Is this bug really fixed? Running Mitaka, it seems not. Using linuxbridges in combination with vxlan, only the vxlan interface gets disable_ipv6=1 set, not the bridge one.
This is from the compute node when booting up an instance (first one on that particular network, so all the interfaces must be provisioned):
# egrep 'brq3cd6a5c8-ec|disable_ipv6' linuxbridge-agent.log
2016-04-18 13:08:41.701 5916 DEBUG neutron.agent.linux.utils [req-1926075e-555e-4363-ab24-4c93d0b5c989 - - - - -] Running command (rootwrap daemon): ['sysctl', '-w', 'net.ipv6.conf.vxlan-65601.disable_ipv6=1'] execute_rootwrap_daemon /usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py:100
2016-04-18 13:08:41.710 5916 DEBUG neutron.agent.linux.utils [req-1926075e-555e-4363-ab24-4c93d0b5c989 - - - - -] Running command (rootwrap daemon): ['ip', 'link', 'set', 'brq3cd6a5c8-ec', 'up'] execute_rootwrap_daemon /usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py:100
2016-04-18 13:08:41.714 5916 DEBUG neutron.agent.linux.utils [req-1926075e-555e-4363-ab24-4c93d0b5c989 - - - - -] Running command (rootwrap daemon): ['brctl', 'addif', 'brq3cd6a5c8-ec', 'vxlan-65601'] execute_rootwrap_daemon /usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py:100
2016-04-18 13:08:41.729 5916 DEBUG neutron.plugins.ml2.drivers.linuxbridge.agent.linuxbridge_neutron_agent [req-1926075e-555e-4363-ab24-4c93d0b5c989 - - - - -] Skip adding device tap323ae2d2-4b to brq3cd6a5c8-ec. It is owned by compute:None and thus added elsewhere. _add_tap_interface /usr/lib/python2.7/site-packages/neutron/plugins/ml2/drivers/linuxbridge/agent/linuxbridge_neutron_agent.py:472
As you can see, disable_ipv6 gets set on the vxlan interface, but not the bridge (nor the tap interface for that matter).
And lo and behold, the bridge interface has acquired a global IPv6 address (because there's a neutron router/L3 agent attached to the network with ipv6-address-mode=slaac+ipv6-ra-mode=slaac):
# ip address list dev brq3cd6a5c8-ec
18: brq3cd6a5c8-ec: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8950 qdisc noqueue state UP
    link/ether b6:e4:c1:aa:90:70 brd ff:ff:ff:ff:ff:ff
    inet6 2001:db8:123:456:b4e4:c1ff:feaa:9070/64 scope global mngtmpaddr dynamic
       valid_lft 86365sec preferred_lft 14365sec
    inet6 fe80::50b2:4bff:fe32:2a3c/64 scope link
       valid_lft forever preferred_lft forever
Furthermore, I'd like to stress that this IPv6 address is *GLOBALLY REACHABLE*! Yes, that means that anyone anywhere on the IPv6 Internet (including the instances themselves) can initiate, e.g., SSH connections *directly* to the compute node - even if it's behind a firewall or is using only private RFC1918 addresses or whatever. These packets will look just like normal VXLAN packets coming from the L3 agent, so they'll bypass any normal network-level protection.
One workaround is to set /proc/sys/net/ipv6/conf/default/disable_ipv6=1. That causes the kernel to ensure that all the relevant devices (vxlan, bridge, tap) get created with IPv6 disabled by default. However, if you do want IPv6 on other unrelated interfaces (e.g., for management of the compute node itself or to carry vxlan traffic) this could be problematic if the sysctl gets set before those interfaces are plumbed into the kernel. So be careful...
I'm running openstack-neutron-linuxbridge-8.0.0-1.el7.noarch FWIW.
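As an added example (not part of this bug report and not Neutron's own code), here is a small POSIX shell audit an operator can run on a compute node to detect the condition described in the comment: it lists Neutron-managed devices (brq*, vxlan-*, tap*) whose disable_ipv6 sysctl is not 1, and parses `ip -o -6 address show` output for such devices that hold a scope global address. The device-name prefixes, the constructed sample `ip` output and the fake sysctl tree used for offline testing are assumptions; the conf root is a parameter so the check can be exercised without touching /proc.

```shell
#!/bin/sh
# Added example, not from the bug report or Neutron: audit Neutron-managed
# Linux bridge devices for IPv6 left enabled and for global IPv6 addresses
# picked up via SLAAC from an attached L3 agent.

# Report Neutron-managed devices whose disable_ipv6 sysctl is not 1.
# $1 is the sysctl conf root (normally /proc/sys/net/ipv6/conf); it is a
# parameter so the function can be run against a constructed directory tree.
audit_disable_ipv6() {
    conf=${1:-/proc/sys/net/ipv6/conf}
    for d in "$conf"/brq* "$conf"/vxlan-* "$conf"/tap*; do
        [ -e "$d/disable_ipv6" ] || continue   # unmatched glob stays literal
        if [ "$(cat "$d/disable_ipv6")" != "1" ]; then
            printf '%s\n' "$(basename "$d")"
        fi
    done
}

# Read `ip -o -6 address show` output on stdin and print "<dev> <addr>" for
# every scope global address on a Neutron-managed device. With -o each address
# is one line: "<idx>: <dev>    inet6 <addr>/<plen> scope global ...".
find_global_on_neutron_ifaces() {
    awk '$3 == "inet6" && $5 == "scope" && $6 == "global" \
         && $2 ~ /^(brq|vxlan-|tap)/ { print $2, $4 }'
}

# Apply the per-device remediation (disable_ipv6=1) to every device that
# audit_disable_ipv6 reports, using the same sysctl key the agent itself uses.
remediate_disable_ipv6() {
    audit_disable_ipv6 "$1" | while read -r dev; do
        sysctl -w "net.ipv6.conf.$dev.disable_ipv6=1"
    done
}

# Constructed sample of `ip -o -6 address show` output, modelled on the bridge
# from the report plus an unrelated management interface (eth0) that is
# expected to keep its global address.
SAMPLE_IP6='18: brq3cd6a5c8-ec    inet6 2001:db8:123:456:b4e4:c1ff:feaa:9070/64 scope global mngtmpaddr dynamic \       valid_lft 86365sec preferred_lft 14365sec
18: brq3cd6a5c8-ec    inet6 fe80::50b2:4bff:fe32:2a3c/64 scope link \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:ffff::10/64 scope global \       valid_lft forever preferred_lft forever'

# Live mode: run the audit against the real kernel. Add --fix to remediate.
if [ "${1:-}" = "--live" ]; then
    echo "== Neutron devices with IPv6 still enabled =="
    audit_disable_ipv6
    echo "== Neutron devices holding a global IPv6 address =="
    ip -o -6 address show | find_global_on_neutron_ifaces
    [ "${2:-}" = "--fix" ] && remediate_disable_ipv6
else
    echo "== Offline demo on constructed sample =="
    printf '%s\n' "$SAMPLE_IP6" | find_global_on_neutron_ifaces
fi
```

Run it as `sh audit.sh --live` on a compute node; with no arguments it only parses the constructed sample and reports the bridge. The per-device remediation is the targeted counterpart of the conf/default sysctl mentioned in the comment: it touches only the Neutron-managed devices, so management interfaces that legitimately need IPv6 are left alone.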