Comment 3 for bug 1502933
Revision history for this message
| xens (r-aviolat) wrote Re: ICMPv6 anti-spoofing rules are too permissive | #3 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
Salvatore,
In our setup we have a public, shared provider-network where all tenants can obtain public-IP resources, both v4 and v6 subnets are setup on top of that network. For IPv6, users on multiple tenants share the same subnet (/64).
Case #1; each tenant have their own security groups in my setup but they are on the same shared v6 subnet; yes they can impersonate another tenant's VM.
Case #2; a malicious user could also impersonate or perturb any others tenant's VMs it's ihmo more critical than Case #1 from a usability point-of-view.