The latest Xen Server install seems to have IPv6 disabled (just checked in my lab). Is it enabled in XCP?
(I may be showing my Xen ignorance here)

- chip

On Jul 30, 2012, at 9:24 AM, Hugo Trippaers <htrippa...@schubergphilis.com> wrote:

> Hey Chip,
>
> Yeah, I want help :-)
>
> I just committed the sysctl.conf changes for the systemvm. This morning I
> applied them to my test environment and they do the job.
>
> We could add the actual sysctl command to the vmops next to adding the IPv6
> ip6tables statements I think.
>
> Cheers,
>
> Hugo
>
>
> -----Original Message-----
> From: Chip Childers [mailto:chip.child...@sungard.com]
> Sent: Monday, July 30, 2012 3:13 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: Disable IPv6 for systemvm
>
> On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers
> <htrippa...@schubergphilis.com> wrote:
>> By the way, we might want to add the same configuration to vmops for
>> XenServer.
>>
>> Currently it is possible to have a tenant vm send a router advertisement on
>> the isolated lan that is picked up by XenServer. Even though XenServer only
>> has a bridge interface in the tenant lan that interface will be
>> autoconfigured. A simple ping to the local all-node address (ff02::1) will
>> tell you the mac off of the XenServer interface. As XenServer has ssh active
>> on all interfaces you can directly connect to the ssh daemon on the
>> XenServer. We only push an IPv4 firewall to the XenServer so the IPv6
>> firewall is default (ACCEPT everything).
>>
>> Still you only gain access to the ssh port, but that is something that
>> should not be possible from a tenant lan.
>>
>> Cheers,
>>
>> Hugo
>
> As a provider, this one is even more concerning. Unless someone has an
> objection, I'd agree with your solution. We can remove a DENY rule in the
> future, after IPv6 support is added properly / completely.
>
> If you want help working up the fix for this, please let me know!
>
> -chip
>
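
Added example, not part of the original thread or of CloudStack's code: a shell audit that reads a copy of a host's sysctl.conf and its `ip6tables-save` output and flags the condition described in the thread, IPv6 active while the IPv6 INPUT chain accepts everything. The sysctl keys checked, the function names and the sample inputs are assumptions; the thread does not list the committed sysctl.conf changes.

```shell
#!/bin/sh
# Added example: offline audit of a saved sysctl.conf and ip6tables-save dump.
# Function names and checked keys are assumptions, not taken from the thread.

# Effective value of key $2 in sysctl.conf-style file $1 (last assignment wins);
# prints the default $3 when the key is never set.
sysctl_value() {
    awk -F= -v key="$2" -v def="$3" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
          if (k == key) val = v }
        END { print (val == "" ? def : val) }' "$1"
}

# Policy of the filter-table INPUT chain in ip6tables-save output $1.
# An empty dump means no rules were loaded, so the built-in ACCEPT applies.
input_policy() {
    awk '/^\*/ { table = substr($1, 2) }
         table == "filter" && $1 == ":INPUT" { p = $2 }
         END { print (p == "" ? "ACCEPT" : p) }' "$1"
}

# Verdict for one host: $1 = sysctl.conf copy, $2 = ip6tables-save output.
# accept_ra is reported for context only; link-local addresses exist without it.
audit_ipv6() {
    off=$(sysctl_value "$1" net.ipv6.conf.all.disable_ipv6 0)
    ra=$(sysctl_value "$1" net.ipv6.conf.default.accept_ra 1)
    pol=$(input_policy "$2")
    if [ "$off" = 1 ]; then echo "OK ipv6-disabled"
    elif [ "$pol" = ACCEPT ]; then echo "EXPOSED ipv6-on accept_ra=$ra input=ACCEPT"
    else echo "FILTERED ipv6-on accept_ra=$ra input=$pol"
    fi
}

# Constructed sample inputs (not taken from the thread or from any real host).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# IPv4 tuning only' 'net.ipv4.ip_forward = 0' > "$tmp/stock.conf"
printf '%s\n' 'net.ipv6.conf.all.disable_ipv6 = 1' > "$tmp/hardened.conf"
: > "$tmp/empty.rules"
printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
    ':OUTPUT ACCEPT [0:0]' 'COMMIT' > "$tmp/drop.rules"

audit_ipv6 "$tmp/stock.conf"    "$tmp/empty.rules"
audit_ipv6 "$tmp/stock.conf"    "$tmp/drop.rules"
audit_ipv6 "$tmp/hardened.conf" "$tmp/empty.rules"
```

The parser only handles the dotted `key = value` form of sysctl.conf and looks at the chain policy alone, so a host whose INPUT policy is ACCEPT but which ends the chain with an explicit drop rule would still be reported as EXPOSED.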