[libvirt] PATCH: Disable IPv6 on virtual network bridges

Jonas Eriksson jonas.j.eriksson at ericsson.com
Thu Jul 30 15:57:25 UTC 2009


On Thu, Jul 30, 2009 at 04:55:11PM +0100 Daniel P. Berrange wrote:
> On Thu, Jul 30, 2009 at 05:50:30PM +0200, Jonas Eriksson wrote:
> > On Thu, Jul 30, 2009 at 04:37:35PM +0100 Daniel P. Berrange wrote:
> > > This is to address:
> > > 
> > >   https://bugzilla.redhat.com/show_bug.cgi?id=501934
> > > 
> > > which allows the guest to DOS the host IPv6 connectivity
> > > 
> > > Daniel
> > > 
> > > commit 763cf06ff76b4ded03a9b577cd8c541729190edc
> > > Author: Daniel P. Berrange <berrange at redhat.com>
> > > Date:   Thu Jul 30 16:34:56 2009 +0100
> > > 
> > >     Disable IPv6 on virtual networks
> > >     
> > >     If the bridge device is configured to have IPv6 address and
> > >     accept router advertisements, then a malicious guest can send
> > >     out bogus advertisements and hijack/DOS host IPv6 connectivity
> > >     
> > >     * src/network_driver.c: Set accept_ra=0, disable_ipv6=1, autoconf=0
> > >       for IPv6 sysctl on virtual network bridge devices
> > 
> > Nasty problem. However, why disable ipv6 as well? Disabling only
> > ra and autoconf seems sufficient. There is probably some reason,
> > but more people than me are undoubtedly curious about this.
> 
> The current virtual network support is intended to be IPv4 only at
> this time.  We do have plans to fully support IPv6, at which point
> this will become configurable, on or off. So until that time it's
> safer to explicitly turn it off

Thanks and ACK.

/Jonas

--
Jonas Eriksson
Consultant at AS/EAB/FLJ/IL
Combitech AB
Älvsjö, Sweden
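
An added example, not part of the original message and not libvirt's code: a POSIX shell function that reads the three per-interface sysctls named in the commit message and reports whether a bridge matches the patch's values, has only the RA-related values set, or still has accept_ra enabled. The function name, the state labels, the return codes and the optional sysctl-root argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: classify one interface by accept_ra, disable_ipv6 and autoconf.
# Usage: classify_bridge_ipv6 <iface> [sysctl-root]   (root defaults to /proc/sys)
# The optional root lets the check run against a copied or constructed tree.
classify_bridge_ipv6() {
    iface=$1
    dir="${2:-/proc/sys}/net/ipv6/conf/$iface"
    # No directory: the interface is absent or the kernel exposes no IPv6 sysctls.
    [ -d "$dir" ] || { echo "no-ipv6-sysctls"; return 3; }
    for key in accept_ra disable_ipv6 autoconf; do
        [ -r "$dir/$key" ] || { echo "unreadable:$key"; return 3; }
    done
    ra=$(cat "$dir/accept_ra")
    off=$(cat "$dir/disable_ipv6")
    auto=$(cat "$dir/autoconf")
    # Order of the fields below: accept_ra / disable_ipv6 / autoconf
    case "$ra/$off/$auto" in
        0/1/0)    echo "matches-patch"; return 0 ;;  # the three values from the commit message
        0/0/0)    echo "ra-off-only";   return 1 ;;  # RA and autoconf off, IPv6 left enabled
        [!0]/0/*) echo "ra-enabled";    return 2 ;;  # accept_ra non-zero while IPv6 is enabled
        *)        echo "drift";         return 1 ;;  # any other mix of the three values
    esac
}
```

On a host, call it with the bridge device name of the virtual network, for example from a configuration-audit job that alerts on any result other than `matches-patch`.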
