Re: [libvirt] PATCH: Disable IPv6 on virtual network bridges

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Jul 30, 2009 at 05:50:30PM +0200, Jonas Eriksson wrote:
> On Thu, Jul 30, 2009 at 04:37:35PM +0100 Daniel P. Berrange wrote:
> > This is to address:
> > 
> >   https://bugzilla.redhat.com/show_bug.cgi?id=501934
> > 
> > which allows the guest to DOS the host IPv6 connectivity
> > 
> > Daniel
> > 
> > commit 763cf06ff76b4ded03a9b577cd8c541729190edc
> > Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
> > Date:   Thu Jul 30 16:34:56 2009 +0100
> > 
> >     Disable IPv6 on virtual networks
> >     
> >     If the bridge device is configured to have IPv6 address and
> >     accept router advertisments, then a malicious guest can send
> >     out bogus advertisments and hijack/DOS host IPv6 connectivity
> >     
> >     * src/network_driver.c: Set accept_ra=0, disable_ipv6=1, autoconf=0
> >       for IPv6 sysctl on virual network bridge devices
> 
> Nasty problem. However, why disable ipv6 as well? Disabling only
> ra and autoconf seems sufficient. There is probably some reason,
> but more people than me are undoubtly curios about this.

The current virtuall network support is intended to be IPv4 only at 
this time.  We do have plans to fully support IPv6, at which point
this will become configurable, on or off. So until that time its
safer to explicitly turn it off

Regards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]