<div dir="ltr">That really depends on if you want Openstack to play an active role.<div><br></div><div>If the VMs are only connected to the Provider/External network on VLAN51, than SLAAC should happen without Openstack being involved. If you tcpdump on those VM, you should have seen the RA or some kind of traffic arrive.</div><div><br></div><div>If the VMs are getting the RA for the qrouter in Openstack, I do believe that your gateway might become the link-local on that qrouter. This means that the qrouter is now processing the out of subnet traffic for those VMs. That might not be the expected flow.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 8, 2022 at 9:14 PM Marc-Antoine Godde <<a href="mailto:marc-antoine.godde@viarezo.fr">marc-antoine.godde@viarezo.fr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;">Hello,<div><br></div><div>Indeed, this network is connected to our physical network (VLAN 51 for testing), xxxx:xxxx:2f1:aaaa::1 is an interface on our physical router.</div><div><br></div><div>Finally, we successfully started RADVD by adding a network interface in the subnet to a virtual router in OpenStack. This gave IPs to VMs, they were able to communicate between each other. Obviously, this network topology isn’t making any sense, we can’t route traffic outside. It was just for testing.</div><div><br></div><div>Now, the goal is route the traffic of VMs. I see two paradigms. The first one, we use our physical router to send RA directly to VMs. The second one, we use a private subnet (<span style="color:rgb(0,0,0)">xxxx:xxxx:2f1:bbbb::/64 for instance) in a non external network of OpenStack. We add a virtual router to that subnet, we now have RADVD. We use that router to route traffic to an external network of OpenStack. What is best ?</span></div><div><font color="#000000"><span><br></span></font></div><div><font color="#000000"><span>Marc-Antoine<br></span></font><div><br><blockquote type="cite"><div>Le 8 mars 2022 à 23:47, Brian Haley <<a href="mailto:haleyb.dev@gmail.com" target="_blank">haleyb.dev@gmail.com</a>> a écrit :</div><br><div><span style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">Hi Marc-Antoine,</span><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">See inline...</span><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">On 3/8/22 11:18, Marc-Antoine Godde wrote:</span><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><blockquote type="cite" style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">Hi,<br>Here’s what we’ve done.<br>We created a network:<br>Name<br>   ipv6-testing-network<br>ID<br>   9d5ca309-1861-4422-bcff-8818f9762a6f<br>Project ID<br>   653f5a2e60d34768a8629e5d4fca0738<br>Status<br>   Active<br>Admin State<br>   UP<br>Shared<br>   Yes<br>External Network<br>   Yes<br>MTU<br>   1500<br>Provider Network<br>   Network Type: vlan<br>   Physical Network: vlan<br>   Segmentation ID: 51<br></blockquote><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">So this is an external provider network connected to your datacenter network, correct? In the case Slawek was describing I believe he was talking about an internal private network, which when a neutron router is attached will trigger radvd to be spawned, etc.</span><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">In this case VMs booted on this network should be seeing RAs from your datacenter router, if it's sending them. If it's not that would explain why they only have a link-local IPv6 address since the neutron router will not spawn radvd to run on the external network.</span><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">BTW, I'm trying to compare this to my local setup, but since I'm not running Horizon just using 'openstack network show...', 'openstack subnet show...' output, which is slightly different, but looks to match what you're doing.</span><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">Is your plan to have private IPv6 subnets that are then routed to your external network or is this just a test?</span><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">-Brian</span><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><blockquote type="cite" style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">We created a subnet:<br>Name<br>   ipv6-testing-v6<br>ID<br>   763771d4-b9d7-419a-ba04-97ce3abaf152<br>Project ID<br>   653f5a2e60d34768a8629e5d4fca0738<br>Network Name<br>   ipv6-testing-network<br>Network ID<br>   9d5ca309-1861-4422-bcff-8818f9762a6f<br>   <<a href="https://openstack.viarezo.fr/project/networks/9d5ca309-1861-4422-bcff-8818f9762a6f/detail" target="_blank">https://openstack.viarezo.fr/project/networks/9d5ca309-1861-4422-bcff-8818f9762a6f/detail</a>><br>Subnet Pool<br>   None<br>IP