#opnfv-meeting log

15:06:26 <bryan_att> #startmeeting IPv6 Project Meeting #12
15:06:26 <collabot> Meeting started Fri Apr 10 15:06:26 2015 UTC.  The chair is bryan_att. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:06:26 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:06:26 <collabot> The meeting name has been set to 'ipv6_project_meeting__12'
15:06:40 <bryan_att> #topic Gap analysis by Jonne
15:08:03 <bryan_att> #info IETF has done some work on router advertising
15:08:54 <bryan_att> #info RFC 6583 is implementation guidelines rather than features
15:09:16 <bryan_att> #info There are a few IPv6 related blueprints in the OpenStack pipeline
15:10:17 <bryan_att> #info topics Jonne is addressing are in the email
15:10:21 <bryan_att> #link http://lists.opnfv.org/pipermail/opnfv-tech-discuss/2015-April/002136.html
15:11:17 <bryan_att> #info All these blueprints are new and all from the same contributor
15:12:13 <iben_> question: are these security fixes and bugs related ONLY to IPv6?
15:12:22 <bryan_att> #info Whether there is a gap is unclear - the blueprints e.g. reference neighbory discovery protection and snooping but it's unclear what is intended
15:12:22 <iben_> or do they also effect IPv4?
15:13:36 <bryan_att> #link https://blueprints.launchpad.net/neutron/+spec/security-group-ipv6-ra-guard
15:13:57 <bryan_att> #info Bin: have these 2 BPs met the need?
15:16:38 <bryan_att> #info Sridhar: these are the BPs referenced in the wiki
15:16:40 <bryan_att> #link https://wiki.opnfv.org/ipv6_opnfv_project/topdown_usecase
15:17:26 <bryan_att> #info ... have submitted a patch for a default rule preventing VMs from accessing IPv6 RA, e.g. to avoid a fake router attack
15:18:24 <bryan_att> #info ... the 2nd is a more low-level security rule patch which did not make it to Kilo
15:18:44 <bryan_att> #info ... one more is in Kilo but not enabled for IPv6
15:19:09 <bryan_att> #info Jonne: the RA guard issue may be addressed for now, so the 1st line of the BP is addressed
15:19:50 <bryan_att> #info ... the fix has 2 parts; ML2 plugin patch, and a tab/switch in openstack which controls the feature
15:20:40 <bryan_att> #info Sridhar: we will need to configure ports to disable the security in Horizon; if you want to run a real router the default security will have to be disabled
15:22:57 <bryan_att> #info Jonne: re enabler discovery inspection, when discovery is initiated from the right nodes they have identifying information; in OVS a trigger could ensure that discovery messages are properly formatted, e.g. have identifying info which is correct for the source of the message
15:23:18 <bryan_att> #info ... this is similar to ARP spoofing protection
15:24:20 <bryan_att> #info Sridhar: if we can protect the ports for discovery, this helps avoid duplicate addresses also
15:24:52 <bryan_att> #info ... ARP is different as a protocol but they are similar enough that a common fix will work for both
15:25:42 <bryan_att> #info Srishar: in Neutron to do this we could use security groups, or IP tables (?)
15:27:38 <bryan_att> #info ... the other is to use OpenVSwitch to filter invalid requests; a patch to implement protection is in the works but only addresses IPv4 yet
15:28:07 <bryan_att> #info ... we need this to work beyond OpenVSwitch though; security group approach will work everywhere
15:28:49 <bryan_att> #info Jonne: this can't just be a static filter; to really do this "inspection" you must do it in OpenVSwitch as the security rules are static
15:30:02 <bryan_att> #info Sridhar: the rules do need to be dynamic in nature; neutron automatically adds group rules using IP tables; we can extend this feature to solve this goal also
15:30:57 <bryan_att> #info Jonne: this is the same logic and works well for IPv4. But in IPv6 multiple addresses/prefixes can be assigned, or privacy addresses (random 64-bits in some fields)
15:31:44 <bryan_att> #info ... this is widely implemented; static rules might restrict IPv6 support given this dynamic nature of IPv6 addresses
15:32:10 <bryan_att> #info Sridhar: we don't support privacy extensions in Neutron yey
15:32:31 <bryan_att> #info Jonne: does Neutron support 2 different addresses on the same port?
