do not expose ports over IPv6 unless published

[ibukanov]

Currently with IPv6 in practice port publishing is no-op. With IPv6 it is expected that a container that is exposed to outside world should have globally routable IPv6 address so all its ports are exposed.

This is bad from a security point of view as it makes very easy to accidentally expose a port that should only be open to members of a docker network. Case in point is a password-less database container that is a part of an application that is exposed over IPv6 to Internet. With typical images unless one is careful such DB container can also be exposed to the internet over IPv6.

It would be nice if docker provide a setting so only ports that are explicitly exposed on the command line will be reachable over IPv6 from outside a docker network. Other ports should be blocked by a firewall rule.

[thaJeztah]

/cc @mavenugo

[robbertkl]

For this purpose, I've created docker-ipv6nat. You give your containers non-routable addresses and published ports are forwarded to your containers, just like with IPv4. Probably IPv6 NAT won't make it into Docker anytime soon (or at all), so for a solution in the meantime, you could give this a try.

[thaJeztah]

@robbertkl thanks for sharing! 👍

[LK4D4]

ping @mavenugo @sanimej @aboch

[treysis]

will we see a solution to this eventually?

[ell1e]

It seems like moby/libnetwork#2572 might either solve this, or provide the foundation for a proper solution. I'm not sure though how far docker itself already uses/exposes this functionality