Re: IPV6 in Isolated/VPC networks

2021-08-11 Thread Hean Seng
I very much welcome this; in the near future almost everyone may be out of
IPv4 and will be dependent on IPv6:

  *   ipv4 only (default, for backward compatibility all
networks/offerings post-upgrade migrate to this option)
  *   ipv4-and-ipv6
  *   ipv6-only (this can be phase 1.b)

Also allow changing the IPv6 IP, and the secondary IPv6 as well, especially for
the current Shared Network IPv6.




On Wed, Aug 11, 2021 at 8:27 PM Rohit Yadav 
wrote:


Re: IPV6 in Isolated/VPC networks

2021-08-11 Thread Rohit Yadav
Hi all,

Thanks for your feedback and ideas, I've gone ahead with discussing them with 
Alex and came up with a PoC/design which can be implemented in the following 
phases:

  *   Phase1: implement ipv6 support in isolated networks and VPC with static 
routing
  *   Phase2: discuss and implement support for dynamic routing (TBD)

For Phase1 here's the high-level proposal:

  *   IPv6 address management:
 *   At the zone level root-admin specifies a /64 public range that will be 
used for VRs, then they can add a /48, or /56 IPv6 range for guest networks (to 
be used by isolated networks and VPC tiers)
 *   On creation of any IPv6 enabled isolated network or VPC tier, from the 
/48 or /56 block a /64 network is allocated/used
 *   We assume SLAAC and autoconfiguration, no DHCPv6 in the zone (discuss: 
is privacy a concern, can privacy extensions rfc4941 of slaac be explored?)
  *   Network offerings: root-admin can create new network offerings (with VPC 
too) that specify a network stack option:
 *   ipv4 only (default, for backward compatibility all networks/offerings 
post-upgrade migrate to this option)
 *   ipv4-and-ipv6
 *   ipv6-only (this can be phase 1.b)
 *   A new routing option: static (phase1), dynamic (phase2, with multiple 
sub-options such as ospf/bgp etc...)
  *   VR changes:
 *   VR gets its guest and public nics set to inet6 auto
 *   For each /64 allocated to guest network and VPC tiers, radvd is 
configured to do RA
 *   Firewall: a new ipv6 zone/chain is created for ipv6 where ipv6 
firewall rules (ACLs, ingress, egress) are implemented; ACLs between VPC tiers 
are managed/implemented by ipv6 firewall on VR
 *   It is assumed that static routes are created on the core/main router 
by the admin or automated using some scripts/tools; for this CloudStack will 
announce events with details of /64 networks and VR's public IPv6 address that 
can be consumed by a rabbitmq/message bus client (for example), or a custom 
cron job or script as part of orchestration. (this wouldn't be necessary for 
dynamic routing bgp with phase2)
  *   Guest Networking: With SLAAC, it's easy for CloudStack to calculate, 
allocate and use a /64 and determine the IPv6 address of VR nics and guest VM 
nics
 *   A user creates an isolated network/VPC with an offering that is ipv6 
enabled
 *   A user can manage firewall for the IPv6 address/guest nics; there'll 
be no port forward and LB feature though for IPv6
 *   A user can run workloads in the guest VMs that listen on publicly 
routable ipv6 addresses
 *   Usage/billing etc continue to work, no change needed

Network layout:

[core/ISP router] -> [VR] -> [guest network or VPC tier on a VLAN] -> [guest 
VMs/nics]
*core/ISP router needs static routes to be added (manually or automated), 
assumes a /48 or /56 configured for the zone

Thoughts, feedback?

Proof-of-concept commentary: here's what I did to test the idea:

  *   Created an isolated network and deployed a VM in my home lab
The VR running on KVM has the following nics:
eth0 - guest network
eth1 - link local
eth2 - public network

  *   I set up a custom openwrt router on a RPi4 to serve as a toy core router 
where I create a wan6 IPv6 tunnel using tunnel broker and I got a /48 
allocated. My configuration looks like:
/48 - 2001:470:ed36::/48 (allocated by tunnel broker)
/64 - 2001:470:36:3e2::/64 (default allocated by)

I create a LAN ipv6 (public network for CloudStack VR) at subnet/prefix 0:
LAN IPv6 address: 2001:470:ed36:0::1/64
Address mode: SLAAC+stateless DHCP (no dhcpv6)

In the isolated VR, I enabled ipv6 as:
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.all.autoconf = 1

Set up an IPv6 nameserver/dns in /etc/resolv.conf
And configured the nics:
echo iface eth0 inet6 auto >> /etc/network/interfaces
echo iface eth2 inet6 auto >> /etc/network/interfaces
/etc/init.d/networking restart
Next, restart the ACS isolated network without cleanup to have it reconfigure IPv4 
nics, firewall, NAT etc.

  *   Next, I created a /64 network for the isolated guest network on eth0 of the VR 
using radvd:

# cat /etc/radvd.conf
interface eth0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 5;
    MaxRtrAdvInterval 15;
    prefix 2001:470:ed36:1::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
systemctl restart radvd
All guest VM nics and the VR's eth0 get an IPv6 address (SLAAC) in this ...:1::/64 
network
  *   Finally I added a static route in the toy core router for the new /64 IPv6 
range in the isolated network
2001:470:ed36:1::/64 via  dev 
... and I enabled firewall rules to allow any traffic to pass for the new /64 
network

And voila, all done! I created a domain  record that points to my guest VM's 
IPv6 address, with a test webserver on
http://ipv6-isolated-ntwk-demo.yadav.cloud/

(Note: I'll get rid of the tunnel and request a new /48 bl
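As an added example (not code from the proposal, the PoC or CloudStack itself), the address arithmetic the phase-1 design leans on: carving the n-th /64 out of the zone's /48 or /56 guest block (the /56 case goes beyond the /48 the lab used), deriving the SLAAC (modified EUI-64) address a VR or guest nic will pick up from its MAC, and emitting the radvd stanza and the core-router static route shown above. The guest MAC and the router's interface name are constructed placeholders; the /48 and the public /64 at prefix 0 are the ones from the lab.

```python
import ipaddress


def allocate_guest_prefix(zone_block: str, index: int) -> ipaddress.IPv6Network:
    """Return the index-th /64 carved out of the zone's /48 or /56 guest block."""
    block = ipaddress.ip_network(zone_block, strict=True)
    if block.prefixlen not in (48, 56):
        raise ValueError("guest block must be a /48 or /56")
    count = 1 << (64 - block.prefixlen)          # number of /64s in the block
    if not 0 <= index < count:
        raise ValueError(f"index {index} outside the {count} /64s in {block}")
    # consecutive /64s are 2**64 addresses apart, so the index lands in the top half
    return ipaddress.IPv6Network((int(block.network_address) + (index << 64), 64))


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64 interface id (RFC 4291): insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    # the MAC is recoverable from this id, which is the privacy point RFC 4941 addresses
    return ipaddress.IPv6Address(int(prefix.network_address) | int.from_bytes(eui, "big"))


def radvd_stanza(iface: str, prefix: ipaddress.IPv6Network) -> str:
    """radvd interface block in the shape the VR used in the PoC."""
    return (
        f"interface {iface}\n{{\n"
        "    AdvSendAdvert on;\n    MinRtrAdvInterval 5;\n    MaxRtrAdvInterval 15;\n"
        f"    prefix {prefix}\n    {{\n        AdvOnLink on;\n        AdvAutonomous on;\n    }};\n}};\n"
    )


def static_route(prefix: ipaddress.IPv6Network, vr_public: ipaddress.IPv6Address, iface: str) -> str:
    """The route the core router needs: the guest /64 reached via the VR's public address."""
    return f"{prefix} via {vr_public} dev {iface}"


if __name__ == "__main__":
    guest = allocate_guest_prefix("2001:470:ed36::/48", 1)   # -> 2001:470:ed36:1::/64, as in the PoC
    # VR public nic on the /64 at prefix 0; the MAC is a constructed value
    vr_public = slaac_address(ipaddress.ip_network("2001:470:ed36::/64"), "1e:00:94:00:00:01")
    print(radvd_stanza("eth0", guest))
    print(static_route(guest, vr_public, "br-lan"))  # "br-lan" is a placeholder interface name
```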

Re: 2FA

2021-08-11 Thread Rohit Yadav
Hi Rakesh,

We have a user authentication/login framework that you can extend to do 2FA. 
Something like (throwing ideas at you):

  *   Implement separate API to do 2FA (general purpose) and implement 2FA 
plugin-framework (plugins can be sms, captcha, google authenticator)
  *   In UI - the 2FA is called to show/pass a challenge (for example, sms 
code, google auth code etc) that the user inputs in a field
  *   When the user enters credentials and the 2FA code and submits, the login API 
piggybacks the new 2FA code as a parameter which is handled by the backend auth 
framework in a generic way, passed to the 2FA framework to check (which calls a 
check() method of the configured 2FA plugin) - on pass it does not do anything, 
on fail it throws an exception and invalidates the login

If you want to do something really quick as Simon suggests, you can enable SAML 
based single-sign-on and enable 2FA on the SAML IDP.

Regards.
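As an added illustration of the plugin sketch above (not CloudStack code; the class and method names are assumptions): a TOTP (RFC 6238) plugin exposing the check() hook, with a small clock-skew window and a replay guard so each code is accepted at most once, wired into a login flow that fails closed. The secret store is a constructed in-memory dict.

```python
import hashlib
import hmac
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the clock (what authenticator apps display)."""
    return hotp(secret, unix_time // step, digits)

class TotpPlugin:
    """Hypothetical 2FA plugin with the check() hook the sketch describes."""

    def __init__(self, secrets: dict, window: int = 1, step: int = 30):
        self._secrets = secrets      # user id -> shared secret bytes (constructed store)
        self._window = window        # tolerate +/- this many steps of clock skew
        self._step = step
        self._last_counter = {}      # replay guard: each time step is consumed at most once

    def check(self, user_id: str, code: str, now=None) -> bool:
        secret = self._secrets.get(user_id)
        if secret is None or not (code.isdigit() and len(code) == 6):
            return False
        counter = (int(time.time()) if now is None else now) // self._step
        for c in range(counter - self._window, counter + self._window + 1):
            if c <= self._last_counter.get(user_id, -1):
                continue             # this or an older step was already used: reject replays
            if hmac.compare_digest(hotp(secret, c), code):
                self._last_counter[user_id] = c
                return True
        return False

class LoginError(Exception):
    pass

def login(plugin: TotpPlugin, user_id: str, password_ok: bool, code: str, now=None) -> str:
    """The piggybacked flow: credentials first, then the 2FA check; either failure invalidates the login."""
    if not password_ok:
        raise LoginError("bad credentials")
    if not plugin.check(user_id, code, now=now):
        raise LoginError("2FA check failed")
    return f"session-for-{user_id}"  # stand-in for the real session/API-key issuance
```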


From: David Jumani 
Sent: Wednesday, August 11, 2021 09:49
To: users ; dev 
Subject: Re: 2FA

Hi Rakesh,

MFA is generally done via an IAM rather than on a per-application basis. As 
Simon had mentioned, CloudStack does support SAML / LDAP so, in a general / 
corporate use case, the MFA would go there. So I do not think adding support 
for 2FA will add any significant benefit.
That being said, I'll be happy to review any PR that's raised.

From: Simon Weller 
Sent: Wednesday, August 11, 2021 12:31 AM
To: users ; dev 
Subject: Re: 2FA

Rakesh,

ACS does support SAML2 and in order to deploy 2FA/MFA, you could integrate it 
with an Identity and Access Management System such as Keycloak 
(https://www.keycloak.org/).

-Si


From: Rakesh Venkatesh 
Sent: Tuesday, August 10, 2021 4:34 AM
To: users ; dev 
Subject: 2FA

Hello

Has anyone thought about 2FA or about how to implement it in cloudstack?
Looks like this will be a good addition to enhance the security. I have some
idea about implementing it in the backend but don't have much idea on how to
display the QR code in the ui or the other functionality which is needed for the
frontend part.

--
Thanks and regards
Rakesh



Using local storage KVM recommendation.

2021-08-11 Thread avi
Hello All,

I am testing out cloudstack 4.15.1 with KVM hosts. I have three hosts. Two of 
them have local storage of 20 TB each (the servers were used for a different 
purpose before). So, how shall I proceed towards setting up a Cloudstack 
environment with host ha (if possible)? Will this be possible if I use storage 
like glusterfs and set up mirroring between the two hosts? Are there any other 
solutions that I can look into to take advantage of Host HA with my available 
infrastructure? Tested out the environment with an nfs share from local storage 
and all is working well. But host ha is something very important. I will be 
very grateful for any kind of suggestion to set up a cloudstack environment with 
my available infrastructure (if possible).

Thank You.


IPv6 dhcp problem

2021-08-11 Thread Mustafa KALIR
Hello there,

I installed Cloudstack System with Advanced Zone. And I defined IPv6. However, 
the centos 7 template I prepared does not pull the ipv6 information. How can I 
solve this problem? The below document does not work.

https://docs.cloudstack.apache.org/en/latest/plugins/ipv6.html


Can multiple accounts share a VPC?

2021-08-11 Thread 小林 美佳子
Hi.

I would like to use a single VPC for multiple accounts, is that possible?
Image:
VPC1 / accountA&accountB
- network1 / accountA&accountB
  - VM1 / accountA
  - VM2 / accountB

I am using CloudStack 4.11.