IPv6 deployment on OpenStack

Brian Haley haleyb.dev at gmail.com
Wed Mar 9 17:14:20 UTC 2022


Hi,

On 3/9/22 10:01, Marc-Antoine Godde wrote:
> Hello,
> 
> Thanks for these information. Indeed, we were obtaining link-local 
> address for the gateway with the OpenStack router.
> 
> Even if it’s contrary to the RFC, do yo know if it’s possible to send RA 
> from OpenStack on behalf of our datacenter router ? That way, we could 
> limit the load on our datacenter router.

 From my memory of the RFCs, the link-local of the sender is important 
in the RA message, but I could be remembering it wrong, or there could 
be an option to override that. I can't say I've seen it been done like this.

Is the load really that much to send periodic RAs and respond to RSs? 
Most routers have supported this for 15+ years by now so should be able 
to handle it.

-Brian

>> On 9 Mar 2022, at 03:28, Laurent Dumont <laurentfdumont at gmail.com> wrote:
>>
>> 
>> That really depends on if you want Openstack to play an active role.
>>
>> If the VMs are only connected to the Provider/External network on 
>> VLAN51, than SLAAC should happen without Openstack being involved. If 
>> you tcpdump on those VM, you should have seen the RA or some kind of 
>> traffic arrive.
>>
>> If the VMs are getting the RA for the qrouter in Openstack, I do 
>> believe that your gateway might become the link-local on that qrouter. 
>> This means that the qrouter is now processing the out of subnet 
>> traffic for those VMs. That might not be the expected flow.
>>
>> On Tue, Mar 8, 2022 at 9:14 PM Marc-Antoine Godde 
>> <marc-antoine.godde at viarezo.fr <mailto:marc-antoine.godde at viarezo.fr>> 
>> wrote:
>>
>>     Hello,
>>
>>     Indeed, this network is connected to our physical network (VLAN 51
>>     for testing), xxxx:xxxx:2f1:aaaa::1 is an interface on our
>>     physical router.
>>
>>     Finally, we successfully started RADVD by adding a network
>>     interface in the subnet to a virtual router in OpenStack. This
>>     gave IPs to VMs, they were able to communicate between each other.
>>     Obviously, this network topology isn’t making any sense, we can’t
>>     route traffic outside. It was just for testing.
>>
>>     Now, the goal is route the traffic of VMs. I see two paradigms.
>>     The first one, we use our physical router to send RA directly to
>>     VMs. The second one, we use a private subnet
>>     (xxxx:xxxx:2f1:bbbb::/64 for instance) in a non external network
>>     of OpenStack. We add a virtual router to that subnet, we now have
>>     RADVD. We use that router to route traffic to an external network
>>     of OpenStack. What is best ?
>>
>>     Marc-Antoine
>>
>>>     Le 8 mars 2022 à 23:47, Brian Haley <haleyb.dev at gmail.com
>>>     <mailto:haleyb.dev at gmail.com>> a écrit :
>>>
>>>     Hi Marc-Antoine,
>>>
>>>     See inline...
>>>
>>>     On 3/8/22 11:18, Marc-Antoine Godde wrote:
>>>>     Hi,
>>>>     Here’s what we’ve done.
>>>>     We created a network:
>>>>     Name
>>>>        ipv6-testing-network
>>>>     ID
>>>>        9d5ca309-1861-4422-bcff-8818f9762a6f
>>>>     Project ID
>>>>        653f5a2e60d34768a8629e5d4fca0738
>>>>     Status
>>>>        Active
>>>>     Admin State
>>>>        UP
>>>>     Shared
>>>>        Yes
>>>>     External Network
>>>>        Yes
>>>>     MTU
>>>>        1500
>>>>     Provider Network
>>>>        Network Type: vlan
>>>>        Physical Network: vlan
