-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 05/22/2015 11:05 PM, server24 Cloudstack wrote: > Hi Wido, > > was nice talking to you about this. > > On 5/21/2015 8:59 PM, Wido den Hollander wrote: > >> (IPv6) routers should send out RAs (Router Advertisements) with >> the managed-other-flag [0][1], telling Instances to ONLY use that >> routers as their default gateways and NOT to use SLAAC to >> autoconfigure their IP-Address. > > OK, so no autonomous flag > No, the "managed other flag" as described in RFC 4862. Meaning that the Routers should only be used as a default gateway and DHCPv6 should be used for obtaining a address. >> The (ip6tables) Security Groups should allow ICMPv6 by default. >> IPv6 traffic breaks really hard without ICMPv6 traffic, for >> example PMTU doesn't work properly and breaks IPv6 connections. > yes, and default ip(6)tables should be in place to block > VNC-related traffic except to the Virtual Console (as currently VNC > ports on IPv6 are world-wide-open in BASIC network)! > Yes, but in that case you are talking about the Console Proxy which should be firewalled properly. >> In CloudStack we might configure a /48, but tell it to hand out >> addresses for each instance from a /64 out of that /48. That >> means we can have 65k Instances in that pod. Some firewall >> policies block a complete /64 when they see malicious traffic >> coming from that subnet, so if the subnet is big enough we should >> try to keep all the IPv6 addresses from one Instance in the same >> /64 subnet. This could also simplify the iptable rules. > so one /48 per pod? RIRs provide either /48 or /32 (the latter to > the providers) IPv6 blocks. So this should then be configurable, > both per instance and per pod. One /48 per pod still looks large to > me.. > A /48 should be a possibility. If you only have a /64 available that should be no problem either. > On the other hand any prefix more specific than /64 could break > IPv6 features, so that there are at least some practical values to > rely on. >> Security grouping has to be extended to also support IPv6, but >> should allow ICMPv6 by default. > yes, ICMPv6 should be on by default (maybe it should be forced to > be always on for IPv6?). > >> At the end of June 2015 we want to keep a one-day meetup in >> Amsterdam with various developers to discuss some more details. > > great work and very good meeting, was a pleasure to be there. > > Thomas Moroder > > -- Incubatec GmbH - Srl Via Scurcia'str. 36, 39046 Ortisei(BZ), > ITALY Registered with the chamber of commerce of Bolzano the 8th of > November 2001 with REA-No. 168204 (s.c. of EUR 10.000 f.p.u.) > President: Thomas Moroder, VAT-No. IT 02283140214 Tel: > +39.0471796829 - Fax: +39.0471797949 > > IMPRINT: http://www.incubatec.com/imprint.html PRIVACY: > http://www.server24.it/informativa_completa.html > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJVYJwhAAoJEAGbWC3bPspCWXEQAISPV1PdGWa6KOck9IsTVXBt jUTpyFyg+qnmlG+QQ3LWOFjXRVUvQroryBbxkBnEbNm5d5qOsKptwwOaXMOut4A2 Nv4WCcFlAjnj78c9C/mpJvqu+Bh/WLKy4mBaMEqLiSAzqoz+CPlaiubJ/TDXR+jp XSY3XNk/jhdI02QTPNHvYc1ZbWNjuZrb+YVqEzFLra25I0bfXuq2tcBVDEMr1zmA qQVfCabkAx/a8wW2wGnz2GSg1UFDJUHOb7c6bae9nE5wo1MYpXyjpO53IBpRQuPt +VMzkjyf75yS1LFel9zS/BzV97mgEBxux9Nb3M9f/ZJW0QvS9onZdIhYgCeDyxJe M/XTD6M0O+ha4mFaYTeSudWoQnv/ZZ1P5RuPTQyQRD4P7nSkorz6QOR/SVb+OhXG 7tqd0GaUS/OFTC69wBTN/t9m98mYRZ5s4XtuocE5DadHqIv5JslrKLzC2YJEWonm RqL2Gow0/h+k99esJatmCZq+6jXwsy9pIVsLspfDt+GKBOVw8sHNTDUPTvdVzffv Qa+gVl5gg9RvSonJ8xS7sHI/p/gDFJrN1lWzxl9YWyurjDKFz2zI0OWfOKGZdhrE Ywgzb+2ExzGSgLSE6AL8awLbl1N57TOlQI4SlfN7Ph4kaS2T9eCleAXP3BxPSXqK Hji1OI5/luKcQVyYqwaT =acrP -----END PGP SIGNATURE-----