15:33:03 <bryan_att> #info Sridhar: there is a related feature but need to look closer; it implements support for router ports
15:33:40 <bryan_att> #info ... the BP is approved for Kilo; multiple addresses per port is merged recently'
15:34:39 <bryan_att> #info ... a port is associated only with a single subnet which has a prefix; multiple interfaces with own prefix are required
15:35:08 <bryan_att> #info Jonne: these are virtual interfaces so you can arrange it, but that is not addressing what IPv6 intends
15:36:17 <bryan_att> #info ... address allocation by routers will include various type of prefixes; the risk is w/o multiple prefixes per link, there is a disincentive for NAT; that is not intended by IPv6
15:37:07 <bryan_att> #info Sridhar: for address prefixes that are not exposed to the WAN; is that common or would two different routers serve the different address types?
15:37:24 <bryan_att> #info Jonne: it should not be uncommon that the same router serves multiple addresses
15:38:19 <bryan_att> #info ... in a large net with multiple layers, the last router serves one address up and multiple down; internal addresses are filtered at the border
15:38:55 <bryan_att> #info ... starting w/o internet connectivity, local addresses are used for internal communication and then mapped to a global address
15:39:16 <bryan_att> #info ... you can also assign local addresses that are not exposed outside for security
15:39:39 <bryan_att> #info ... servers might have local addresses, and clients both local and global addresses
15:40:24 <bryan_att> #info Sridhar: similar to local subnets e.g. 192, what is the role of ULA for that?
15:41:11 <bryan_att> #info Jonne: the idea is not that the end-host gets local addresses and communicates thru a NAT; the goal is a computationally unique address used for internal use, and a global address for external communication
15:41:45 <bryan_att> #info ... selection rules helps the client use the correct address type for the communication based upon the address of the target
15:42:12 <bryan_att> #info ... source address selection rules in the host determine which address will be used, from the multiple that the host has
15:42:32 <bryan_att> #info ... an RFC defines these rules (link anyone?)
15:43:12 <bryan_att> #info Sridhar: makes sense, so the client can choose; afaik we don't support that so far in Neutron
15:44:13 <bryan_att> #info Bin: so for IPv6 security groups, it depends upon the port security extension targeted for Liberty; beyond Liberty, are there any other gaps we should address e.g. via a new BP?
15:44:47 <bryan_att> #info Jonne: that should be enough for 1st hop security
15:45:09 <bryan_att> #info Sridhar: agree; once this new patch is merged, we can extend it to new needs
15:46:00 <bryan_att> #info Bin: we will need those patches for the PoC Mark is working on so a VM can be a router
15:46:43 <bryan_att> #info Sridhar: a patch disabling anti-spoofing rules was put into Juno; but for Kilo we can use the patch that was just merged
15:46:56 <bryan_att> #info Bin: Mark, have you had the chance to verify the patch?
15:47:18 <bryan_att> #info Mark: not yet, time is needed to test; will do so asap
15:48:23 <bryan_att> #info Bin: when Mark has verified that, Sridhar can update the patch for the security rules that we want for the Kilo release
15:48:49 <bryan_att> #info Sridhar: recommends we use the port security rules patch that is already in Kilo
15:49:37 <bryan_att> #info ... I can make the feature a configurable parameter in horizon; the patch just disables the rules; but we need to make sure we note that the patch should not be approved upstream, is just for testing
15:49:52 <bryan_att> #info Bin: so this can be an OPNFV-specific extension for Juno
15:50:21 <bryan_att> #info ... for Kilo we can use the port security exension
15:50:41 <bryan_att> #info ... maybe in 2 weeks we can have testing of this for the PoC
15:51:24 <bryan_att> #info ... in addition to verifying the patch, updating the diagram for the PoC to reflect what we need to do without the patch
15:51:45 <bryan_att> #info ... Iben, any update on lab IPv6 connection?
15:52:16 <bryan_att> #info Iben: working on the documentation project for R1 - no time this week
15:52:56 <bryan_att> #topic Jira use
15:53:18 <bryan_att> #info Bin: projects are using Jira; I will put action items into Jira
15:54:01 <bryan_att> #info ... we should also put documentation into git/gerrit as a starting point, as soon as time is available for that
15:54:27 <bryan_att> #info ... proposals are being discussed on the list; we should try to migrate to that when possible
15:54:43 <bryan_att> #topic Call Frequency
15:54:54 <bryan_att> #info Bin: should we maintain weekly calls?
15:55:20 <bryan_att> #info Iben: discussion is leaning toward every 2 weeks
15:55:39 <bryan_att> #info (general agreement)
15:56:08 <bryan_att> #info Bin: starting from next week we can convert to a meeting every two weeks
15:56:36 <bryan_att> #info ... the audio meetings do help clarify a lot in a short time; so we will continue them
15:56:52 <bryan_att> #info ... we can add additional meetings as needed
15:57:02 <bryan_att> #endmeeting