt
[1]: https://www.ietf.org/rfc/rfc4861.txt
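The allocation scheme sketched in the mail (one /48 per pod, one /64 per Instance, random /128s handed out over DHCPv6, only handed-out addresses stored, ICMPv6 always allowed in the Security Group) as an added worked example. This is illustrative code written for this page, not CloudStack's own implementation: the Pod class, its in-memory dicts standing in for the MySQL table, the instance ids, the chain name and the form of the generated ip6tables rules are all assumptions; only the ip6tables options used (-p ipv6-icmp, -d, --dport) are real ones.

```python
"""Added example, not CloudStack code: IPv6 allocation per the proposal.

A pod gets a /48; every Instance gets its own /64 out of it, so that an
upstream firewall blocking a "bad" /64 only ever hits one Instance.  Host
addresses are random /128s inside that /64, duplicate-checked against the
store.  Only addresses that were actually handed out are stored, so
"not in the store" means "never handed out".  The dicts below stand in
for the MySQL table (assumption for this example).
"""
import ipaddress
import secrets


class Pod:
    def __init__(self, prefix: str, instance_prefixlen: int = 64):
        self.net = ipaddress.IPv6Network(prefix)          # e.g. the pod's /48
        if not self.net.prefixlen < instance_prefixlen <= 128:
            raise ValueError("instance prefix must lie inside the pod prefix")
        self.instance_prefixlen = instance_prefixlen
        self.instance_subnet = {}   # instance id -> its IPv6Network (the /64)
        self.leases = {}            # IPv6Address -> instance id; handed-out only

    def subnet_for(self, instance_id: str) -> ipaddress.IPv6Network:
        """Return (and on first use pick) the Instance's own /64 out of the /48."""
        if instance_id not in self.instance_subnet:
            used = set(self.instance_subnet.values())
            for cand in self.net.subnets(new_prefix=self.instance_prefixlen):
                if cand not in used:
                    self.instance_subnet[instance_id] = cand
                    break
            else:
                raise RuntimeError("no free instance subnet left in the pod")
        return self.instance_subnet[instance_id]

    def allocate(self, instance_id: str, max_tries: int = 16) -> ipaddress.IPv6Address:
        """Hand out a random /128 inside the Instance's /64, avoiding duplicates."""
        subnet = self.subnet_for(instance_id)
        host_bits = 128 - subnet.prefixlen
        for _ in range(max_tries):
            cand = subnet.network_address + secrets.randbelow(1 << host_bits)
            if cand == subnet.network_address:
                continue            # skip the subnet-router anycast address
            if cand not in self.leases:   # the duplicate check against the store
                self.leases[cand] = instance_id
                return cand
        raise RuntimeError("could not find a free address after %d tries" % max_tries)

    def is_handed_out(self, addr: str) -> bool:
        """Only handed-out addresses are stored; absence means not handed out."""
        return ipaddress.IPv6Address(addr) in self.leases

    def release(self, addr: str) -> None:
        del self.leases[ipaddress.IPv6Address(addr)]


def security_group_rules(chain: str, subnet: ipaddress.IPv6Network, tcp_ports) -> list:
    """ip6tables lines for one Instance's ingress chain (chain name is assumed).

    ICMPv6 is accepted unconditionally, because without it PMTU discovery
    and neighbour discovery break.  Everything else is matched on the
    Instance's whole /64 instead of on each individual /128, which is the
    rule simplification the mail mentions.
    """
    rules = [f"ip6tables -A {chain} -p ipv6-icmp -j ACCEPT"]
    for port in tcp_ports:
        rules.append(f"ip6tables -A {chain} -d {subnet} -p tcp --dport {port} -j ACCEPT")
    rules.append(f"ip6tables -A {chain} -j DROP")
    return rules


if __name__ == "__main__":
    pod = Pod("2001:db8:abcd::/48")          # constructed documentation prefix
    vm1 = pod.allocate("vm-1")
    vm1_second = pod.allocate("vm-1")         # second address stays in the same /64
    vm2 = pod.allocate("vm-2")
    print(vm1, vm1_second, "->", pod.subnet_for("vm-1"))
    print(vm2, "->", pod.subnet_for("vm-2"))
    print("\n".join(security_group_rules("i-2-3-VM", pod.subnet_for("vm-1"), [22, 443])))
```

Running it prints two addresses from the first /64 of the /48 for vm-1, one from the second /64 for vm-2, and the ip6tables rules for vm-1 with the ICMPv6 accept at the top.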