Good work guys, sorry I could not attend. Can I stress to people that this should also be made to work in ADV zone + SG?
Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Wido den Hollander" <w...@widodh.nl>
> To: dev@cloudstack.apache.org
> Sent: Thursday, 21 May, 2015 19:59:34
> Subject: IPv6 ideas for Basic Networking
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> After the EU User Group meetup in London today I sat down with Rohit,
> John Burwell and some other people and I wanted to ventilate the ideas
> we/I came up with for IPv6 in BASIC networking.
>
>
> (IPv6) routers should send out RAs (Router Advertisements) with the
> managed-other-flag [0][1], telling Instances to ONLY use that router
> as their default gateway and NOT to use SLAAC to autoconfigure their
> IP-Address.
>
> The management server should be told that a specific subnet can be
> used within a pod, eg a /64.
>
> When a new IPv6 Address is requested the management server generates a
> random new address in that subnet and checks that no duplicate exists.
> If not, it stores the /128 (single IP) in the MySQL database and
> configures the DHCPv6 server on the Virtual Router (VR).
>
> When the Instance boots it knows, due to the "managed other flag"
> in the RA, that it should query DHCPv6 to acquire an IPv6 address.
>
> The VR responds to the DHCPv6 request with an IPv6 address, DNS
> servers, domain and maybe a NTP server.
>
> We ONLY store addresses we handed out, unlike with IPv4 where we store
> every address. An address NOT stored in the database means it has not
> been handed out.
>
> The (ip6tables) Security Groups should allow ICMPv6 by default. IPv6
> traffic breaks really hard without ICMPv6 traffic, for example PMTU
> doesn't work properly and breaks IPv6 connections.
>
> In CloudStack we might configure a /48, but tell it to hand out
> addresses for each instance from a /64 out of that /48. That means we
> can have 65k Instances in that pod. Some firewall policies block a
> complete /64 when they see malicious traffic coming from that subnet,
> so if the subnet is big enough we should try to keep all the IPv6
> addresses from one Instance in the same /64 subnet. This could also
> simplify the iptables rules.
>
> To me this seems like a simple but robust solution. The real
> hardware routers do all the traffic forwarding and the VR only does
> DHCPv6.
>
> Security grouping has to be extended to also support IPv6, but should
> allow ICMPv6 by default.
>
> At the end of June 2015 we want to hold a one-day meetup in Amsterdam
> with various developers to discuss some more details.
>
> Wido
>
> [0]: https://www.ietf.org/rfc/rfc5075.txt
> [1]: https://www.ietf.org/rfc/rfc4861.txt
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBAgAGBQJVXisUAAoJEAGbWC3bPspCvTcQAJ09PKqwhhjGqF1TmpyfLKGE
> Aup7qDQsHlGn4tnl09OIOoJo4RC2WMGV4d93jO3q1IM6moMNWMNrtOWqLrIhwnXg
> zYvYvvJZQN8eYCL1eyz2sTb/pOo0LpIFB8E9QV2Tp6m0oL8jvpXXo4dobZBXAGAu
> oCsqpdo3zFAG23DLAxRjEB+UoxtvwYbgyEDN97JRM3Da0PMPeTiwdtdOmb91w1sF
> ZfvUQcf71Zdg2LHTV1LYiLynhrOpKtqrZ0MOI+RMxB4tdgdmA5dw5Ifp0pcrbCCR
> VUeX4GPj+vOtlJWo677/j2napPuQA+Jev367PU3+vzO5nboWxEMtXMZZFQJ2wSbj
> jpBldZm0AThEKkmCWjmi0UGJXH0sEIVyytvdo6p/W64L0a4wTF70A6FUtT5QT+mg
> KHlBl40QVL57JKCEVYjdUtqVMPKbj3JwLu6N9vX4gxmNcv1CASOfn1/0F5pmN2mL
> mMM+mF6FAl1VwNVCxyssnCOK1OkjrIbsLWNExrTFPPfrit4eSgRLTBpZML/EZQws
> AnsUH7bLzvsBGJZUZP8tTksSw9N6gq3Zxr8/xGXEdcvL8NpUjPf6yVUjG3baKvnU
> OE0JlpP2MiELP4M7RZoYDCnrXM8DAGy7ogu8n350o85+QfL3/b34NRcwPvIxKXqd
> tX0aruUHc2IIy/5Mp2Dj
> =RsNl
> -----END PGP SIGNATURE-----
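The allocation scheme Wido sketches above (a /48 per pod, one /64 per Instance, random /128s inside it recorded only when handed out, and ICMPv6 passing the security group by default) as a worked example. This is an added illustration written for this page, not CloudStack code from the thread or the project; the class and function names, the `sg-out` chain name and the 2001:db8:abcd::/48 prefix are assumptions, and the in-memory set stands in for the MySQL table the proposal describes.

```python
import ipaddress
import secrets

# Constructed example prefix (RFC 3849 documentation range); stands in for the
# /48 an operator would configure for one pod. Not a CloudStack default.
POD_PREFIX = ipaddress.IPv6Network("2001:db8:abcd::/48")


class Ipv6Allocator:
    """Hands out /128s from a per-Instance /64 carved out of a pod prefix.

    Hypothetical class, not CloudStack code. The in-memory set stands in for
    the database table holding every /128 that was handed out; anything not
    in it is by definition free.
    """

    def __init__(self, pod_prefix, subnet_len=64):
        if not pod_prefix.prefixlen < subnet_len <= 128:
            raise ValueError("instance subnet must be longer than the pod prefix")
        self.pod = pod_prefix
        self.subnet_len = subnet_len
        self.instance_subnets = {}   # instance id -> IPv6Network (/64)
        self.handed_out = set()      # IPv6Address values currently leased
        self._next_index = 0         # next unused /64 inside the pod

    def capacity(self):
        """Number of Instance subnets the pod prefix holds (65536 for /48 -> /64)."""
        return 1 << (self.subnet_len - self.pod.prefixlen)

    def subnet_for(self, instance_id):
        """Return the Instance's /64, assigning the next free one on first use.

        Every address of one Instance comes from the same /64, so a remote
        policy that blocks a whole /64 after abuse hits only that Instance,
        and the per-Instance filter rules can match a single prefix.
        """
        subnet = self.instance_subnets.get(instance_id)
        if subnet is None:
            if self._next_index >= self.capacity():
                raise RuntimeError("pod prefix exhausted")
            base = int(self.pod.network_address) + (self._next_index << (128 - self.subnet_len))
            subnet = ipaddress.IPv6Network((base, self.subnet_len))
            self.instance_subnets[instance_id] = subnet
            self._next_index += 1
        return subnet

    def allocate(self, instance_id, max_tries=16):
        """Pick a random interface identifier in the Instance's /64 and record it.

        A duplicate in the table means retry with a fresh random value. The
        all-zero identifier is skipped: it is the subnet-router anycast
        address (RFC 4291) and must never be leased to a host.
        """
        subnet = self.subnet_for(instance_id)
        for _ in range(max_tries):
            iid = secrets.randbits(128 - self.subnet_len)
            if iid == 0:
                continue
            addr = ipaddress.IPv6Address(int(subnet.network_address) + iid)
            if addr in self.handed_out:
                continue
            self.handed_out.add(addr)
            return addr
        raise RuntimeError("no free address found after %d tries" % max_tries)

    def is_handed_out(self, addr):
        return ipaddress.IPv6Address(addr) in self.handed_out

    def release(self, addr):
        """Forget the lease; an address absent from the table is free."""
        self.handed_out.discard(ipaddress.IPv6Address(addr))


# ICMPv6 types that must pass for IPv6 to work at all: 1-4 are error messages
# (2 = Packet Too Big carries PMTU discovery), 128/129 are echo, 133-136 are
# Neighbor Discovery. Dropping type 2 is what silently breaks connections.
ESSENTIAL_ICMPV6_TYPES = (1, 2, 3, 4, 128, 129, 133, 134, 135, 136)


def security_group_baseline(instance_subnet, chain="sg-out"):
    """Generate the ip6tables rules an Instance's egress chain starts with.

    The chain name is an assumption for illustration; it is meant for traffic
    leaving the Instance's vNIC. Neighbor Discovery and DHCPv6 use link-local
    sources and Duplicate Address Detection uses the unspecified address, so
    those are accepted before the anti-spoofing drop, which otherwise pins the
    Instance to its own /64. The ICMPv6 accepts come before any user-defined
    rules so a tight security group cannot break PMTUD or ND.
    """
    rules = [
        "-A %s -s fe80::/10 -p icmpv6 -j ACCEPT" % chain,
        "-A %s -s fe80::/10 -p udp --dport 547 -j ACCEPT" % chain,   # DHCPv6 to the VR
        "-A %s -s ::/128 -p icmpv6 --icmpv6-type 135 -j ACCEPT" % chain,  # DAD
        "-A %s ! -s %s -j DROP" % (chain, instance_subnet),
    ]
    for t in ESSENTIAL_ICMPV6_TYPES:
        rules.append("-A %s -p icmpv6 --icmpv6-type %d -j ACCEPT" % (chain, t))
    return rules


if __name__ == "__main__":
    alloc = Ipv6Allocator(POD_PREFIX)
    for vm in ("vm-a", "vm-a", "vm-b"):   # constructed Instance ids
        print(vm, alloc.allocate(vm))
    print("\n".join(security_group_baseline(alloc.subnet_for("vm-a"))))
```

Running it shows both `vm-a` leases landing in 2001:db8:abcd::/64 and `vm-b` in 2001:db8:abcd:1::/64, followed by the baseline rule set. The random 64-bit interface identifier makes collisions negligible, but the duplicate check against the table is still what guarantees the "not stored means not handed out" invariant after a management-server restart or a failed retry.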