Hi Wido,

It was nice talking to you about this.

On 5/21/2015 8:59 PM, Wido den Hollander wrote:

> (IPv6) routers should send out RAs (Router Advertisements) with the
> managed-other-flag [0][1], telling Instances to ONLY use that router
> as their default gateway and NOT to use SLAAC to autoconfigure their
> IP-Address.

OK, so no autonomous flag

> The (ip6tables) Security Groups should allow ICMPv6 by default. IPv6
> traffic breaks really hard without ICMPv6 traffic, for example PMTU
> doesn't work properly and breaks IPv6 connections.

yes, and default ip(6)tables should be in place to block VNC-related traffic except to the Virtual Console (as currently VNC ports on IPv6 are world-wide-open in BASIC network)!

> In CloudStack we might configure a /48, but tell it to hand out
> addresses for each instance from a /64 out of that /48. That means we
> can have 65k Instances in that pod. Some firewall policies block a
> complete /64 when they see malicious traffic coming from that subnet,
> so if the subnet is big enough we should try to keep all the IPv6
> addresses from one Instance in the same /64 subnet. This could also
> simplify the iptable rules.

so one /48 per pod? RIRs provide either /48 or /32 (the latter to the providers) IPv6 blocks. So this should then be configurable, both per instance and per pod. One /48 per pod still looks large to me..

On the other hand any prefix more specific than /64 could break IPv6 features, so that there are at least some practical values to rely on.

> Security grouping has to be extended to also support IPv6, but should
> allow ICMPv6 by default.

yes, ICMPv6 should be on by default (maybe it should be forced to be always on for IPv6?).

> At the end of June 2015 we want to keep a one-day meetup in Amsterdam
> with various developers to discuss some more details.

great work and very good meeting, was a pleasure to be there.

Thomas Moroder

--
Incubatec GmbH - Srl
Via Scurcia'str. 36, 39046 Ortisei(BZ), ITALY
Registered with the chamber of commerce of Bolzano the 8th of November 2001 with REA-No. 168204 (s.c. of EUR 10.000 f.p.u.)
President: Thomas Moroder, VAT-No. IT 02283140214
Tel: +39.0471796829 - Fax: +39.0471797949

IMPRINT:
http://www.incubatec.com/imprint.html
PRIVACY:
http://www.server24.it/informativa_completa.html
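
The /48-per-pod, /64-per-Instance allocation and the ICMPv6-by-default rule discussed in this thread, as an added example that is not part of the original e-mail or of CloudStack's code. The pod prefix (taken from the IPv6 documentation range), the chain name and the two-rule layout are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: a /48 from the IPv6 documentation range, standing in for a pod.
POD_PREFIX = ipaddress.IPv6Network("2001:db8:100::/48")


def subnet_count(pod):
    """Number of /64 subnets the pod prefix can hand out."""
    if pod.prefixlen > 64:
        raise ValueError("prefixes more specific than /64 are not supported")
    return 2 ** (64 - pod.prefixlen)


def instance_subnet(pod, index):
    """Return the index-th /64 inside the pod prefix (one /64 per Instance)."""
    if not 0 <= index < subnet_count(pod):
        raise ValueError(f"index {index} does not fit in {pod}")
    base = int(pod.network_address) + (index << 64)
    return ipaddress.IPv6Network((base, 64))


def owns_all(subnet, addresses):
    """True when every address of an Instance sits in its own /64."""
    return all(ipaddress.IPv6Address(a) in subnet for a in addresses)


def egress_rules(pod, index, chain):
    """ip6tables commands for one Instance; 'chain' is a hypothetical chain name."""
    subnet = instance_subnet(pod, index)
    return [
        # ICMPv6 is accepted before anything else so PMTU discovery keeps working.
        f"ip6tables -A {chain} -p icmpv6 -j ACCEPT",
        # One source match covers every address the Instance uses in its /64.
        f"ip6tables -A {chain} ! -s {subnet} -j DROP",
    ]


if __name__ == "__main__":
    print(subnet_count(POD_PREFIX))
    for rule in egress_rules(POD_PREFIX, 42, "i-42-egress"):
        print(rule)
```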
