Comment 20 for bug 1302080

Tore Anderson (toreanderson) wrote :

Ok, so setting default/disable_ipv6=1 is *not* a viable solution, not even on the compute nodes. The reason: neutron-linuxbridge-agent will (just like neutron-l3-agent) end up believing that IPv6 is completely disabled on the system, and skip applying the IPv6 security group when plumbing an instance. The instance thus ends up being completely wide open from the global IPv6 Internet. Not good.

Setting default/accept_ra=0 seems like a better solution, as this will at the very least stop the services running directly on the compute node from being globally reachable. However, it will not prevent the Linux kernel from auto-configuring a link-local address on the bridge device, which in turn is directly reachable from the instances without any kind of firewalling. This bug is, in other words, *NOT* fixed in Mitaka, as far as I can tell.
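An audit helper that encodes the two observations in the comment above, added here as an example; it is not part of this bug report and not code from Neutron. It reads `sysctl`-style `key = value` lines and flags `disable_ipv6=1` as a failure (the agents then treat IPv6 as absent and skip the IPv6 security group rules) and a non-zero `accept_ra` as a warning, and it lists link-local addresses on the bridges that neutron-linuxbridge-agent creates (assumed here to be named `brq*`), since those remain reachable from instances regardless of `accept_ra`. The sample inputs are constructed; on a real compute node the functions would be fed `sysctl net.ipv6.conf.default` and `ip -6 -o addr show`.

```shell
#!/bin/sh
# Constructed sample of `sysctl net.ipv6.conf.default` output on a compute node
# configured the way comment 20 warns against.
SAMPLE_SYSCTL='net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.default.forwarding = 0'

# Constructed sample of `ip -6 -o addr show` output (one address per line).
# Interface names and addresses are made up; brq* is the assumed bridge prefix.
SAMPLE_IP6_ADDR='2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever
5: brqabc12345-67    inet6 fe80::1c2d:3e4f:5a6b:7c8d/64 scope link \       valid_lft forever preferred_lft forever
7: tap9f8e7d6c-5b    inet6 fe80::fc16:3eff:fe01:203/64 scope link \       valid_lft forever preferred_lft forever'

# Reads "key = value" lines on stdin, prints one finding per relevant key and
# returns 1 when any key needs attention.
audit_sysctl() {
    status=0
    while IFS= read -r line; do
        key=${line%% = *}
        value=${line##* = }
        case "$key" in
            *.disable_ipv6)
                if [ "$value" = "1" ]; then
                    echo "FAIL $key=$value: agents treat IPv6 as disabled and skip IPv6 security group rules"
                    status=1
                else
                    echo "OK   $key=$value"
                fi ;;
            *.accept_ra)
                if [ "$value" != "0" ]; then
                    echo "WARN $key=$value: host may auto-configure a global address from router advertisements"
                    status=1
                else
                    echo "OK   $key=$value"
                fi ;;
        esac
    done
    return $status
}

# Reads `ip -6 -o addr show` lines on stdin and prints "<bridge> <addr>" for
# every link-local (fe80::/10) address sitting on a brq* bridge: these are the
# addresses instances can reach without any security group filtering.
bridge_linklocal() {
    while read -r _idx iface _family addr _rest; do
        case "$iface" in
            brq*)
                case "$addr" in
                    fe80:*) echo "$iface $addr" ;;
                esac ;;
        esac
    done
}

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctl || echo "sysctl audit: action required"
echo "link-local addresses on Neutron bridges:"
printf '%s\n' "$SAMPLE_IP6_ADDR" | bridge_linklocal
```

The script deliberately distinguishes the two settings: `disable_ipv6=1` is reported as a hard failure because it removes the IPv6 security group entirely, whereas `accept_ra=0` only limits the host's own exposure, so the bridge link-local listing is still worth reviewing even when the sysctl audit passes.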