On 6/26/20 11:41 AM, Christian Rohmann wrote:
Hello OpenStack-Discuss,
Hi Christian,
I have a use case in which an instance / VM is hosting i.e. an OpenVPN gateway which shall be doing some routing / networking by itself. For that purpose one would like to have a global unique IPv6 prefix delegated and routed to it, which it can in turn give out to its VPN clients. This can and should not be cut out of the on-link network that is provided by Neutron and used to connect the instance itself.
If you look at https://community.openvpn.net/openvpn/wiki/IPv6, which has a section *Details: IPv6 routed block* explaining just how that is one intended approach on how to do it.
I am now wondering if the existing DHCPv6 prefix delegation implemented in OpenStack is capable of providing a prefix to an instance. Digging a little into what can be found online I ran into this Etherpad doc https://etherpad.opendev.org/p/neutron-kilo-prefix-delegation (linked to on https://wiki.openstack.org/wiki/Neutron/IPv6/PrefixDelegation)
The Neutron implementation of IPv6 PD doesn't support the use case you're describing, allocating an entire /64 to a device/neutron port. The Neutron router can only do PD, then advertise the /64 it received on a downstream IPv6 subnet. While this does give the instance an IPv6 address that is globally unique, it's just the single address.
There is a neutron-vpnaas project, https://docs.openstack.org/neutron-vpnaas/latest/ and I've cc'd Dongcan Ye, he would know more about VPNaas setup related to Neutron, I'm just not that familiar with it myself.
-Brian
There is a list of use-cases, the second one being exactly what I described above:
[...]
Use cases:
We need to allocate addresses to ports from an external or provider network, and route them via Neutron routers.
We wish to allocate whole prefixes to devices (and their specific neutron port) on demand. A port must be authorised via the API for a prefix. The prefix could be issued to the device via PD (since the device has to discover the prefix it's been given).
[...]
But to my understanding the spec used to implement the current IPv6 networking and also prefix delegation mechanism, also mentioned this use case as a "limitation and future enhancement" - see: https://specs.openstack.org/openstack/neutron-specs/specs/liberty/ipv6-prefi...
Does anyone have any thoughts on this matter of dedicating a prefix and routing its traffic to a VM, but not just a subnet?
Regards
Christian