Comment 23 for bug 1502933

Simon Leinen (simon-leinen) wrote : Re: ICMPv6 anti-spoofing rules are too permissive

I would love to see this backported to Liberty and Kilo. Other than the security issues, it creates a dataplane/usability issue for guest OSes that use RFC 4941 privacy addresses by default, such as Windows.

The bug has the following effect: Normally, IPv6 privacy addresses should not work, because they cannot be known to Nova/Neutron, and thus they should be caught by the anti-spoofing filters.

But because of the bug, the anti-spoofing filters let all ICMPv6 through. So for example, on an instance running standard Windows 2012 Server, "ping6 ipv6.google.com" will work, but one cannot surf to http://ipv6.google.com. The built-in Windows network check will misdiagnose this as "server is online but refuses to respond to HTTP connections".

Of course it is true that OSes that use privacy addresses by default aren't suitable for out-of-the-box use under OpenStack with IPv6—privacy addresses must be disabled to get usable IPv6 connectivity. But legacy images exist, and because of the special ICMP behavior, it is hard to find the cause of the problem.
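An added illustration of the asymmetry described in this comment (example code, not from the bug report or from Neutron): a model of a per-port egress anti-spoofing check, run once with the reported ICMPv6 pass-through and once with the intended per-protocol check. The MAC, prefix and RFC 4941 temporary address are constructed; the only Neutron behaviour assumed is that the SLAAC address it knows for a port is derived from the port MAC by modified EUI-64.

```python
import ipaddress

ICMPV6, TCP = 58, 6


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC address derived from a port MAC (modified EUI-64) inside `prefix`."""
    octets = [int(b, 16) for b in mac.split(":")]
    octets[0] ^= 0x02                                   # flip the universal/local bit
    iid = bytes(octets[:3] + [0xFF, 0xFE] + octets[3:])
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def port_known_addresses(mac: str, global_prefix: str) -> set:
    """Source addresses the port's anti-spoofing rules should accept (assumed: link-local + SLAAC)."""
    return {eui64_address("fe80::/64", mac), eui64_address(global_prefix, mac)}


def egress_allowed(src: str, proto: int, known: set, icmpv6_bug: bool) -> bool:
    """Per-port egress decision.
    icmpv6_bug=True models the reported behaviour: any ICMPv6 passes regardless of source.
    icmpv6_bug=False is the intended rule: every protocol is checked against known addresses."""
    if icmpv6_bug and proto == ICMPV6:
        return True
    return ipaddress.IPv6Address(src) in known


def diagnose(flows, known: set, icmpv6_bug: bool) -> dict:
    """Map each (label, src, proto) flow to whether it leaves the port."""
    return {label: egress_allowed(src, proto, known, icmpv6_bug) for label, src, proto in flows}


# Constructed sample: a Neutron-style port MAC, a tenant /64, and a temporary address the
# guest generated itself (random IID, so no Nova/Neutron record of it exists).
MAC, PREFIX = "fa:16:3e:12:34:56", "2001:db8:1::/64"
TEMP_ADDR = "2001:db8:1:0:a1b2:c3d4:e5f6:7890"
FLOWS = [
    ("ping6 from SLAAC addr", str(eui64_address(PREFIX, MAC)), ICMPV6),
    ("http from SLAAC addr", str(eui64_address(PREFIX, MAC)), TCP),
    ("ping6 from temp addr", TEMP_ADDR, ICMPV6),
    ("http from temp addr", TEMP_ADDR, TCP),
]

if __name__ == "__main__":
    known = port_known_addresses(MAC, PREFIX)
    for label, bug in (("buggy", True), ("fixed", False)):
        print(label, diagnose(FLOWS, known, bug))
```

With the bug modelled, the temporary-address ping succeeds while the TCP flow from the same address is dropped, which is exactly the "online but refuses HTTP" symptom; with the intended rule both are dropped, so the misconfiguration shows up immediately.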