I guess I need to decide what options to add
Maybe Yubikey + Google authenticator would be enough? I can put it on the TODO list after the next major overhaul.So, about that overhaul. With bandwidth pooling well on its way to being merged, we're looking at completely overhauling our IPV6 platform. Here are the features I've come up with so far and wanted more feedback.
- Ability to delegate the nameservers of subnets to whatever nameservers you want
- Ability to allocate anycasted IPV6 addresses
- Ability to route additional /64's to a single IP address
- Ability to assign anycasted routed /64 subnets
- Ability to assign single anycasted IPV6 addresses from a communal /64?
- Change how IPV6 subnets are assigned*
Anything else?
We wouldn't allocate a /56 like linode does and static route it to a single VM. Customers would be able to assign/remove /64's as they please. All routing would be handled on our end making this pretty painless.
With the code merge we did for floating IP's, adding all these IPV6 improvements isn't all that difficult. This would also work perfectly fine for OpenVZ, we'd just have to force users to use VETH interfaces to make it work (just like they have to do now for anycasted addresses). You'd be able to enable/disable routing as well as change the destination IP of the static route (select box drop down).
The next big change would be to make it so we're properly allocating subnets, instead of how we do it now where users get a virtual /64 but they still have to use a /48 gateway. The idea would be that when a VPS is provisioned (more on this in a second), it'd contact our localized IPV6 routers and bind ::1/64 to its LAN facing side, and you'd have a proper /64 (it isn't autoconfigured but that's eh). Now, ideally I'd like to make it so all ::1's are bound to these V6 routers, but since there's probably a lot of users with ::1 IP's for their own things, that isn't an option (at least on old allocations).
Ultimately we'll stop using VENET all together and slowly move everyone to VETH just because it makes administration that much easier. The biggest issue is we'd have to port the scripts OpenVZ wrote to support address assignment easily.
All feedback is welcome
Francisco