Re: [libvirt] PATCH: Disable IPv6 on virtual network bridges
On Thu, Jul 30, 2009 at 04:37:35PM +0100 Daniel P. Berrange wrote:
This is to address:
https://bugzilla.redhat.com/show_bug.cgi?id=501934
which allows the guest to DOS the host IPv6 connectivity
Daniel
commit 763cf06ff76b4ded03a9b577cd8c541729190edc
Author: Daniel P. Berrange <berrange(a)redhat.com>
Date: Thu Jul 30 16:34:56 2009 +0100
Disable IPv6 on virtual networks
If the bridge device is configured to have IPv6 address and
accept router advertisments, then a malicious guest can send
out bogus advertisments and hijack/DOS host IPv6 connectivity
* src/network_driver.c: Set accept_ra=0, disable_ipv6=1, autoconf=0
for IPv6 sysctl on virual network bridge devices
Nasty problem. However, why disable ipv6 as well? Disabling only
ra and autoconf seems sufficient. There is probably some reason,
but more people than me are undoubtly curios about this.
/Jonas
--
Jonas Eriksson
Consultant at AS/EAB/FLJ/IL
Combitech AB
Älvsjö, Sweden