>>>>        Segmentation ID: 51
>>>
>>>     So this is an external provider network connected to your
>>>     datacenter network, correct? In the case Slawek was describing I
>>>     believe he was talking about an internal private network, which
>>>     when a neutron router is attached will trigger radvd to be
>>>     spawned, etc.
>>>
>>>     In this case VMs booted on this network should be seeing RAs from
>>>     your datacenter router, if it's sending them. If it's not that
>>>     would explain why they only have a link-local IPv6 address since
>>>     the neutron router will not spawn radvd to run on the external
>>>     network.
>>>
>>>     BTW, I'm trying to compare this to my local setup, but since I'm
>>>     not running Horizon just using 'openstack network show...',
>>>     'openstack subnet show...' output, which is slightly different,
>>>     but looks to match what you're doing.
>>>
>>>     Is your plan to have private IPv6 subnets that are then routed to
>>>     your external network or is this just a test?
>>>
>>>     -Brian
>>>
>>>
>>>>     We created a subnet:
>>>>     Name
>>>>        ipv6-testing-v6
>>>>     ID
>>>>        763771d4-b9d7-419a-ba04-97ce3abaf152
>>>>     Project ID
>>>>        653f5a2e60d34768a8629e5d4fca0738
>>>>     Network Name
>>>>        ipv6-testing-network
>>>>     Network ID
>>>>        9d5ca309-1861-4422-bcff-8818f9762a6f
>>>>        <https://openstack.viarezo.fr/project/networks/9d5ca309-1861-4422-bcff-8818f9762a6f/detail
>>>>     <https://openstack.viarezo.fr/project/networks/9d5ca309-1861-4422-bcff-8818f9762a6f/detail>>
>>>>     Subnet Pool
>>>>        None
>>>>     IP Version
>>>>        IPv6
>>>>     CIDR
>>>>        xxxx:xxxx:2f1:aaaa::/64
>>>>     IP Allocation Pools
>>>>        Start xxxx:xxxx:2f1:aaaa::2 - End
>>>>     xxxx:xxxx:2f1:aaaa:ffff:ffff:ffff:ffff
>>>>     Gateway IP
>>>>        xxxx:xxxx:2f1:aaaa::1
>>>>     DHCP Enabled
>>>>        Yes
>>>>     IPv6 Address Configuration Mode
>>>>        SLAAC: Address discovered from OpenStack Router
>>>>     Additional Routes
>>>>        None
>>>>     DNS Name Servers
>>>>        None
>>>>     We created Ubuntu and Debian instances. According to Horizon,
>>>>     the instance IPv6 is xxxx:xxxx:2f1:aaaa:f816:3eff:fe6d:c41a.
>>>>     Yet, we only have a link local address which is
>>>>     fe80::f816:3eff:fe6d:c41a/64. TCPdump indicates no Router
>>>>     Advertisement. We tried with and without adding a router on the
>>>>     Network in Horizon. ICMPv6 is authorized in INGRESS from ::/0.
>>>>     We checked on the controllers, the computes and in the Neutron
>>>>     containers, systemctl indicated no instance of RADVD. Maybe we
>>>>     checked incorrectly...
>>>>     Do you have any suggestions ? I add that we are working with
>>>>     OpenStack Ussuri deployed with OpenStack-ansible.
>>>>     Thanks,
>>>>     Marc-Antoine
>>>>>     Le 8 mars 2022 à 08:59, Slawek Kaplonski <skaplons at redhat.com
>>>>>     <mailto:skaplons at redhat.com><mailto:skaplons at redhat.com
>>>>>     <mailto:skaplons at redhat.com>>> a écrit :
>>>>>
>>>>>     Hi,
>>>>>
>>>>>     On poniedziałek, 7 marca 2022 10:36:30 CET Marc-Antoine Godde
>>>>>     wrote:
>>>>>>     Hello,
>>>>>>
>>>>>>     Thanks for your answer.
>>>>>>
>>>>>>     If I’m correct, we can just use a virtual router with SLAAC
>>>>>>     since RADVD can deal with RS and emit RA (with support for
>>>>>>     RFC6106), right ?
