==== Minutes of IPv6 Project Meeting on March 13, 2015 ====

  * ''Date and Time'': UTC 15:00, Friday March 13, 2015
  * ''Convenor'': Bin Hu (AT&T)
  * ''Participants'':
    * Al Morton (AT&T)
    * Hui Deng (China Mobile)
    * Iben Rodriguez (Spirent)
    * Jonne Soininen (Nokia)
    * Manuel Rebellon (Sandvine)
    * Mark Medina (ClearPath)
    * Sridhar Gaddam (RedHat)

  * Admin Update

None

  * Review of Action Items
    * Looking into IPv6 First-Hop Security, and use cases of Static IPv6 and Sub-delegation

Both Jonne and Bin looked into Cisco's article [[http://www.cisco.com/web/about/security/intelligence/ipv6_first_hop.html| IPv6 First-Hop Security]]. Both felt that this is a good article about the potential threats/concerns at the first-hop of IPv6 infrastructure. We need to have a deep dive of their solution and guidelines to decide whether or not we need to this feature.

Jonne got the action to further look into the need of IPv6 First-Hop security feature.

Sridhar shared a [[https://bugs.launchpad.net/neutron/+bug/1274034| bug report]] and a set of [[https://review.openstack.org/#/q/topic:bug/1274034,n,z| patches]] with regard to ARP spoofing. Sridhar got an action of further looking into those patches, and will report his findings of how well IPv6 First-Hop Security can be addressed in those patches, and if there is any gaps.

    * Revision of PoC 1 design - dual stack, terminology change and 2 diagrams

Mark updated the terminology in the diagram. The others are work in progress, and will give further update next week.

    * Anti-spoofing workaround - Mark, Sridhar and Iben

Sridhar shared his findings in [[http://lists.opnfv.org/pipermail/opnfv-tech-discuss/2015-March/001584.html| mailing list]]. The conclusion is that because of the anti-spoofing rule, we will not be able to run a router (i.e., forwarding use-case) inside the VM. In-order to support this requirement, we would need the [[http://specs.openstack.org/openstack/neutron-specs/specs/kilo/ml2-ovs-portsecurity.html| port-security 
extension]] proposed for kilo.

The group discussed alternatives. The consensus is that we may need a small patch for Neutron to disable the anti-spoofing rule in Juno in order to achieve a successful demo. Sridhar got an action to provide this patch.

  * Next Steps / New Actions
    * Looking into IPv6 First-Hop Security, and use cases of Static IPv6 and Sub-delegation
      * Jonne does a deep-dive and further looks into the need of IPv6 First-Hop Security feature
      * Sridhar looks into how well IPv6 First-Hop Security can be addressed in [[https://review.openstack.org/#/q/topic:bug/1274034,n,z| patches]], and if there is any gaps
    * Revision of PoC 1 design - dual stack, terminology change and 2 diagrams
      * Mark further works on the new diagram
    * Anti-spoofing patch to disable anti-spoofing rule in Neutron of Juno
      * Sridhar works on the patch

Meeting adjourned.