On Thu, Jul 30, 2009 at 04:55:11PM +0100 Daniel P. Berrange wrote:
> On Thu, Jul 30, 2009 at 05:50:30PM +0200, Jonas Eriksson wrote:
> > On Thu, Jul 30, 2009 at 04:37:35PM +0100 Daniel P. Berrange wrote:
> > > This is to address:
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=501934
> > >
> > > which allows the guest to DOS the host IPv6 connectivity
> > >
> > > Daniel
> > >
> > > commit 763cf06ff76b4ded03a9b577cd8c541729190edc
> > > Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
> > > Date: Thu Jul 30 16:34:56 2009 +0100
> > >
> > > Disable IPv6 on virtual networks
> > >
> > > If the bridge device is configured to have IPv6 address and
> > > accept router advertisements, then a malicious guest can send
> > > out bogus advertisements and hijack/DOS host IPv6 connectivity
> > >
> > > * src/network_driver.c: Set accept_ra=0, disable_ipv6=1, autoconf=0
> > > for IPv6 sysctl on virtual network bridge devices
> >
> > Nasty problem. However, why disable ipv6 as well? Disabling only
> > ra and autoconf seems sufficient. There is probably some reason,
> > but more people than me are undoubtedly curious about this.
>
> The current virtual network support is intended to be IPv4 only at
> this time. We do have plans to fully support IPv6, at which point
> this will become configurable, on or off. So until that time it's
> safer to explicitly turn it off

Thanks and ACK.

/Jonas

--
Jonas Eriksson
Consultant at AS/EAB/FLJ/IL
Combitech AB
Älvsjö, Sweden

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
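
A host-side check for the three settings named in the commit message, as an added example that is not part of the thread or of libvirt's code. The function name `audit_bridge_ipv6` and the bridge name `virbr0` in the usage comment are assumptions; the keys and expected values are the ones the commit message lists.

```shell
#!/bin/sh
# Audit the per-interface IPv6 sysctls that the commit message says are set
# on virtual network bridges: accept_ra=0, disable_ipv6=1, autoconf=0.
#
# Usage (bridge name is an assumption, substitute your own):
#   audit_bridge_ipv6 virbr0

# Expected key=value pairs, taken from the commit message.
EXPECTED="accept_ra=0 disable_ipv6=1 autoconf=0"

# audit_bridge_ipv6 BRIDGE [ROOT]
# ROOT defaults to the kernel's sysctl tree; it can be pointed at a
# constructed directory to exercise the check without a real bridge.
# Prints one line per deviation. Returns 0 if all three values match,
# 1 if any value deviates or is unreadable, 2 if the interface has no
# IPv6 sysctl directory at all.
audit_bridge_ipv6() {
    bridge=$1
    root=${2:-/proc/sys/net/ipv6/conf}
    dir="$root/$bridge"
    rc=0

    if [ ! -d "$dir" ]; then
        echo "$bridge: no IPv6 sysctl directory at $dir"
        return 2
    fi

    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        if [ ! -r "$dir/$key" ]; then
            echo "$bridge: $key unreadable"
            rc=1
            continue
        fi
        got=$(cat "$dir/$key")
        if [ "$got" != "$want" ]; then
            # e.g. accept_ra=1 means the bridge still processes router
            # advertisements, the condition the commit is closing off.
            echo "$bridge: $key=$got (expected $want)"
            rc=1
        fi
    done
    return $rc
}
```
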