Version<br>   IPv6<br>CIDR<br>   xxxx:xxxx:2f1:aaaa::/64<br>IP Allocation Pools<br>   Start xxxx:xxxx:2f1:aaaa::2 - End xxxx:xxxx:2f1:aaaa:ffff:ffff:ffff:ffff<br>Gateway IP<br>   xxxx:xxxx:2f1:aaaa::1<br>DHCP Enabled<br>   Yes<br>IPv6 Address Configuration Mode<br>   SLAAC: Address discovered from OpenStack Router<br>Additional Routes<br>   None<br>DNS Name Servers<br>   None<br>We created Ubuntu and Debian instances. According to Horizon, the instance IPv6 is xxxx:xxxx:2f1:aaaa:f816:3eff:fe6d:c41a. Yet, we only have a link local address which is fe80::f816:3eff:fe6d:c41a/64. TCPdump indicates no Router Advertisement. We tried with and without adding a router on the Network in Horizon. ICMPv6 is authorized in INGRESS from ::/0.<br>We checked on the controllers, the computes and in the Neutron containers, systemctl indicated no instance of RADVD. Maybe we checked incorrectly...<br>Do you have any suggestions ? I add that we are working with OpenStack Ussuri deployed with OpenStack-ansible.<br>Thanks,<br>Marc-Antoine<br><blockquote type="cite">Le 8 mars 2022 à 08:59, Slawek Kaplonski <<a href="mailto:skaplons@redhat.com" target="_blank">skaplons@redhat.com</a><span> </span><<a href="mailto:skaplons@redhat.com" target="_blank">mailto:skaplons@redhat.com</a>>> a écrit :<br><br>Hi,<br><br>On poniedziałek, 7 marca 2022 10:36:30 CET Marc-Antoine Godde wrote:<br><blockquote type="cite">Hello,<br><br>Thanks for your answer.<br><br>If I’m correct, we can just use a virtual router with SLAAC since RADVD can deal with RS and emit RA (with support for RFC6106), right ?<br></blockquote><br>Yes, virtual router created in the Neutron is enough there. It will spawn radvd in the qrouter namespace and will send RA to the Vms.<br>Please note that Neutron don't supports privacy extension [1] so You will need to make sure that it's disabled it on Your vms.<br><br><blockquote type="cite">More generally, aren’t we suppose to have a virtual router every time, even in DHCPv6 (stateless and statefull), to answer RS ? I have to admit that I’m not very familiar at the moment with the implementations of RFCs in OpenStack.<br><br>Currently, we prefer the idea of adding IPv6 through SLAAC to have a uniform network. If we do so, we’d like to avoid sending RA from our physical router to limit its load. Yet, we do not any other arguments to support this choice.<br>Do you have any recommendations on what to do in latest versions of OpenStack ? What is usually done ?<br></blockquote><br>TBH I don't have such experience. That's more question to operators of OpenStack.<br><br><blockquote type="cite"><br>Thanks,<br>Marc-Antoine<br><br><blockquote type="cite">Le 7 mars 2022 à 09:12, Slawek Kaplonski <<a href="mailto:skaplons@redhat.com" target="_blank">skaplons@redhat.com</a><span> </span><<a href="mailto:skaplons@redhat.com" target="_blank">mailto:skaplons@redhat.com</a>>> a écrit :<br><br>Hi,<br><br>On poniedziałek, 7 marca 2022 02:36:24 CET Marc-Antoine Godde wrote:<br><blockquote type="cite">Hello.<br><br>We are progressively adding support for IPv6 in my company. We decided to use SLAAC only for laptops, phones, … since DHCPv6 isn’t supported on Android. RDNSS support will also increase. We are now planning our deployment on OpenStack. We already know that we'll rely only on neutron but we are not yet fixed between DHCPv6 and SLAAC ? Do you have any arguments for one these for VMs ?<br><br>Thanks,<br>Marc-Antoine.<br><br></blockquote><br>With SLAAC You need to have Your network connected to the router in Neutron and You can only configure IP address on the VM. With DHCPv6 You can configure other things, like some static-routes, etc.<br>Neutron supports DHCPv6 in the stateful and stateless variants. With stateless, You are using RA for address configuration and DHCP server for other configation. Please see [1] for more details.<br><br>[1]<span> </span><a href="https://docs.openstack.org/neutron/latest/admin/config-ipv6.html#address-modes-for-ports" target="_blank">https://docs.openstack.org/neutron/latest/admin/config-ipv6.html#address-modes-for-ports</a><<a href="https://docs.openstack.org/neutron/latest/admin/config-ipv6.html#address-modes-for-ports" target="_blank">https://docs.openstack.org/neutron/latest/admin/config-ipv6.html#address-modes-for-ports</a>><br><br></blockquote><br><br></blockquote><br>[1]<a href="https://datatracker.ietf.org/doc/html/rfc4941" target="_blank">https://datatracker.ietf.org/doc/html/rfc4941</a><span> </span><<a href="https://datatracker.ietf.org/doc/html/rfc4941" target="_blank">https://datatracker.ietf.org/doc/html/rfc4941</a>><br><br>--<br>Slawek Kaplonski<br>Principal Software Engineer<br>Red Hat</blockquote></blockquote></div></blockquote></div><br></div></div></blockquote></div>