
Re: [Xen-devel] [PATCH 4/5] hotplug/linux: Add IPv6 support to the iptables logic



On 2014-05-16 21:33, Sylvain Munaut wrote:
>> I think it would be a good idea to allow autoconfigured IPv6 addresses.
>> These have the lower 64-bit of the address set to a value based on the
>> interface MAC address (EUI-64), which is known in the vif script.
>>
>> Unfortunately it is not easy to compute that suffix in a shell script.
>> In my setup I use a helper Python script, but guess this might not be
>> the perfect solution for the standard scripts.
> 
> The issue is how do you get the prefix?

The prefix doesn't really matter if the goal is to prevent spoofing
other hosts' addresses. And ip6tables allows matching the lower half of
an IPv6 address: '-d ::1111:2222:3333:4444/::ffff:ffff:ffff:ffff'

This itself won't prevent spoofing the network part (and some policies
in the network may rely on the network part of addresses), but this hole
can be sealed with a single added ip6tables rule, with no need for the
Xen hotplug scripts' cooperation. I don't know if that is acceptable.

Greets,
        Jacek
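As an added illustration of the suffix computation discussed above (this is not Jacek's helper script nor code from the Xen hotplug scripts): the modified EUI-64 interface identifier is derived from the vif's MAC, and the same lower-64-bit comparison that the ip6tables mask performs is reproduced in Python. The rule form produced by suffix_rule (FORWARD chain, physdev match on an assumed vif name like vif1.0) is an assumption for illustration, and the MAC used is a constructed sample.

```python
import ipaddress
import re

_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}$")
# ip6tables mask selecting only the interface-identifier half of an address
LOWER64_MASK = "::ffff:ffff:ffff:ffff"


def mac_to_eui64_suffix(mac: str) -> ipaddress.IPv6Address:
    """Derive the modified EUI-64 interface identifier (RFC 4291, Appendix A)
    from a 48-bit MAC and return it as an IPv6 address with an all-zero prefix."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    octets[0] ^= 0x02  # flip the universal/local bit
    # insert ff:fe between the OUI and the device-specific half
    eui64 = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(bytes(8) + eui64)


def suffix_rule(vif: str, mac: str) -> str:
    """Build an anti-spoofing rule (assumed form, not the Xen scripts' own):
    accept forwarded traffic from `vif` only when the source address carries
    the interface identifier derived from that vif's MAC."""
    suffix = mac_to_eui64_suffix(mac)
    return (f"ip6tables -A FORWARD -m physdev --physdev-in {vif} "
            f"-s {suffix}/{LOWER64_MASK} -j ACCEPT")


def suffix_matches(addr: str, mac: str) -> bool:
    """The check the mask performs: compare only the lower 64 bits of `addr`
    against the EUI-64 suffix, ignoring whatever prefix was autoconfigured."""
    lower = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return lower == int(mac_to_eui64_suffix(mac))


if __name__ == "__main__":
    sample_mac = "00:16:3e:12:34:56"  # constructed sample MAC
    print(mac_to_eui64_suffix(sample_mac))
    print(suffix_rule("vif1.0", sample_mac))
    print(suffix_matches("2001:db8::216:3eff:fe12:3456", sample_mac))
```

As the message notes, the rule only pins the interface-identifier half; a guest using privacy extensions (RFC 4941) or a manually configured address would not match it and would need a different policy.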

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel