While testing the SDN in VLAN mode, I noticed that SDN interfaces on a PVE host have a link-local IPv6 address. Is this expected behavior? You can use this link-local address to access the PVE host from a VM on a VLAN-mode SDN interface.
I feel like there shouldn't be any address configured on an SDN interface when running in VLAN mode, since these are only layer-2 bridge interfaces and are only supposed to be used by VMs.
---
Here's what I mean; I created a VLAN zone named "demo" utilizing the "vmbr0" bridge present on the host.
Then I created a new VNet named "Servers" in the zone utilizing vlan tag 50.
From my PVE host; note the link-local and MAC addresses:
Code:
root@px1:~# ip a show dev Servers
17: Servers: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 42:d2:9e:e2:b6:46 brd ff:ff:ff:ff:ff:ff
inet6 fe80::40d2:9eff:fee2:b646/64 scope link
valid_lft forever preferred_lft forever
Then I add a VM to the "Servers" SDN interface, and I can reach the PVE MGMT interface from the VM:
Code:
# I can see neighborship to the PVE host
[hlopez@web1 ~]$ ip -6 n | grep fe80::40d2:9eff:fee2:b646
fe80::40d2:9eff:fee2:b646 dev ens18 lladdr 42:d2:9e:e2:b6:46 router REACHABLE
# I can ping the PVE host
[hlopez@web1 ~]$ ping fe80::40d2:9eff:fee2:b646%ens18
PING fe80::40d2:9eff:fee2:b646%ens18(fe80::40d2:9eff:fee2:b646%ens18) 56 data bytes
64 bytes from fe80::40d2:9eff:fee2:b646%ens18: icmp_seq=1 ttl=64 time=0.218 ms
^C
--- fe80::40d2:9eff:fee2:b646%ens18 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.218/0.218/0.218/0.000 ms
# I can hit web/ssh management via link-local
[hlopez@web1 ~]$ ssh root@fe80::40d2:9eff:fee2:b646%ens18
root@fe80::40d2:9eff:fee2:b646%ens18's password:
[hlopez@web1 ~]$ curl https://[fe80::40d2:9eff:fee2:b646%ens18]:8006 --insecure -s | grep Virtual
<title>px1 - Proxmox Virtual Environment</title>
---
The default SDN configuration needlessly exposes PVE management to any host on an SDN VLAN VNet if not explicitly blocked by a datacenter or host-level firewall rule. I feel like this shouldn't be default behavior.
If SDN is in VLAN mode and acting solely as a bridge interface, should the interface really have a link-local address? Can this be mitigated by Proxmox creating these SDN interfaces without a link-local address/IPv6 disabled at the interface level?
Is there something I'm maybe missing or have misunderstood about Proxmox/Linux networking, or just failed to consider?
Thanks.
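As an added example (not from the post or from Proxmox), here is a small POSIX shell audit for the situation described above: it lists every interface that currently carries an fe80::/10 link-local address and emits the per-interface kernel sysctls that stop the host's own IPv6 stack from living on a VNet bridge, while leaving the management bridge alone. The `ip -o -6` sample is constructed to mirror the post's output; `vmbr0` and `Servers` are the names from the post.

```shell
#!/bin/sh
# Audit VNet bridge interfaces for host-side IPv6 link-local addresses.

# Constructed sample of `ip -o -6 addr show scope link` (not real host data).
# With -o, every address is one line: "<idx>: <ifname> inet6 <addr>/<plen> scope link ..."
SAMPLE_IP6='2: vmbr0    inet6 fe80::1234:56ff:fe78:9abc/64 scope link \       valid_lft forever preferred_lft forever
17: Servers    inet6 fe80::40d2:9eff:fee2:b646/64 scope link \       valid_lft forever preferred_lft forever'

# link_local_ifaces: read `ip -o -6 addr show scope link` output on stdin and
# print the name of every interface that has an fe80::/10 address.
link_local_ifaces() {
  awk '$3 == "inet6" && $4 ~ /^fe80:/ { print $2 }'
}

# audit_live: same check against the running host (needs iproute2).
audit_live() {
  ip -o -6 addr show scope link | link_local_ifaces
}

# sysctl_fix MGMT_IF IFACE...: for each VNet interface (except the management
# bridge) emit the kernel knobs that
#   - stop the kernel generating a link-local address (addr_gen_mode=1 means "none"), and
#   - disable the host's IPv6 stack on that interface entirely (disable_ipv6=1).
# Bridged VM traffic is layer 2 and is not affected by either setting.
# Apply with: sysctl_fix vmbr0 $(audit_live) | sysctl -p -
sysctl_fix() {
  mgmt="$1"; shift
  for ifc in "$@"; do
    [ "$ifc" = "$mgmt" ] && continue
    printf 'net.ipv6.conf.%s.addr_gen_mode = 1\n' "$ifc"
    printf 'net.ipv6.conf.%s.disable_ipv6 = 1\n' "$ifc"
  done
}
```

Per-interface sysctls only exist once the interface does, so they must be reapplied whenever the SDN configuration recreates a VNet (for example from an ifupdown2 post-up hook); `net.ipv6.conf.default.addr_gen_mode = 1` instead covers interfaces created afterwards, at the cost of applying to every new interface.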