>>>>>
>>>>>     Yes, virtual router created in the Neutron is enough there. It
>>>>>     will spawn radvd in the qrouter namespace and will send RA to
>>>>>     the Vms.
>>>>>     Please note that Neutron don't supports privacy extension [1]
>>>>>     so You will need to make sure that it's disabled it on Your vms.
>>>>>
>>>>>>     More generally, aren’t we suppose to have a virtual router
>>>>>>     every time, even in DHCPv6 (stateless and statefull), to
>>>>>>     answer RS ? I have to admit that I’m not very familiar at the
>>>>>>     moment with the implementations of RFCs in OpenStack.
>>>>>>
>>>>>>     Currently, we prefer the idea of adding IPv6 through SLAAC to
>>>>>>     have a uniform network. If we do so, we’d like to avoid
>>>>>>     sending RA from our physical router to limit its load. Yet, we
>>>>>>     do not any other arguments to support this choice.
>>>>>>     Do you have any recommendations on what to do in latest
>>>>>>     versions of OpenStack ? What is usually done ?
>>>>>
>>>>>     TBH I don't have such experience. That's more question to
>>>>>     operators of OpenStack.
>>>>>
>>>>>>
>>>>>>     Thanks,
>>>>>>     Marc-Antoine
>>>>>>
>>>>>>>     Le 7 mars 2022 à 09:12, Slawek Kaplonski <skaplons at redhat.com
>>>>>>>     <mailto:skaplons at redhat.com><mailto:skaplons at redhat.com
>>>>>>>     <mailto:skaplons at redhat.com>>> a écrit :
>>>>>>>
>>>>>>>     Hi,
>>>>>>>
>>>>>>>     On poniedziałek, 7 marca 2022 02:36:24 CET Marc-Antoine Godde
>>>>>>>     wrote:
>>>>>>>>     Hello.
>>>>>>>>
>>>>>>>>     We are progressively adding support for IPv6 in my company.
>>>>>>>>     We decided to use SLAAC only for laptops, phones, … since
>>>>>>>>     DHCPv6 isn’t supported on Android. RDNSS support will also
>>>>>>>>     increase. We are now planning our deployment on OpenStack.
>>>>>>>>     We already know that we'll rely only on neutron but we are
>>>>>>>>     not yet fixed between DHCPv6 and SLAAC ? Do you have any
>>>>>>>>     arguments for one these for VMs ?
>>>>>>>>
>>>>>>>>     Thanks,
>>>>>>>>     Marc-Antoine.
>>>>>>>>
>>>>>>>
>>>>>>>     With SLAAC You need to have Your network connected to the
>>>>>>>     router in Neutron and You can only configure IP address on
>>>>>>>     the VM. With DHCPv6 You can configure other things, like some
>>>>>>>     static-routes, etc.
>>>>>>>     Neutron supports DHCPv6 in the stateful and stateless
>>>>>>>     variants. With stateless, You are using RA for address
>>>>>>>     configuration and DHCP server for other configation. Please
>>>>>>>     see [1] for more details.
>>>>>>>
>>>>>>>     [1]https://docs.openstack.org/neutron/latest/admin/config-ipv6.html#address-modes-for-ports
>>>>>>>     <https://docs.openstack.org/neutron/latest/admin/config-ipv6.html#address-modes-for-ports><https://docs.openstack.org/neutron/latest/admin/config-ipv6.html#address-modes-for-ports
>>>>>>>     <https://docs.openstack.org/neutron/latest/admin/config-ipv6.html#address-modes-for-ports>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>     [1]https://datatracker.ietf.org/doc/html/rfc4941
>>>>>     <https://datatracker.ietf.org/doc/html/rfc4941><https://datatracker.ietf.org/doc/html/rfc4941
>>>>>     <https://datatracker.ietf.org/doc/html/rfc4941>>
>>>>>
>>>>>     --
>>>>>     Slawek Kaplonski
>>>>>     Principal Software Engineer
>>>>>     Red Hat
>>



More information about the openstack-discuss mailing list