Re: [libvirt] PATCH: Disable IPv6 on virtual network bridges
- From: "Daniel P. Berrange" <berrange redhat com>
- To: Jonas Eriksson <jonas j eriksson ericsson com>
- Cc: Libvirt development <libvir-list redhat com>
- Subject: Re: [libvirt] PATCH: Disable IPv6 on virtual network bridges
- Date: Thu, 30 Jul 2009 17:09:54 +0100
On Thu, Jul 30, 2009 at 04:55:11PM +0100, Daniel P. Berrange wrote:
> On Thu, Jul 30, 2009 at 05:50:30PM +0200, Jonas Eriksson wrote:
> > On Thu, Jul 30, 2009 at 04:37:35PM +0100 Daniel P. Berrange wrote:
> > > This is to address:
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=501934
> > >
> > > which allows the guest to DOS the host IPv6 connectivity
> > >
> > > Daniel
> > >
> > > commit 763cf06ff76b4ded03a9b577cd8c541729190edc
> > > Author: Daniel P. Berrange <berrange redhat com>
> > > Date: Thu Jul 30 16:34:56 2009 +0100
> > >
> > > Disable IPv6 on virtual networks
> > >
> > > If the bridge device is configured to have IPv6 address and
> > > accept router advertisements, then a malicious guest can send
> > > out bogus advertisements and hijack/DOS host IPv6 connectivity
> > >
> > > * src/network_driver.c: Set accept_ra=0, disable_ipv6=1, autoconf=0
> > > for IPv6 sysctl on virtual network bridge devices
> >
> > Nasty problem. However, why disable ipv6 as well? Disabling only
> > ra and autoconf seems sufficient. There is probably some reason,
> > but more people than me are undoubtedly curious about this.
>
> The current virtual network support is intended to be IPv4 only at
> this time. We do have plans to fully support IPv6, at which point
> this will become configurable, on or off. So until that time it's
> safer to explicitly turn it off

FYI, the info about supporting IPv6 properly is here:

http://www.redhat.com/archives/libvir-list/2009-June/msg00067.html
https://bugzilla.redhat.com/show_bug.cgi?id=514749

Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
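
The three sysctl values named in the commit message can be verified on a host with a check like the following. This is an added example, not part of the original thread and not libvirt's code; the helper name `audit_bridge_ipv6`, the sample bridge names and the sample tree are constructed, and the settings are assumed to live under the standard Linux path `/proc/sys/net/ipv6/conf/<iface>/`.

```shell
#!/bin/sh
# Added example, not libvirt code: audit the per-interface IPv6 sysctls
# that the commit message says are set on virtual network bridges.
# Assumption: values are exposed under /proc/sys/net/ipv6/conf/<iface>/.
EXPECTED="accept_ra=0 disable_ipv6=1 autoconf=0"

# audit_bridge_ipv6 IFACE [CONF_ROOT]   (hypothetical helper name)
# Prints one line per deviating or unreadable setting and returns the
# number of problems found (0 means all three match the commit message).
audit_bridge_ipv6() {
    iface=$1
    root=${2:-/proc/sys/net/ipv6/conf}
    problems=0
    # Refuse names that would step outside the conf directory.
    case $iface in
        ''|*/*|.|..) echo "invalid interface name: '$iface'"; return 1 ;;
    esac
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        file=$root/$iface/$key
        if [ ! -r "$file" ]; then
            # A missing file means the setting cannot be confirmed.
            echo "$iface: $key unreadable ($file)"
            problems=$((problems + 1))
            continue
        fi
        got=$(cat "$file")
        if [ "$got" != "$want" ]; then
            echo "$iface: $key=$got, expected $want"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample tree (not real host data): virbr0 carries the values
# from the commit message, virbr1 accepts RAs and autoconfigures.
demo=$(mktemp -d)
mkdir -p "$demo/virbr0" "$demo/virbr1"
echo 0 > "$demo/virbr0/accept_ra"; echo 1 > "$demo/virbr0/disable_ipv6"
echo 0 > "$demo/virbr0/autoconf"
echo 1 > "$demo/virbr1/accept_ra"; echo 0 > "$demo/virbr1/disable_ipv6"
echo 1 > "$demo/virbr1/autoconf"
for br in virbr0 virbr1; do
    if audit_bridge_ipv6 "$br" "$demo"; then echo "$br: ok"; fi
done
rm -rf "$demo"
```

On a real host, call `audit_bridge_ipv6 <bridge>` with no second argument to read the live values from `/proc`.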