This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
From: Felix Kuperjans <felix@xxxxxxxxxxxxxxxxxx>
Date: Tue, 07 Dec 2010 01:06:44 +0100
Delivery-date: Mon, 06 Dec 2010 16:08:13 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <p0624085ac9231d5b0bc0@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <AANLkTikJsOP7_679y1aReZCMWcGpmCgmr8x4wgg09Zz8@xxxxxxxxxxxxxx> <4CFD1220.1090205@xxxxxxxxxxx> <p0624085ac9231d5b0bc0@xxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20101105 Thunderbird/3.1.6
Well, arptables is officially deprecated anyway. I don't know whether its
successor, ebtables, supports filtering of the content of NDP messages,
but you can filter NDP messages themselves with iptables just as any
other icmpv6 message - for example, denying them altogether. Or you add
static neighbor entries, which cannot be overwritten by neighbor
In addition, the neighbor proxy serves as a replacement for the arp
proxy in routed scenarios.
A good starting point is using static ARP + neighbor entries for all
domUs and the gateway at eth0. This will effectively prevent most
working ARP / NDP attacks.

What I'm personally missing is NAT. I know it has been dropped for good
reasons, but NAT has some cool advantages like hiding a webserver domU
and a mailserver domU behind a single IP address - which will obfuscate
your virtual server structure.

We use our own private internal network within our server, which is dual
stack with IPv4 + IPv6, using a routed setup with static ARP + neighbor
entries; however, I do not yet route external IPv6 addresses to the
domUs (not for an explicit reason, rather because of too little time /
interest). I think XEN as a software is ready for IPv6, although the
default vif-scripts do not really do much about that. But bridges and
routing work fine with both of them, it's just a question of the setup.

On 07.12.2010 00:11, Simon Hobson wrote:
> Jonathan Tripathy wrote:
>> A problem with using IPv6 at the minute is that netfilter doesn't
>> have as-advanced filtering capabilities as it does with IPv4. This is
>> important when your DomUs are for customers on an unmanaged basis.
>> The main issue is that IPv6 doesn't use ARP anymore, so all MAC
>> address detection is done in the IP layer and AFAIK, netfilter
>> doesn't have the proper filtering for IPv6 to prevent MAC spoofing.
>> What we really need is an IPv6 equivalent to arptables.
> Since you clearly know quite a bit more than I do about IPv6 - can you
> recommend a good guide/primer for getting going ? At the moment I know
> a little bit - but mostly what I know is that it's quite a bit
> different from IPv4 and it's not a case of "the same but more bits".
> It's really about time I started looking at this for work.

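The setup Felix describes above (static ARP + static neighbor entries for every domU and for the gateway on eth0, a neighbor proxy in place of proxy ARP for a routed dual-stack layout, and ip6tables treating NDP like any other icmpv6 traffic) can be generated from one table of domU facts. The script below is an added example, not code from the thread or from Xen's vif-scripts. The interface names, MAC addresses and the 192.0.2.0/24 and 2001:db8:1::/64 addresses are constructed sample data; it only prints the commands so they can be reviewed before being applied as root on the dom0.

```shell
#!/bin/sh
# Added example (not from the original thread). Emits the dom0 commands for a
# routed dual-stack Xen setup: permanent ARP/NDP entries per domU vif and for
# the upstream gateway, proxy ARP/NDP on eth0 so the upstream router reaches
# the domU addresses, and netfilter rules that pin each vif to its MAC and
# addresses. All names, MACs and addresses below are constructed assumptions.
# Apply on the dom0 (as root) with:  sh ndp_pin.sh | sh

# Constructed domU table: name, vif, MAC, IPv4, IPv6 (one domU per line)
DOMUS='
web   vif1.0  00:16:3e:00:00:01  192.0.2.11   2001:db8:1::11
mail  vif2.0  00:16:3e:00:00:02  192.0.2.12   2001:db8:1::12
'
GW_IF=eth0                    # assumed upstream interface
GW_MAC=00:00:5e:00:01:01      # assumed upstream router MAC
GW_V4=192.0.2.1
GW_V6=2001:db8:1::1

# Iterate the table, skipping blank lines; callback gets name vif mac ip4 ip6
each_domu() {
    printf '%s\n' "$DOMUS" | while read -r name vif mac ip4 ip6; do
        [ -n "$name" ] || continue
        "$@" "$name" "$vif" "$mac" "$ip4" "$ip6"
    done
}

# Permanent (nud permanent) entries are never updated by ARP replies or
# neighbor advertisements, so a guest cannot poison dom0's cache.
_neigh_domu() {
    printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' "$4" "$3" "$2"
    printf 'ip -6 neigh replace %s lladdr %s dev %s nud permanent\n' "$5" "$3" "$2"
}
static_neigh_cmds() {
    printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' "$GW_V4" "$GW_MAC" "$GW_IF"
    printf 'ip -6 neigh replace %s lladdr %s dev %s nud permanent\n' "$GW_V6" "$GW_MAC" "$GW_IF"
    each_domu _neigh_domu
}

# Routed setup: dom0 answers ARP/NDP on eth0 for the domU addresses, which
# live behind the vifs rather than on the eth0 link.
_proxy_domu() {
    printf 'ip -6 neigh add proxy %s dev %s\n' "$5" "$GW_IF"
}
proxy_ndp_cmds() {
    printf 'sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1\n'
    printf 'sysctl -w net.ipv4.conf.%s.proxy_arp=1\n' "$GW_IF"
    printf 'sysctl -w net.ipv6.conf.%s.proxy_ndp=1\n' "$GW_IF"
    each_domu _proxy_domu
}

# Per-vif filtering. NDP is link-local, so in a routed setup it hits INPUT on
# the vif; the MAC match (xt_mac) is valid in INPUT and FORWARD.
_filter_domu() {
    vif=$2; mac=$3; ip4=$4; ip6=$5
    # A guest never acts as a router: drop router advertisement (134) and
    # redirect (137) unconditionally.
    printf 'ip6tables -A INPUT -i %s -p icmpv6 --icmpv6-type 134 -j DROP\n' "$vif"
    printf 'ip6tables -A INPUT -i %s -p icmpv6 --icmpv6-type 137 -j DROP\n' "$vif"
    # Anything on the vif not carrying the pinned source MAC is dropped; this
    # covers spoofed neighbor solicitation/advertisement (135/136) too.
    printf 'ip6tables -A INPUT -i %s -m mac ! --mac-source %s -j DROP\n' "$vif" "$mac"
    printf 'ip6tables -A FORWARD -i %s -m mac ! --mac-source %s -j DROP\n' "$vif" "$mac"
    # Only the assigned addresses may be used as source for routed traffic.
    printf 'iptables -A FORWARD -i %s ! -s %s -j DROP\n' "$vif" "$ip4"
    printf 'ip6tables -A FORWARD -i %s ! -s %s -j DROP\n' "$vif" "$ip6"
}
ndp_filter_cmds() {
    each_domu _filter_domu
}

# Print the whole command set for review.
static_neigh_cmds
proxy_ndp_cmds
ndp_filter_cmds
```

Two caveats a practitioner would check: the `--icmpv6-type` names differ in spelling between ip6tables builds, so the numeric types are used above; and this only works for the routed layout Felix describes. In a bridged setup, guest-to-guest NDP crosses the bridge without touching the INPUT chain, so the equivalent pinning has to be done with ebtables or by enabling `net.bridge.bridge-nf-call-ip6tables` and using the physdev match in FORWARD.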
Xen-users mailing list