ipv6: Do not allow Secondary IPv6 addresses to be EUI-64 (apache#3136)

wido · GabrielBrascher · commit f967944d9008 · 2019-01-21T09:20:27.000-02:00
* netutils: Add method to verify if IPv6 Address is EUI-64

By checking if ff:fe is present in the address we can see if an IPv6 Address
is EUI-64 or not.

Signed-off-by: Wido den Hollander &lt;wido@widodh.nl&gt;

* ipv6: Do not allow a Secondary IPv6 address to be EUI-64

EUI-64 addresses should not be allowed as they can be used in the future by a to be
deployed Instance which has to obtain this address because it matches it's MAC.

In a /64 subnet there are more then enough other IPs available to be allocated to
Instances, therefor we can safely disallow the allocation of EUI-64 addresses.

Signed-off-by: Wido den Hollander &lt;wido@widodh.nl&gt;
diff --git a/server/src/main/java/com/cloud/network/Ipv6AddressManagerImpl.java b/server/src/main/java/com/cloud/network/Ipv6AddressManagerImpl.java
@@ -104,6 +104,11 @@ public String acquireGuestIpv6Address(Network network, String requestedIpv6) thr
                     network.getDataCenterId());
         }
 
+        if (NetUtils.isIPv6EUI64(requestedIpv6)) {
+            throw new InsufficientAddressCapacityException(String.format("Requested IPv6 address [%s] may not be a EUI-64 address", requestedIpv6), DataCenter.class,
+                    network.getDataCenterId());
+        }
+
         checkIfCanAllocateIpv6Address(network, requestedIpv6);
 
         IpAddresses requestedIpPair = new IpAddresses(null, requestedIpv6);
diff --git a/server/src/test/java/com/cloud/network/Ipv6AddressManagerTest.java b/server/src/test/java/com/cloud/network/Ipv6AddressManagerTest.java
@@ -248,4 +248,11 @@ public void setNICIPv6AddressTest() {
 
         Assert.assertEquals(expected, nic.getIPv6Address());
     }
+
+    @Test(expected = InsufficientAddressCapacityException.class)
+    public void acquireGuestIpv6AddressEUI64Test() throws InsufficientAddressCapacityException {
+        setAcquireGuestIpv6AddressTest(true, State.Free);
+        String requestedIpv6 = setCheckIfCanAllocateIpv6AddresscTest("2001:db8:13f::1c00:4aff:fe00:fe", false, false);
+        ip6Manager.acquireGuestIpv6Address(network, requestedIpv6);
+    }
 }
diff --git a/utils/src/main/java/com/cloud/utils/net/NetUtils.java b/utils/src/main/java/com/cloud/utils/net/NetUtils.java
@@ -88,6 +88,10 @@ public class NetUtils {
     private final static Random s_rand = new Random(System.currentTimeMillis());
     private final static long prefix = 0x1e;
 
+    // RFC4291 IPv6 EUI-64
+    public final static int IPV6_EUI64_11TH_BYTE = -1;
+    public final static int IPV6_EUI64_12TH_BYTE = -2;
+
     public static long createSequenceBasedMacAddress(final long macAddress, long globalConfig) {
         /*
             Logic for generating MAC address:
@@ -1582,6 +1586,29 @@ public static IPv6Address ipv6LinkLocal(final String macAddress) {
         return EUI64Address(IPv6Network.LINK_LOCAL_NETWORK, macAddress);
     }
 
+    /**
+     * When using StateLess Address AutoConfiguration (SLAAC) for IPv6 the addresses
+     * choosen by hosts in a network are based on the 48-bit MAC address and this is expanded to 64-bits
+     * with EUI-64
+     * FFFE is inserted into the address and these can be identified
+     *
+     * By converting the IPv6 Address to a byte array we can check the 11th and 12th byte to see if the
+     * address is EUI064.
+     *
+     * See RFC4291 for more information
+     *
+     * @param address IPv6Address to be checked
+     * @return True if Address is EUI-64 IPv6
+     */
+    public static boolean isIPv6EUI64(final IPv6Address address) {
+        byte[] bytes = address.toByteArray();
+        return (bytes[11] == IPV6_EUI64_11TH_BYTE && bytes[12] == IPV6_EUI64_12TH_BYTE);
+    }
+
+    public static boolean isIPv6EUI64(final String address) {
+        return NetUtils.isIPv6EUI64(IPv6Address.fromString(address));
+    }
+
     /**
      * Returns true if the given IP address is IPv4 or false if it is an IPv6. If it is an invalid IP address it throws an exception.
      */
diff --git a/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java b/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java
@@ -701,4 +701,12 @@ public void testAllIpsOfDefaultNic() {
             assertTrue(NetUtils.getAllDefaultNicIps().stream().anyMatch(defaultHostIp::contains));
         }
     }
+
+    @Test
+    public void testIsIPv6EUI64() {
+        assertTrue(NetUtils.isIPv6EUI64("fe80::5054:8fff:fe9f:af61"));
+        assertTrue(NetUtils.isIPv6EUI64("2a00:f10:305:0:464:64ff:fe00:4e0"));
+        assertFalse(NetUtils.isIPv6EUI64("2001:db8::100:1"));
+        assertFalse(NetUtils.isIPv6EUI64("2a01:4f9:2a:185f::2"));
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -248,4 +248,11 @@ public void setNICIPv6AddressTest() {`
`248`	`248`
`249`	`249`	`Assert.assertEquals(expected, nic.getIPv6Address());`
`250`	`250`	`}`
	`251`	`+`
	`252`	`+ @Test(expected = InsufficientAddressCapacityException.class)`
	`253`	`+ public void acquireGuestIpv6AddressEUI64Test() throws InsufficientAddressCapacityException {`
	`254`	`+ setAcquireGuestIpv6AddressTest(true, State.Free);`
	`255`	`+ String requestedIpv6 = setCheckIfCanAllocateIpv6AddresscTest("2001:db8:13f::1c00:4aff:fe00:fe", false, false);`
	`256`	`+ ip6Manager.acquireGuestIpv6Address(network, requestedIpv6);`
	`257`	`+ }`
`251`	`258`	`}`
Original file line number	Diff line number	Diff line change
`@@ -701,4 +701,12 @@ public void testAllIpsOfDefaultNic() {`
`701`	`701`	`assertTrue(NetUtils.getAllDefaultNicIps().stream().anyMatch(defaultHostIp::contains));`
`702`	`702`	`}`
`703`	`703`	`}`
	`704`	`+`
	`705`	`+ @Test`
	`706`	`+ public void testIsIPv6EUI64() {`
	`707`	`+ assertTrue(NetUtils.isIPv6EUI64("fe80::5054:8fff:fe9f:af61"));`
	`708`	`+ assertTrue(NetUtils.isIPv6EUI64("2a00:f10:305:0:464:64ff:fe00:4e0"));`
	`709`	`+ assertFalse(NetUtils.isIPv6EUI64("2001:db8::100:1"));`
	`710`	`+ assertFalse(NetUtils.isIPv6EUI64("2a01:4f9:2a:185f::2"));`
	`711`	`+ }`
`704`	`712`	`}`