openstack team mailing list archive
Message #09870
Re: Metadata and File Injection (code summit session?)
On Apr 10, 2012, at 4:24 PM, Justin Santa Barbara wrote:
> One advantage of a network metadata channel is it allows for communication with cloud provider services without having to put a key into the vm. In other words, the vm can be authenticated via its ipv6 address.
>
> Did you have a use case in mind here? It seems that Keystone could use the IPV6 address to authenticate an instance without having to upload credentials, which would indeed be useful (e.g. for auto-scaling), but I don't see why that needs any special metadata support (?)
Arbitrarily allowing keystone to authenticate ipv6 would be vulnerable to spoofing. You need a channel direct from guest-host-keystone to be sure. I think authentication is the main concern, because if auth is over a secure channel, then you can do all of the other communication over the regular internet. The vm could connect to the control domain for a service by subscribing to a message queue (for example) via a public ip.
You could also secure the channel by having a private network attached to the vm and only putting the control domain for the service on the private network. Having keystone validate ipv6 only over that network might be an option.
Vish
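
The following sketch is an added example, not part of the original message and not Keystone or Nova code. It illustrates the last suggestion, trusting an instance's IPv6 address only when the request arrived over the private control network; the interface name, prefix, bindings and the `authenticate` function are all hypothetical.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
CONTROL_IFACE = "ctl0"                                  # private control-network interface
CONTROL_NET = ipaddress.ip_network("fd00:c0de::/64")    # prefix routed only on that network
# Address bindings recorded by the host when it attaches each instance.
BINDINGS = {
    "instance-a": ipaddress.ip_address("fd00:c0de::a"),
    "instance-b": ipaddress.ip_address("fd00:c0de::b"),
}


def authenticate(arrival_iface, source_addr, bindings=BINDINGS):
    """Return the instance id for a request, or None if the address is not trusted.

    arrival_iface is the local interface the connection was accepted on. It must
    come from the listening socket, never from anything the client sends.
    """
    # On any other interface the source address proves nothing: a remote
    # sender can forge it, which is the spoofing concern raised above.
    if arrival_iface != CONTROL_IFACE:
        return None
    try:
        # Drop a zone id such as "%ctl0" before parsing.
        addr = ipaddress.ip_address(source_addr.split("%", 1)[0])
    except ValueError:
        return None
    if addr.version != 6 or addr not in CONTROL_NET:
        return None
    # Compare parsed addresses, so different textual forms of one address match.
    for instance_id, bound in bindings.items():
        if bound == addr:
            return instance_id
    return None
```
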