Posted to issues@cloudstack.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2017/01/27 00:14:25 UTC

[jira] [Commented] (CLOUDSTACK-676) Firewall / ACL support for ipv6

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15840730#comment-15840730 ] 

ASF subversion and git services commented on CLOUDSTACK-676:
------------------------------------------------------------

Commit 84e496b4f9d06915fb07e3da330ca270e1e56ec2 in cloudstack's branch refs/heads/master from [~widodh]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=84e496b ]

CLOUDSTACK-676: IPv6 Basic Security Grouping for KVM

This commit implements basic Security Grouping for KVM in
Basic Networking.

It does not implement full Security Grouping yet, but it does:
- Prevent IP-Address source spoofing
- Allow DHCPv6 clients, but disallow DHCPv6 servers
- Disallow Instances to send out Router Advertisements

The Security Grouping allows ICMPv6 packets as described by RFC4890
as they are essential for IPv6 connectivity.

Following RFC4890 it allows:
- Router Solicitations
- Router Advertisements (incoming only)
- Neighbor Advertisements
- Neighbor Solicitations
- Packet Too Big
- Time Exceeded
- Destination Unreachable
- Parameter Problem
- Echo Request

ICMPv6 is an essential part of IPv6; without it connectivity will break or be very
unreliable.

For now it allows any UDP and TCP packet to be sent in to the Instance which
effectively opens up the firewall completely.

Future commits will implement Security Grouping further which allows controlling UDP and TCP
ports for IPv6 like can be done with IPv4.

Regardless of the egress filtering (which can't be done yet) it will always allow outbound DNS
to port 53 over UDP or TCP.

Signed-off-by: Wido den Hollander <wi...@widodh.nl>


> Firewall / ACL support for ipv6
> -------------------------------
>
>                 Key: CLOUDSTACK-676
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-676
>             Project: CloudStack
>          Issue Type: Sub-task
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Chiradeep Vittal
>            Assignee: Wido den Hollander
>             Fix For: Future
>
>
> An ability to specify a firewall / ACL rule set for a subnet which has instances with ipv6 addresses. The implementation can be at the VR level, at the hypervisor level or in an external firewall



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
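
Added example (not code from the commit or from CloudStack): a small Python model of the packet policy the commit message above describes, useful as a reference when checking a real ruleset against constructed packets. The names, the stateless evaluation, and the treatment of non-DNS outbound UDP/TCP as unfiltered are assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMPv6 type numbers from RFC 4443 and RFC 4861.
DEST_UNREACH, PKT_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4
ECHO_REQUEST, RTR_SOLICIT, RTR_ADVERT, NBR_SOLICIT, NBR_ADVERT = 128, 133, 134, 135, 136
LISTED_ICMP6 = {DEST_UNREACH, PKT_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM,
                ECHO_REQUEST, RTR_SOLICIT, RTR_ADVERT, NBR_SOLICIT, NBR_ADVERT}
DHCP6_SERVER_PORT, DNS_PORT = 547, 53

@dataclass
class Packet:
    direction: str                  # "out" = sent by the Instance, "in" = delivered to it
    src: str                        # IPv6 source address
    proto: str                      # "icmpv6", "udp" or "tcp"
    icmp_type: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

def verdict(pkt, instance_addrs):
    """Return (action, reason) for one packet; stateless model (assumption)."""
    if pkt.direction == "out":
        owned = {ipaddress.ip_address(a) for a in instance_addrs}
        if ipaddress.ip_address(pkt.src) not in owned:
            return ("drop", "spoofed-source")
        if pkt.proto == "udp" and pkt.sport == DHCP6_SERVER_PORT:
            return ("drop", "dhcpv6-server")
        if pkt.proto == "icmpv6" and pkt.icmp_type == RTR_ADVERT:
            return ("drop", "router-advertisement-out")
        if pkt.proto in ("udp", "tcp") and pkt.dport == DNS_PORT:
            return ("accept", "dns-always-allowed")
    if pkt.proto == "icmpv6":
        if pkt.icmp_type in LISTED_ICMP6:
            return ("accept", "icmpv6-listed")
        return ("drop", "icmpv6-not-listed")  # types the commit does not list
    # Inbound UDP/TCP is wide open per the commit message; treating other
    # outbound UDP/TCP the same way is an assumption of this model.
    return ("accept", "udp-tcp-unfiltered")

# Constructed sample traffic for an Instance that owns two addresses.
ADDRS = ["2001:db8::10", "fe80::1c00:ff:fe00:10"]
SAMPLES = [
    Packet("out", "2001:db8::66", "tcp", sport=40000, dport=443),
    Packet("out", "fe80::1c00:ff:fe00:10", "icmpv6", icmp_type=RTR_ADVERT),
    Packet("in", "fe80::1", "icmpv6", icmp_type=RTR_ADVERT),
    Packet("out", "fe80::1c00:ff:fe00:10", "udp", sport=547, dport=546),
]
RESULTS = [verdict(p, ADDRS) for p in SAMPLES]
```

ICMPv6 types that the commit message does not list, such as Echo Reply (129), are dropped by this stateless model; a real ruleset may accept them through connection tracking.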