Bug 1469746 - [Docs][Director] Document how to entirely disable IPv6 [NEEDINFO]
Status: NEW
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 11.0 (Ocata)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: RHOS Documentation Team
Reported: 2017-07-11 14:38 EDT by Dan Sneddon
Modified: 2018-05-07 22:03 EDT
Type: Bug
gkadam: needinfo? (rhos-docs)


Description Dan Sneddon 2017-07-11 14:38:30 EDT
Description of problem:
RHEL automatically enables IPv6 autoconfiguration and will accept RAs by default on all interfaces, even those that are not configured for IPv6. We should document how to disable IPv6 entirely for security hardening.

Version-Release number of selected component (if applicable):
All versions


Steps to Reproduce:
1. Configure Director network templates, with no IPv6 configuration
2. Deploy
3.

Actual results:
IPv6 autoconfiguration is enabled

Expected results:
IPv6 should not be enabled in environments where it is unused or disabled by policy.

Additional info:
In order to correctly turn off all IPv6 communication, the following sysctl settings should be set:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.default.autoconf = 0

For additional security, RAs may be disabled; this will ensure that routes cannot be hijacked if an IPv6 interface is enabled in the future:

net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0

This can be done through Director by customizing the composable services file that configures kernel parameters, which is located in openstack-tripleo-heat-templates/puppet/services/kernel.yaml. The following content should be added to the file alongside other kernel parameters:

        sysctl_settings:
          net.ipv6.conf.all.disable_ipv6:
            value: 1
          net.ipv6.conf.default.disable_ipv6:
            value: 1
          net.ipv6.conf.all.autoconf:
            value: 0
          net.ipv6.conf.default.autoconf:
            value: 0
          net.ipv6.conf.all.accept_ra:
            value: 0
          net.ipv6.conf.default.accept_ra:
            value: 0

This should be added to the documentation alongside the descriptions of configuring IPv6, with a link to the instructions to disable IPv6 in the section that describes IPv4 configuration.
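
One way to verify the settings listed in this report on a deployed node, as an added example that is not part of the original report or of Director. The function name `audit_ipv6_sysctl`, its optional directory argument and the sample tree are assumptions made for the example; it checks every interface directory, not only `all` and `default`, so an interface that kept a different value is reported.

```shell
#!/bin/sh
# Added example: audit the IPv6 sysctl values named in the bug report.
# The expected values (disable_ipv6=1, autoconf=0, accept_ra=0) come from the
# report; the function name and directory argument are assumptions.

# audit_ipv6_sysctl [CONF_DIR]
# Prints "<iface> <key>=<actual> expected=<wanted>" for each mismatch.
# Returns 0 if all values match, 1 on any mismatch, 2 if CONF_DIR is missing.
audit_ipv6_sysctl() {
    conf_dir="${1:-/proc/sys/net/ipv6/conf}"
    if [ ! -d "$conf_dir" ]; then
        echo "no IPv6 sysctl tree at $conf_dir" >&2
        return 2
    fi
    rc=0
    for iface_dir in "$conf_dir"/*/; do
        iface=$(basename "$iface_dir")
        for want in disable_ipv6=1 autoconf=0 accept_ra=0; do
            key=${want%%=*}
            expected=${want#*=}
            file="$iface_dir$key"
            [ -r "$file" ] || continue   # key not exposed for this entry
            actual=$(cat "$file")
            if [ "$actual" != "$expected" ]; then
                echo "$iface $key=$actual expected=$expected"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Constructed sample tree (not taken from a real host): "all" and "default"
# are hardened, but eth1 would still accept RAs if IPv6 were re-enabled.
demo_dir=$(mktemp -d)
for i in all default eth1; do
    mkdir -p "$demo_dir/$i"
    echo 1 > "$demo_dir/$i/disable_ipv6"
    echo 0 > "$demo_dir/$i/autoconf"
    echo 0 > "$demo_dir/$i/accept_ra"
done
echo 1 > "$demo_dir/eth1/accept_ra"
audit_ipv6_sysctl "$demo_dir" || echo "sample tree is not compliant"
rm -rf "$demo_dir"
```

On a node, call `audit_ipv6_sysctl` with no argument to read /proc/sys/net/ipv6/conf directly.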
