Comment 13 for bug 1262759

Ian Wells (ijw-ubuntu) wrote :

Right, so the case you would need is:

1. neighbour discovery works
   - libvirt enables hairpinning of traffic which breaks ND, so it's safe in versions up to Havana. This is being fixed now, so we need to ensure that RA receipt is blocked in Icehouse
2. an RA can be sent and received - same icmpv6 blocks
   - icmpv6 filtering blocks RA packets so icmpv6 filtering must be enabled, which implies that we're safe if ipv6 is on for the cloud

So in the case that you are /not/ using libvirt and you have /disabled/ ipv6, any cloud image in stock form will do ND correctly and receive the RA packet, and will then pass ipv6 traffic to the spoofing host. Also, if you're sharing a network with untrusted machines then accepting RAs is risky.

The underlying issue here is our policy on port filters. For traffic types we don't know about, we *pass* them. So, if we know about ipv6 we implement sensible security - but if we don't know about it (e.g. ipv6 off) then we pass all traffic.
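
The pass-by-default policy described in the comment above can be modelled in a few lines. This is an added example, not part of the original comment and not the project's filter code: `classify`, `port_filter`, `make_ra` and the frame bytes are all constructed for illustration, and the model ignores VLAN tags and IPv6 extension headers.

```python
import struct

ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
ICMPV6, RA_TYPE = 58, 134  # IPv6 next-header value, Router Advertisement type

def classify(frame):
    """Return (ethertype, icmpv6_type or None) for an untagged Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    icmp_type = None
    # Fixed 40-byte IPv6 header; next-header is byte 6 of it.
    if ethertype == ETH_IPV6 and len(frame) > 14 + 40:
        if frame[14 + 6] == ICMPV6:
            icmp_type = frame[14 + 40]
    return ethertype, icmp_type

def port_filter(frame, known_ethertypes, default_pass):
    """Simplified port filter: rules exist only for ethertypes it knows about."""
    ethertype, icmp_type = classify(frame)
    if ethertype not in known_ethertypes:
        # No rule was written for this traffic type: the default decides.
        return "pass" if default_pass else "drop"
    if icmp_type == RA_TYPE:
        return "drop"  # the ICMPv6 rule that blocks RA receipt
    return "pass"

def make_ra():
    """Constructed sample: an RA from fe80::1 to ff02::1 (checksum left at 0)."""
    eth = bytes.fromhex("333300000001" "020000000001") + struct.pack("!H", ETH_IPV6)
    ip6 = struct.pack("!IHBB", 0x60000000, 16, ICMPV6, 255)
    ip6 += bytes.fromhex("fe80" + "00" * 13 + "01")  # source address
    ip6 += bytes.fromhex("ff02" + "00" * 13 + "01")  # all-nodes multicast
    ra = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    return eth + ip6 + ra

if __name__ == "__main__":
    ra = make_ra()
    cases = [
        ("ipv6 on, default pass", {ETH_IPV4, ETH_ARP, ETH_IPV6}, True),
        ("ipv6 off, default pass", {ETH_IPV4, ETH_ARP}, True),
        ("ipv6 off, default drop", {ETH_IPV4, ETH_ARP}, False),
    ]
    for label, known, default_pass in cases:
        print(f"{label:24} RA -> {port_filter(ra, known, default_pass)}")
```

Only the middle case lets the RA through: with IPv6 unknown to the filter and a pass default, no rule ever inspects the packet.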