Posted to dev@cloudstack.apache.org by Hugo Trippaers <HT...@schubergphilis.com> on 2012/07/30 13:20:18 UTC

Disable IPv6 for systemvm

Hey guys,

The current systemvm has IPv6 enabled, including autoconfiguration. This means that if the machine is placed in an IPv6 enabled network (or somebody starts sending router advertisements), the VMs based on the system vm will autoconfigure the interface. This means a possible way to bypass the installed firewall, as the IPv6 firewall is set to accept everything, as opposed to the IPv4 firewall, which is restricted.

My proposal is to include the following in sysctl.conf (at least until we properly support IPv6):
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.autoconf = 0

If no objections I would like to commit this change.

Cheers,

Hugo

Re: Disable IPv6 for systemvm

Posted by Chip Childers <ch...@sungard.com>.
On Mon, Jul 30, 2012 at 7:20 AM, Hugo Trippaers
<HT...@schubergphilis.com> wrote:
> Hey guys,
>
> The current systemvm has IPv6 enabled, including autoconfiguration. This means that if the machine is placed in an IPv6 enabled network (or somebody starts sending router advertisements), the VMs based on the system vm will autoconfigure the interface. This means a possible way to bypass the installed firewall, as the IPv6 firewall is set to accept everything, as opposed to the IPv4 firewall, which is restricted.
>
> My proposal is to include the following in sysctl.conf (at least until we properly support IPv6):
> # Disable IPv6
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.all.forwarding = 0
> net.ipv6.conf.all.accept_ra = 0
> net.ipv6.conf.all.accept_redirects = 0
> net.ipv6.conf.all.autoconf = 0
>
> If no objections I would like to commit this change.
>
> Cheers,
>
> Hugo

+1 - This seems pretty important to fix.

Re: Disable IPv6 for systemvm

Posted by David Nalley <da...@gnsa.us>.
On Mon, Jul 30, 2012 at 11:43 AM, Hugo Trippaers
<HT...@schubergphilis.com> wrote:
> Hey,
>
> I just pushed a fix that will disable IPv6 immediately and reinstate the disable-ipv6 file. This should take care of the current situation for people with the support pack. So far my testing has revealed no adverse effects.
>
> Anybody have any idea why IPv6 support is enabled by the cloud support pack?
> What about distribution of the support pack? It is currently available from downloads.cloud.com; how do we deal with this in release 4.0?
>


CSP is a XenServer addon, not a CloudStack addon, so I'd really expect
it to be available from some XenServer download page.

--David

RE: Disable IPv6 for systemvm

Posted by Hugo Trippaers <HT...@schubergphilis.com>.
Hey,

I just pushed a fix that will disable IPv6 immediately and reinstate the disable-ipv6 file. This should take care of the current situation for people with the support pack. So far my testing has revealed no adverse effects. 

Anybody have any idea why IPv6 support is enabled by the cloud support pack?
What about distribution of the support pack? It is currently available from downloads.cloud.com; how do we deal with this in release 4.0?

Cheers,

Hugo

-----Original Message-----
From: Chip Childers [mailto:chip.childers@sungard.com] 
Sent: Monday, July 30, 2012 5:11 PM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Disable IPv6 for systemvm

Indeed - I'm testing in an advanced networking zone, so we didn't bother doing the support pack installation.  That would be the difference.

I think your scripts will work, excluding the error condition that my environment introduces.  IMO - if that pack isn't required, then we should expect to see environments like the one I'm using right now.

-chip

On Mon, Jul 30, 2012 at 11:07 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:
> Hey Chip,
>
> Think I found it.  Do you have the cloud support pack (http://download.cloud.com/releases/3.0.1/XS-6.0.2/xenserver-cloud-supp.tgz ) installed? My guess is you don't.
>
> During the firstboot of xen the file "/etc/modprobe.d/disable-ipv6" is removed by that pack. This enables IPv6, which is indeed disabled by default by XenServer.
>
> We (or actually the Cloudstack basic install guide) actively promote that this should be installed to enable security groups.
>
> Cheers,
>
> Hugo
>
> -----Original Message-----
> From: Chip Childers [mailto:chip.childers@sungard.com]
> Sent: Monday, July 30, 2012 4:57 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: Disable IPv6 for systemvm
>
> Looks like we are using the same version, but different configuration?:
>
> # uname -a
> Linux xshost2 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17
> 15:14:24 EST 2012 i686 i686 i386 GNU/Linux
>
> # cat /etc/redhat-release
> XenServer release 6.0.2-53456p (xenenterprise)
>
> # ls /proc/sys/net/ipv6/conf/all/autoconf
> ls: /proc/sys/net/ipv6/conf/all/autoconf: No such file or directory
>
> I can't get a simple ipv6 table list, because the protocol
> # ip6tables -L
> ip6tables v1.3.5: can't initialize ip6tables table `filter': Address family not supported by protocol
> Perhaps ip6tables or your kernel needs to be upgraded.
>
> The ip6tables commands will fail with the above error if it's not enabled.  Other than that, I think the script would work (if v6 is enabled on the host).
>
> On Mon, Jul 30, 2012 at 10:44 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:
>> Hey Chip,
>>
>> Interesting, which version are you using?
>>
>> My box:
>> Linux XXXXXX 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17
>> 15:14:24 EST 2012 i686 i686 i386 GNU/Linux
>> [root@XXXXX ~]# cat /etc/redhat-release
>> XenServer release 6.0.2-53456p (xenenterprise)
>> [root@XXXXX ~]# ls /proc/sys/net/ipv6/conf/all/autoconf
>> /proc/sys/net/ipv6/conf/all/autoconf
>> [root@XXXXX ~]# cat /proc/sys/net/ipv6/conf/all/autoconf
>> 1
>>
>> Btw I plan to add this to setupxenserver.sh:
>> # setup ip6tables
>> if [ -x "/sbin/ip6tables" ] ; then
>>     /sbin/ip6tables -P INPUT DROP
>>     /sbin/ip6tables -P OUTPUT DROP
>>     /sbin/ip6tables -P FORWARD DROP
>>     if [ -x "/etc/init.d/ip6tables" ] ; then
>>         /etc/init.d/ip6tables save
>>     fi
>> fi
>>
>> # disable IPv6
>> if [ -d "/proc/sys/net/ipv6/conf/all" ] ; then
>>     /sbin/sysctl -w net.ipv6.conf.all.forwarding=0
>>     /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0
>>     /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
>>     /sbin/sysctl -w net.ipv6.conf.all.autoconf=0
>>     /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
>> fi
>>
>> Cheers,
>>
>> Hugo
>>
>> -----Original Message-----
>> From: Chip Childers [mailto:chip.childers@sungard.com]
>> Sent: Monday, July 30, 2012 4:06 PM
>> To: <cl...@incubator.apache.org>
>> Subject: Re: Disable IPv6 for systemvm
>>
>> The latest Xen Server install seems to have IPv6 disabled (just checked in my lab). Is it enabled in XCP?
>>
>> (I may be showing my Xen ignorance here)
>>
>> - chip
>>
>> On Jul 30, 2012, at 9:24 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:
>>
>>> Hey Chip,
>>>
>>> Yeah, I want help :-)
>>>
>>> I just committed the sysctl.conf changes for the systemvm. This morning I applied them to my test environment and they do the job.
>>>
>>> We could add the actual sysctl command to the vmops next to adding the IPv6 ip6tables statements I think.
>>>
>>> Cheers,
>>>
>>> Hugo
>>>
>>>
>>> -----Original Message-----
>>> From: Chip Childers [mailto:chip.childers@sungard.com]
>>> Sent: Monday, July 30, 2012 3:13 PM
>>> To: cloudstack-dev@incubator.apache.org
>>> Subject: Re: Disable IPv6 for systemvm
>>>
>>> On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:
>>>> By the way, we might want to add the same configuration to vmops for XenServer.
>>>>
>>>> Currently it is possible to have a tenant VM send a router advertisement on the isolated LAN that is picked up by XenServer. Even though XenServer only has a bridge interface in the tenant LAN, that interface will be autoconfigured. A simple ping to the local all-nodes address (ff02::1) will tell you the MAC address of the XenServer interface. As XenServer has ssh active on all interfaces, you can directly connect to the ssh daemon on the XenServer. We only push an IPv4 firewall to the XenServer, so the IPv6 firewall is default (ACCEPT everything).
>>>>
>>>> Still, you only gain access to the ssh port, but that is something that should not be possible from a tenant LAN.
>>>>
>>>> Cheers,
>>>>
>>>> Hugo
>>>
>>> As a provider, this one is even more concerning.  Unless someone has an objection, I'd agree with your solution.  We can remove a DENY rule in the future, after IPv6 support is added properly / completely.
>>>
>>> If you want help working up the fix for this, please let me know!
>>>
>>> -chip
>>>
>>
>

Re: Disable IPv6 for systemvm

Posted by Chip Childers <ch...@sungard.com>.
Indeed - I'm testing in an advanced networking zone, so we didn't
bother doing the support pack installation.  That would be the
difference.

I think your scripts will work, excluding the error condition that my
environment introduces.  IMO - if that pack isn't required, then we
should expect to see environments like the one I'm using right now.

-chip

On Mon, Jul 30, 2012 at 11:07 AM, Hugo Trippaers
<HT...@schubergphilis.com> wrote:
> Hey Chip,
>
> Think I found it.  Do you have the cloud support pack (http://download.cloud.com/releases/3.0.1/XS-6.0.2/xenserver-cloud-supp.tgz ) installed? My guess is you don't.
>
> During the firstboot of xen the file "/etc/modprobe.d/disable-ipv6" is removed by that pack. This enables IPv6, which is indeed disabled by default by XenServer.
>
> We (or actually the Cloudstack basic install guide) actively promote that this should be installed to enable security groups.
>
> Cheers,
>
> Hugo
>
> -----Original Message-----
> From: Chip Childers [mailto:chip.childers@sungard.com]
> Sent: Monday, July 30, 2012 4:57 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: Disable IPv6 for systemvm
>
> Looks like we are using the same version, but different configuration?:
>
> # uname -a
> Linux xshost2 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17
> 15:14:24 EST 2012 i686 i686 i386 GNU/Linux
>
> # cat /etc/redhat-release
> XenServer release 6.0.2-53456p (xenenterprise)
>
> # ls /proc/sys/net/ipv6/conf/all/autoconf
> ls: /proc/sys/net/ipv6/conf/all/autoconf: No such file or directory
>
> I can't get a simple ipv6 table list, because the protocol
> # ip6tables -L
> ip6tables v1.3.5: can't initialize ip6tables table `filter': Address family not supported by protocol
> Perhaps ip6tables or your kernel needs to be upgraded.
>
> The ip6tables commands will fail with the above error if it's not enabled.  Other than that, I think the script would work (if v6 is enabled on the host).
>
> On Mon, Jul 30, 2012 at 10:44 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:
>> Hey Chip,
>>
>> Interesting, which version are you using?
>>
>> My box:
>> Linux XXXXXX 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17
>> 15:14:24 EST 2012 i686 i686 i386 GNU/Linux
>> [root@XXXXX ~]# cat /etc/redhat-release
>> XenServer release 6.0.2-53456p (xenenterprise)
>> [root@XXXXX ~]# ls /proc/sys/net/ipv6/conf/all/autoconf
>> /proc/sys/net/ipv6/conf/all/autoconf
>> [root@XXXXX ~]# cat /proc/sys/net/ipv6/conf/all/autoconf
>> 1
>>
>> Btw I plan to add this to setupxenserver.sh:
>> # setup ip6tables
>> if [ -x "/sbin/ip6tables" ] ; then
>>     /sbin/ip6tables -P INPUT DROP
>>     /sbin/ip6tables -P OUTPUT DROP
>>     /sbin/ip6tables -P FORWARD DROP
>>     if [ -x "/etc/init.d/ip6tables" ] ; then
>>         /etc/init.d/ip6tables save
>>     fi
>> fi
>>
>> # disable IPv6
>> if [ -d "/proc/sys/net/ipv6/conf/all" ] ; then
>>     /sbin/sysctl -w net.ipv6.conf.all.forwarding=0
>>     /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0
>>     /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
>>     /sbin/sysctl -w net.ipv6.conf.all.autoconf=0
>>     /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
>> fi
>>
>> Cheers,
>>
>> Hugo
>>
>> -----Original Message-----
>> From: Chip Childers [mailto:chip.childers@sungard.com]
>> Sent: Monday, July 30, 2012 4:06 PM
>> To: <cl...@incubator.apache.org>
>> Subject: Re: Disable IPv6 for systemvm
>>
>> The latest Xen Server install seems to have IPv6 disabled (just checked in my lab). Is it enabled in XCP?
>>
>> (I may be showing my Xen ignorance here)
>>
>> - chip
>>
>> On Jul 30, 2012, at 9:24 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:
>>
>>> Hey Chip,
>>>
>>> Yeah, I want help :-)
>>>
>>> I just committed the sysctl.conf changes for the systemvm. This morning I applied them to my test environment and they do the job.
>>>
>>> We could add the actual sysctl command to the vmops next to adding the IPv6 ip6tables statements I think.
>>>
>>> Cheers,
>>>
>>> Hugo
>>>
>>>
>>> -----Original Message-----
>>> From: Chip Childers [mailto:chip.childers@sungard.com]
>>> Sent: Monday, July 30, 2012 3:13 PM
>>> To: cloudstack-dev@incubator.apache.org
>>> Subject: Re: Disable IPv6 for systemvm
>>>
>>> On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:
>>>> By the way, we might want to add the same configuration to vmops for XenServer.
>>>>
>>>> Currently it is possible to have a tenant VM send a router advertisement on the isolated LAN that is picked up by XenServer. Even though XenServer only has a bridge interface in the tenant LAN, that interface will be autoconfigured. A simple ping to the local all-nodes address (ff02::1) will tell you the MAC address of the XenServer interface. As XenServer has ssh active on all interfaces, you can directly connect to the ssh daemon on the XenServer. We only push an IPv4 firewall to the XenServer, so the IPv6 firewall is default (ACCEPT everything).
>>>>
>>>> Still, you only gain access to the ssh port, but that is something that should not be possible from a tenant LAN.
>>>>
>>>> Cheers,
>>>>
>>>> Hugo
>>>
>>> As a provider, this one is even more concerning.  Unless someone has an objection, I'd agree with your solution.  We can remove a DENY rule in the future, after IPv6 support is added properly / completely.
>>>
>>> If you want help working up the fix for this, please let me know!
>>>
>>> -chip
>>>
>>
>

RE: Disable IPv6 for systemvm

Posted by Hugo Trippaers <HT...@schubergphilis.com>.
Hey Chip,

Think I found it.  Do you have the cloud support pack (http://download.cloud.com/releases/3.0.1/XS-6.0.2/xenserver-cloud-supp.tgz ) installed? My guess is you don't.

During the firstboot of xen the file "/etc/modprobe.d/disable-ipv6" is removed by that pack. This enables IPv6, which is indeed disabled by default by XenServer.

We (or actually the Cloudstack basic install guide) actively promote that this should be installed to enable security groups.

Cheers,

Hugo

-----Original Message-----
From: Chip Childers [mailto:chip.childers@sungard.com] 
Sent: Monday, July 30, 2012 4:57 PM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Disable IPv6 for systemvm

Looks like we are using the same version, but different configuration?:

# uname -a
Linux xshost2 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17
15:14:24 EST 2012 i686 i686 i386 GNU/Linux

# cat /etc/redhat-release
XenServer release 6.0.2-53456p (xenenterprise)

# ls /proc/sys/net/ipv6/conf/all/autoconf
ls: /proc/sys/net/ipv6/conf/all/autoconf: No such file or directory

I can't get a simple ipv6 table list, because the protocol
# ip6tables -L
ip6tables v1.3.5: can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.

The ip6tables commands will fail with the above error if it's not enabled.  Other than that, I think the script would work (if v6 is enabled on the host).

On Mon, Jul 30, 2012 at 10:44 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:
> Hey Chip,
>
> Interesting, which version are you using?
>
> My box:
> Linux XXXXXX 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17 
> 15:14:24 EST 2012 i686 i686 i386 GNU/Linux
> [root@XXXXX ~]# cat /etc/redhat-release
> XenServer release 6.0.2-53456p (xenenterprise)
> [root@XXXXX ~]# ls /proc/sys/net/ipv6/conf/all/autoconf
> /proc/sys/net/ipv6/conf/all/autoconf
> [root@XXXXX ~]# cat /proc/sys/net/ipv6/conf/all/autoconf
> 1
>
> Btw I plan to add this to setupxenserver.sh:
> # setup ip6tables
> if [ -x "/sbin/ip6tables" ] ; then
>     /sbin/ip6tables -P INPUT DROP
>     /sbin/ip6tables -P OUTPUT DROP
>     /sbin/ip6tables -P FORWARD DROP
>     if [ -x "/etc/init.d/ip6tables" ] ; then
>         /etc/init.d/ip6tables save
>     fi
> fi
>
> # disable IPv6
> if [ -d "/proc/sys/net/ipv6/conf/all" ] ; then
>     /sbin/sysctl -w net.ipv6.conf.all.forwarding=0
>     /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0
>     /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
>     /sbin/sysctl -w net.ipv6.conf.all.autoconf=0
>     /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
> fi
>
> Cheers,
>
> Hugo
>
> -----Original Message-----
> From: Chip Childers [mailto:chip.childers@sungard.com]
> Sent: Monday, July 30, 2012 4:06 PM
> To: <cl...@incubator.apache.org>
> Subject: Re: Disable IPv6 for systemvm
>
> The latest Xen Server install seems to have IPv6 disabled (just checked in my lab). Is it enabled in XCP?
>
> (I may be showing my Xen ignorance here)
>
> - chip
>
> On Jul 30, 2012, at 9:24 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:
>
>> Hey Chip,
>>
>> Yeah, I want help :-)
>>
>> I just committed the sysctl.conf changes for the systemvm. This morning I applied them to my test environment and they do the job.
>>
>> We could add the actual sysctl command to the vmops next to adding the IPv6 ip6tables statements I think.
>>
>> Cheers,
>>
>> Hugo
>>
>>
>> -----Original Message-----
>> From: Chip Childers [mailto:chip.childers@sungard.com]
>> Sent: Monday, July 30, 2012 3:13 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Re: Disable IPv6 for systemvm
>>
>> On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:
>>> By the way, we might want to add the same configuration to vmops for XenServer.
>>>
>>> Currently it is possible to have a tenant VM send a router advertisement on the isolated LAN that is picked up by XenServer. Even though XenServer only has a bridge interface in the tenant LAN, that interface will be autoconfigured. A simple ping to the local all-nodes address (ff02::1) will tell you the MAC address of the XenServer interface. As XenServer has ssh active on all interfaces, you can directly connect to the ssh daemon on the XenServer. We only push an IPv4 firewall to the XenServer, so the IPv6 firewall is default (ACCEPT everything).
>>>
>>> Still, you only gain access to the ssh port, but that is something that should not be possible from a tenant LAN.
>>>
>>> Cheers,
>>>
>>> Hugo
>>
>> As a provider, this one is even more concerning.  Unless someone has an objection, I'd agree with your solution.  We can remove a DENY rule in the future, after IPv6 support is added properly / completely.
>>
>> If you want help working up the fix for this, please let me know!
>>
>> -chip
>>
>

Re: Disable IPv6 for systemvm

Posted by Chip Childers <ch...@sungard.com>.
Looks like we are using the same version, but different configuration?:

# uname -a
Linux xshost2 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17
15:14:24 EST 2012 i686 i686 i386 GNU/Linux

# cat /etc/redhat-release
XenServer release 6.0.2-53456p (xenenterprise)

# ls /proc/sys/net/ipv6/conf/all/autoconf
ls: /proc/sys/net/ipv6/conf/all/autoconf: No such file or directory

I can't get a simple ipv6 table list, because the protocol
# ip6tables -L
ip6tables v1.3.5: can't initialize ip6tables table `filter': Address
family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.

The ip6tables commands will fail with the above error if it's not
enabled.  Other than that, I think the script would work (if v6 is
enabled on the host).

On Mon, Jul 30, 2012 at 10:44 AM, Hugo Trippaers
<HT...@schubergphilis.com> wrote:
> Hey Chip,
>
> Interesting, which version are you using?
>
> My box:
> Linux XXXXXX 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17 15:14:24 EST 2012 i686 i686 i386 GNU/Linux
> [root@XXXXX ~]# cat /etc/redhat-release
> XenServer release 6.0.2-53456p (xenenterprise)
> [root@XXXXX ~]# ls /proc/sys/net/ipv6/conf/all/autoconf
> /proc/sys/net/ipv6/conf/all/autoconf
> [root@XXXXX ~]# cat /proc/sys/net/ipv6/conf/all/autoconf
> 1
>
> Btw I plan to add this to setupxenserver.sh:
> # setup ip6tables
> if [ -x "/sbin/ip6tables" ] ; then
>     /sbin/ip6tables -P INPUT DROP
>     /sbin/ip6tables -P OUTPUT DROP
>     /sbin/ip6tables -P FORWARD DROP
>     if [ -x "/etc/init.d/ip6tables" ] ; then
>         /etc/init.d/ip6tables save
>     fi
> fi
>
> # disable IPv6
> if [ -d "/proc/sys/net/ipv6/conf/all" ] ; then
>     /sbin/sysctl -w net.ipv6.conf.all.forwarding=0
>     /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0
>     /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
>     /sbin/sysctl -w net.ipv6.conf.all.autoconf=0
>     /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
> fi
>
> Cheers,
>
> Hugo
>
> -----Original Message-----
> From: Chip Childers [mailto:chip.childers@sungard.com]
> Sent: Monday, July 30, 2012 4:06 PM
> To: <cl...@incubator.apache.org>
> Subject: Re: Disable IPv6 for systemvm
>
> The latest Xen Server install seems to have IPv6 disabled (just checked in my lab). Is it enabled in XCP?
>
> (I may be showing my Xen ignorance here)
>
> - chip
>
> On Jul 30, 2012, at 9:24 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:
>
>> Hey Chip,
>>
>> Yeah, I want help :-)
>>
>> I just committed the sysctl.conf changes for the systemvm. This morning I applied them to my test environment and they do the job.
>>
>> We could add the actual sysctl command to the vmops next to adding the IPv6 ip6tables statements I think.
>>
>> Cheers,
>>
>> Hugo
>>
>>
>> -----Original Message-----
>> From: Chip Childers [mailto:chip.childers@sungard.com]
>> Sent: Monday, July 30, 2012 3:13 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Re: Disable IPv6 for systemvm
>>
>> On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:
>>> By the way, we might want to add the same configuration to vmops for XenServer.
>>>
>>> Currently it is possible to have a tenant VM send a router advertisement on the isolated LAN that is picked up by XenServer. Even though XenServer only has a bridge interface in the tenant LAN, that interface will be autoconfigured. A simple ping to the local all-nodes address (ff02::1) will tell you the MAC address of the XenServer interface. As XenServer has ssh active on all interfaces, you can directly connect to the ssh daemon on the XenServer. We only push an IPv4 firewall to the XenServer, so the IPv6 firewall is default (ACCEPT everything).
>>>
>>> Still, you only gain access to the ssh port, but that is something that should not be possible from a tenant LAN.
>>>
>>> Cheers,
>>>
>>> Hugo
>>
>> As a provider, this one is even more concerning.  Unless someone has an objection, I'd agree with your solution.  We can remove a DENY rule in the future, after IPv6 support is added properly / completely.
>>
>> If you want help working up the fix for this, please let me know!
>>
>> -chip
>>
>

Re: Disable IPv6 for systemvm

Posted by John Kinsella <jl...@stratosec.co>.
Might want to tweak the "setup ip6tables" logic to check first to see if any rules were in place?

On Jul 30, 2012, at 7:44 AM, Hugo Trippaers wrote:

Hey Chip,

Interesting, which version are you using?

My box:
Linux XXXXXX 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17 15:14:24 EST 2012 i686 i686 i386 GNU/Linux
[root@XXXXX ~]# cat /etc/redhat-release
XenServer release 6.0.2-53456p (xenenterprise)
[root@XXXXX ~]# ls /proc/sys/net/ipv6/conf/all/autoconf
/proc/sys/net/ipv6/conf/all/autoconf
[root@XXXXX ~]# cat /proc/sys/net/ipv6/conf/all/autoconf
1

Btw I plan to add this to setupxenserver.sh:
# setup ip6tables
if [ -x "/sbin/ip6tables" ] ; then
   /sbin/ip6tables -P INPUT DROP
   /sbin/ip6tables -P OUTPUT DROP
   /sbin/ip6tables -P FORWARD DROP
   if [ -x "/etc/init.d/ip6tables" ] ; then
       /etc/init.d/ip6tables save
   fi
fi

# disable IPv6
if [ -d "/proc/sys/net/ipv6/conf/all" ] ; then
   /sbin/sysctl -w net.ipv6.conf.all.forwarding=0
   /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0
   /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
   /sbin/sysctl -w net.ipv6.conf.all.autoconf=0
   /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
fi

Cheers,

Hugo

-----Original Message-----
From: Chip Childers [mailto:chip.childers@sungard.com]
Sent: Monday, July 30, 2012 4:06 PM
To: <cl...@incubator.apache.org>
Subject: Re: Disable IPv6 for systemvm

The latest Xen Server install seems to have IPv6 disabled (just checked in my lab). Is it enabled in XCP?

(I may be showing my Xen ignorance here)

- chip

On Jul 30, 2012, at 9:24 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:

Hey Chip,

Yeah, I want help :-)

I just committed the sysctl.conf changes for the systemvm. This morning I applied them to my test environment and they do the job.

We could add the actual sysctl command to the vmops next to adding the IPv6 ip6tables statements I think.

Cheers,

Hugo


-----Original Message-----
From: Chip Childers [mailto:chip.childers@sungard.com]
Sent: Monday, July 30, 2012 3:13 PM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Disable IPv6 for systemvm

On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:
By the way, we might want to add the same configuration to vmops for XenServer.

Currently it is possible to have a tenant VM send a router advertisement on the isolated LAN that is picked up by XenServer. Even though XenServer only has a bridge interface in the tenant LAN, that interface will be autoconfigured. A simple ping to the local all-nodes address (ff02::1) will tell you the MAC address of the XenServer interface. As XenServer has ssh active on all interfaces, you can directly connect to the ssh daemon on the XenServer. We only push an IPv4 firewall to the XenServer, so the IPv6 firewall is default (ACCEPT everything).

Still, you only gain access to the ssh port, but that is something that should not be possible from a tenant LAN.

Cheers,

Hugo

As a provider, this one is even more concerning.  Unless someone has an objection, I'd agree with your solution.  We can remove a DENY rule in the future, after IPv6 support is added properly / completely.

If you want help working up the fix for this, please let me know!

-chip



Stratosec<http://stratosec.co> - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>


RE: Disable IPv6 for systemvm

Posted by Hugo Trippaers <HT...@schubergphilis.com>.
Hey Chip,

Interesting, which version are you using?

My box:
Linux XXXXXX 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17 15:14:24 EST 2012 i686 i686 i386 GNU/Linux
[root@XXXXX ~]# cat /etc/redhat-release 
XenServer release 6.0.2-53456p (xenenterprise)
[root@XXXXX ~]# ls /proc/sys/net/ipv6/conf/all/autoconf 
/proc/sys/net/ipv6/conf/all/autoconf
[root@XXXXX ~]# cat /proc/sys/net/ipv6/conf/all/autoconf
1

Btw I plan to add this to setupxenserver.sh:
# setup ip6tables
if [ -x "/sbin/ip6tables" ] ; then
    /sbin/ip6tables -P INPUT DROP
    /sbin/ip6tables -P OUTPUT DROP
    /sbin/ip6tables -P FORWARD DROP
    if [ -x "/etc/init.d/ip6tables" ] ; then
        /etc/init.d/ip6tables save
    fi
fi

# disable IPv6
if [ -d "/proc/sys/net/ipv6/conf/all" ] ; then
    /sbin/sysctl -w net.ipv6.conf.all.forwarding=0
    /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0
    /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
    /sbin/sysctl -w net.ipv6.conf.all.autoconf=0
    /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
fi

Cheers,

Hugo

-----Original Message-----
From: Chip Childers [mailto:chip.childers@sungard.com] 
Sent: Monday, July 30, 2012 4:06 PM
To: <cl...@incubator.apache.org>
Subject: Re: Disable IPv6 for systemvm

The latest Xen Server install seems to have IPv6 disabled (just checked in my lab). Is it enabled in XCP?

(I may be showing my Xen ignorance here)

- chip

On Jul 30, 2012, at 9:24 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:

> Hey Chip,
>
> Yeah, I want help :-)
>
> I just committed the sysctl.conf changes for the systemvm. This morning I applied them to my test environment and they do the job.
>
> We could add the actual sysctl command to the vmops next to adding the IPv6 ip6tables statements I think.
>
> Cheers,
>
> Hugo
>
>
> -----Original Message-----
> From: Chip Childers [mailto:chip.childers@sungard.com]
> Sent: Monday, July 30, 2012 3:13 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: Disable IPv6 for systemvm
>
> On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:
>> By the way, we might want to add the same configuration to vmops for XenServer.
>>
>> Currently it is possible to have a tenant VM send a router advertisement on the isolated LAN that is picked up by XenServer. Even though XenServer only has a bridge interface in the tenant LAN, that interface will be autoconfigured. A simple ping to the local all-nodes address (ff02::1) will tell you the MAC address of the XenServer interface. As XenServer has ssh active on all interfaces, you can directly connect to the ssh daemon on the XenServer. We only push an IPv4 firewall to the XenServer, so the IPv6 firewall is default (ACCEPT everything).
>>
>> Still, you only gain access to the ssh port, but that is something that should not be possible from a tenant LAN.
>>
>> Cheers,
>>
>> Hugo
>
> As a provider, this one is even more concerning.  Unless someone has an objection, I'd agree with your solution.  We can remove a DENY rule in the future, after IPv6 support is added properly / completely.
>
> If you want help working up the fix for this, please let me know!
>
> -chip
>

Re: Disable IPv6 for systemvm

Posted by Chip Childers <ch...@sungard.com>.
The latest Xen Server install seems to have IPv6 disabled (just
checked in my lab). Is it enabled in XCP?

(I may be showing my Xen ignorance here)

- chip

On Jul 30, 2012, at 9:24 AM, Hugo Trippaers
<HT...@schubergphilis.com> wrote:

> Hey Chip,
>
> Yeah, I want help :-)
>
> I just committed the sysctl.conf changes for the systemvm. This morning I applied them to my test environment and they do the job.
>
> We could add the actual sysctl command to the vmops next to adding the IPv6 ip6tables statements I think.
>
> Cheers,
>
> Hugo
>
>
> -----Original Message-----
> From: Chip Childers [mailto:chip.childers@sungard.com]
> Sent: Monday, July 30, 2012 3:13 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: Disable IPv6 for systemvm
>
> On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:
>> By the way, we might want to add the same configuration to vmops for XenServer.
>>
>> Currently it is possible to have a tenant VM send a router advertisement on the isolated LAN that is picked up by XenServer. Even though XenServer only has a bridge interface in the tenant LAN, that interface will be autoconfigured. A simple ping to the local all-nodes address (ff02::1) will tell you the MAC address of the XenServer interface. As XenServer has ssh active on all interfaces, you can directly connect to the ssh daemon on the XenServer. We only push an IPv4 firewall to the XenServer, so the IPv6 firewall is default (ACCEPT everything).
>>
>> Still, you only gain access to the ssh port, but that is something that should not be possible from a tenant LAN.
>>
>> Cheers,
>>
>> Hugo
>
> As a provider, this one is even more concerning.  Unless someone has an objection, I'd agree with your solution.  We can remove a DENY rule in the future, after IPv6 support is added properly / completely.
>
> If you want help working up the fix for this, please let me know!
>
> -chip
>

RE: Disable IPv6 for systemvm

Posted by Hugo Trippaers <HT...@schubergphilis.com>.
Hey Chip,

Yeah, I want help :-)

I just committed the sysctl.conf changes for the systemvm. This morning I applied them to my test environment and they do the job.

We could add the actual sysctl command to the vmops next to adding the IPv6 ip6tables statements I think.

Cheers,

Hugo


-----Original Message-----
From: Chip Childers [mailto:chip.childers@sungard.com] 
Sent: Monday, July 30, 2012 3:13 PM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Disable IPv6 for systemvm

On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers <HT...@schubergphilis.com> wrote:
> By the way, we might want to add the same configuration to vmops for XenServer.
>
> Currently it is possible to have a tenant VM send a router advertisement on the isolated LAN that is picked up by XenServer. Even though XenServer only has a bridge interface in the tenant LAN, that interface will be autoconfigured. A simple ping to the local all-nodes address (ff02::1) will tell you the MAC of the XenServer interface. As XenServer has ssh active on all interfaces you can directly connect to the ssh daemon on the XenServer. We only push an IPv4 firewall to the XenServer so the IPv6 firewall is default (ACCEPT everything).
>
> Still, you only gain access to the ssh port, but that is something that should not be possible from a tenant LAN.
>
> Cheers,
>
> Hugo

As a provider, this one is even more concerning.  Unless someone has an objection, I'd agree with your solution.  We can remove a DENY rule in the future, after IPv6 support is added properly / completely.

If you want help working up the fix for this, please let me know!

-chip

Re: Disable IPv6 for systemvm

Posted by Chip Childers <ch...@sungard.com>.
On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers
<HT...@schubergphilis.com> wrote:
> By the way, we might want to add the same configuration to vmops for XenServer.
>
> Currently it is possible to have a tenant VM send a router advertisement on the isolated LAN that is picked up by XenServer. Even though XenServer only has a bridge interface in the tenant LAN, that interface will be autoconfigured. A simple ping to the local all-nodes address (ff02::1) will tell you the MAC of the XenServer interface. As XenServer has ssh active on all interfaces you can directly connect to the ssh daemon on the XenServer. We only push an IPv4 firewall to the XenServer so the IPv6 firewall is default (ACCEPT everything).
>
> Still, you only gain access to the ssh port, but that is something that should not be possible from a tenant LAN.
>
> Cheers,
>
> Hugo

As a provider, this one is even more concerning.  Unless someone has
an objection, I'd agree with your solution.  We can remove a DENY rule
in the future, after IPv6 support is added properly / completely.

If you want help working up the fix for this, please let me know!

-chip

RE: Disable IPv6 for systemvm

Posted by Hugo Trippaers <HT...@schubergphilis.com>.
By the way, we might want to add the same configuration to vmops for XenServer.

Currently it is possible to have a tenant VM send a router advertisement on the isolated LAN that is picked up by XenServer. Even though XenServer only has a bridge interface in the tenant LAN, that interface will be autoconfigured. A simple ping to the local all-nodes address (ff02::1) will tell you the MAC of the XenServer interface. As XenServer has ssh active on all interfaces you can directly connect to the ssh daemon on the XenServer. We only push an IPv4 firewall to the XenServer so the IPv6 firewall is default (ACCEPT everything).

Still, you only gain access to the ssh port, but that is something that should not be possible from a tenant LAN.

Cheers,

Hugo

-----Original Message-----
From: Hugo Trippaers [mailto:HTrippaers@schubergphilis.com] 
Sent: Monday, July 30, 2012 1:20 PM
To: cloudstack-dev@incubator.apache.org
Subject: Disable IPv6 for systemvm

Hey guys,

The current systemvm has IPv6 enabled including autoconfiguration. This means that if the machine is placed in an IPv6 enabled network (or somebody starts sending router advertisements) the VMs based on the system vm will autoconfigure the interface. This means a possible way to bypass the installed firewall as the IPv6 firewall is set to accept everything, as opposed to the IPv4 firewall, which is restricted.

My proposal is to include the following in sysctl.conf (at least until we properly support IPv6):
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.autoconf = 0

If no objections I would like to commit this change.

Cheers,

Hugo
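
The check a practitioner would want after applying Hugo's sysctl snippet to a system VM or a XenServer dom0, as an added example (this is not code from the thread or from CloudStack; all function names are this example's own). It renders a hardened sysctl.conf and audits the live per-interface kernel values. One caveat it encodes: of the five keys, only net.ipv6.conf.all.disable_ipv6 and net.ipv6.conf.all.forwarding are propagated by the kernel to interfaces that already exist; net.ipv6.conf.all.accept_ra, accept_redirects and autoconf are templates that nothing consults, so the rendered file also sets the default.* keys (inherited by vifs and bridges created later, which is the XenServer case) and, optionally, per-interface keys. The proc tree path and the if_inet6 text are parameters so the audit can be run against a constructed tree; run stand-alone it assumes a Linux host with /proc mounted.

```python
"""Audit the IPv6 sysctl state Hugo's snippet is meant to produce.

Added example, not code from the thread or from CloudStack.  The kernel
keys are the five from the proposal; proc_root and the if_inet6 text are
parameters so the checks can run against a constructed tree in a test.
"""
from __future__ import annotations

import ipaddress
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Per-interface keys from the proposal and the value each must show.
WANTED: Dict[str, str] = {
    "disable_ipv6": "1",
    "forwarding": "0",
    "accept_ra": "0",
    "accept_redirects": "0",
    "autoconf": "0",
}


def render_sysctl_conf(ifaces: Tuple[str, ...] = ()) -> str:
    """sysctl.conf text for "all", "default" and any named interfaces.

    Writing net.ipv6.conf.all.<key> is propagated by the kernel to existing
    interfaces only for disable_ipv6 and forwarding; all.accept_ra,
    all.accept_redirects and all.autoconf are templates nothing consults.
    Hence "default" (inherited by interfaces created later, e.g. new vifs
    and bridges) and, for interfaces already up, per-interface keys.
    """
    lines = ["# Disable IPv6 until it is supported properly"]
    for scope in ("all", "default") + tuple(ifaces):
        for key, value in WANTED.items():
            lines.append(f"net.ipv6.conf.{scope}.{key} = {value}")
    return "\n".join(lines) + "\n"


def audit_sysctl(proc_root: Path = Path("/proc/sys")) -> List[str]:
    """One finding per interface/key whose live value differs from WANTED."""
    conf = proc_root / "net" / "ipv6" / "conf"
    if not conf.is_dir():
        return ["ipv6: no conf dir (IPv6 not compiled in or module not loaded)"]
    findings: List[str] = []
    for iface_dir in sorted(conf.iterdir()):
        if iface_dir.name == "all":
            continue  # template; real interfaces and "default" are what count
        for key, wanted in WANTED.items():
            path = iface_dir / key
            if not path.is_file():
                continue  # older kernels lack some keys
            actual = path.read_text().strip()
            if actual != wanted:
                findings.append(f"{iface_dir.name}: {key}={actual} (want {wanted})")
    return findings


def autoconfigured_addrs(if_inet6: str) -> List[Tuple[str, str]]:
    """(iface, addr) for every address in /proc/net/if_inet6 that is neither
    link-local nor loopback, i.e. anything an RA/SLAAC could have assigned.

    Columns: addr(32 hex) ifindex prefixlen scope flags name; scope 0x20 is
    link-local, 0x10 loopback, 0x00 global.
    """
    found: List[Tuple[str, str]] = []
    for line in if_inet6.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        hexaddr, _idx, _plen, scope, _flags, iface = parts
        if int(scope, 16) & 0x30:
            continue
        found.append((iface, str(ipaddress.IPv6Address(int(hexaddr, 16)))))
    return found


def main() -> int:
    findings = audit_sysctl()
    try:
        addrs = autoconfigured_addrs(Path("/proc/net/if_inet6").read_text())
    except OSError:
        addrs = []  # IPv6 disabled entirely: nothing to list
    for f in findings:
        print("sysctl:", f)
    for iface, addr in addrs:
        print(f"addr: {iface} carries non-link-local {addr}")
    return 1 if findings or addrs else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it on the host after `sysctl -p`; a non-zero exit means either a key is still at its old value on some interface or an interface already carries a non-link-local address, which is what a rogue RA on the tenant LAN would have produced.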

Re: Disable IPv6 for systemvm

Posted by Chiradeep Vittal <Ch...@citrix.com>.
It may not be obvious but the default ebtables rule (when CSP is
installed) is to drop IPv6:
        util.pread2(['ebtables', '-A', 'DEFAULT_EBTABLES', '-p', 'IPv6', '-j', 'DROP'])

However, your change is a good idea as well.



On 7/30/12 4:20 AM, "Hugo Trippaers" <HT...@schubergphilis.com> wrote:

>Hey guys,
>
>The current systemvm has IPv6 enabled including autoconfiguration. This
>means that if the machine is placed in an IPv6 enabled network (or
>somebody starts sending router advertisements) the VMs based on the
>system vm will autoconfigure the interface. This means a possible way to
>bypass the installed firewall as the IPv6 firewall is set to accept
>everything, as opposed to the IPv4 firewall, which is restricted.
>
>My proposal is to include the following in sysctl.conf (at least until we
>properly support IPv6):
># Disable IPv6
>net.ipv6.conf.all.disable_ipv6 = 1
>net.ipv6.conf.all.forwarding = 0
>net.ipv6.conf.all.accept_ra = 0
>net.ipv6.conf.all.accept_redirects = 0
>net.ipv6.conf.all.autoconf = 0
>
>If no objections I would like to commit this change.
>
>Cheers,
>
>Hugo
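
Hugo's observation that the IPv6 firewall is default ACCEPT and Chiradeep's that the CSP ebtables rule drops IPv6 on the bridge describe two filtering layers a host may or may not have. The check below is an added example, not code from the thread or from CloudStack: it parses the output of "ip6tables -S" and "ebtables -L" and reports each layer that still lets IPv6 through. The chain name DEFAULT_EBTABLES is taken from Chiradeep's snippet; the function names are this example's own, the sample dumps in its test are constructed, and the assumed "ebtables -L" line format ("Bridge chain: NAME, entries: N, policy: P" followed by one rule per line) is that of the ebtables tool.

```python
"""Which layer, if any, filters IPv6 on this host?

Added example, not code from the thread or from CloudStack.  Two layers are
checked: the ip6tables chain policies (Hugo's point: default ACCEPT) and
the ebtables chain the CSP installs (Chiradeep's point: '-p IPv6 -j DROP').
The chain name DEFAULT_EBTABLES is from his snippet; all function names and
the sample dumps used in the test are this example's own.
"""
from __future__ import annotations

import re
import subprocess
import sys
from typing import Dict, List

# "-P INPUT ACCEPT" lines from `ip6tables -S`
IP6_POLICY = re.compile(r"^-P\s+(\S+)\s+(ACCEPT|DROP|REJECT)$")
# "Bridge chain: DEFAULT_EBTABLES, entries: 1, policy: ACCEPT" from `ebtables -L`
EBT_CHAIN = re.compile(r"^Bridge chain:\s+(\S+),\s+entries:\s+\d+,\s+policy:\s+(\S+)")


def ip6tables_policies(dump: str) -> Dict[str, str]:
    """Map chain name -> default policy from `ip6tables -S` output."""
    policies: Dict[str, str] = {}
    for line in dump.splitlines():
        m = IP6_POLICY.match(line.strip())
        if m:
            policies[m.group(1)] = m.group(2)
    return policies


def ebtables_drops_ipv6(dump: str, chain: str = "DEFAULT_EBTABLES") -> bool:
    """True if `chain` holds an unconditional '-p IPv6 -j DROP' rule.

    A rule with extra matches (e.g. --ip6-dport 22) does not count: it
    drops some IPv6 traffic, not IPv6.
    """
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        m = EBT_CHAIN.match(line)
        if m:
            current = m.group(1)
            continue
        if current == chain and line.split() == ["-p", "IPv6", "-j", "DROP"]:
            return True
    return False


def ipv6_filter_findings(ip6_dump: str, ebt_dump: str,
                         chain: str = "DEFAULT_EBTABLES") -> List[str]:
    """One finding per layer that lets IPv6 through; empty means both the
    host stack (ip6tables) and the bridge (ebtables) drop it."""
    findings: List[str] = []
    policies = ip6tables_policies(ip6_dump)
    # A missing chain is treated as ACCEPT: that is the kernel default when
    # no IPv6 rules were ever pushed, which is exactly Hugo's case.
    for ch in ("INPUT", "FORWARD"):
        if policies.get(ch, "ACCEPT") == "ACCEPT":
            findings.append(f"ip6tables {ch} policy is ACCEPT")
    if not ebtables_drops_ipv6(ebt_dump, chain):
        findings.append(f"ebtables chain {chain} has no unconditional '-p IPv6 -j DROP'")
    return findings


def _run(cmd: List[str]) -> str:
    try:
        return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return ""  # tool absent or chain missing: parsed as "nothing filters"


def main() -> int:
    findings = ipv6_filter_findings(_run(["ip6tables", "-S"]),
                                    _run(["ebtables", "-L", "DEFAULT_EBTABLES"]))
    for f in findings:
        print(f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

On a dom0 where only the IPv4 rules were pushed and CSP is not installed, all three findings appear; with the CSP chain in place only the ip6tables ones remain, which is the state Chiradeep describes and the reason the sysctl change is still worth having.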