[neutron] DVR / IPv6 on provider network instead?
Hi,

Should I assume that the statement:

"IPv6 traffic is not distributed, even when DVR is enabled. IPv6 routing does work, but all ingress/egress traffic must traverse through the centralized Controller node. Customers that are extensively using IPv6 routing are advised not to use DVR at this time."

is still true in Stein and later (we are running Stein for now, which is why I explicitly mentioned this version)?

If so, is there a possibility of using a provider network that is connected to all compute nodes where IPv6 subnets are issued to tenants from a subnet pool, with traffic being routed directly to an external router (not a Neutron router) using Linux Bridge instead of OVS? Yet, still use port security?

Just trying to figure out the best way to support IPv6 without forwarding all traffic through a single network node, while using DVR for IPv4.

Also, unrelated, but hopefully a quick question... is the "internal" or "external" label on a network just used for filtering lists, such as for "openstack network list --external"? or does it change the behavior of anything?

Thanks!

Eric

On 6/27/20 11:52 PM, Eric K. Miller wrote:
> Hi,
>
> Should I assume that the statement:
>
> "IPv6 traffic is not distributed, even when DVR is enabled. IPv6 routing does work, but all ingress/egress traffic must traverse through the centralized Controller node. Customers that are extensively using IPv6 routing are advised not to use DVR at this time."
>
> is still true in Stein and later (we are running Stein for now, which is why I explicitly mentioned this version)?
>
> If so, is there a possibility of using a provider network that is connected to all compute nodes where IPv6 subnets are issued to tenants from a subnet pool, with traffic being routed directly to an external router (not a Neutron router) using Linux Bridge instead of OVS? Yet, still use port security?
>
> Just trying to figure out the best way to support IPv6 without forwarding all traffic through a single network node, while using DVR for IPv4.

The other way would be to enhance the dr-agent, IPv4 support for DVR was added recently.

https://docs.openstack.org/neutron-dynamic-routing/latest/

There is also some ongoing work to better support IPv6 "fast exit" at https://review.opendev.org/#/c/662111/

-Brian

> Also, unrelated, but hopefully a quick question… is the "internal" or "external" label on a network just used for filtering lists, such as for "openstack network list --external"? or does it change the behavior of anything?
>
> Thanks!
>
> Eric

Thanks for the response Brian. Definitely something that seems critically important for service providers.

Since we have to use a provider network today, I'm assuming assigning a PTR record with Designate doesn't work (openstack ptr record set)? Seems like it will only associate a PTR record with a floating IP, and a fixed IP assigned to a provider network doesn't qualify (I'm making an assumption here - this hasn't been tested).

I'm trying to determine whether we need to handle reverse DNS separate from OpenStack, which would be a bummer.

Eric

participants (2)
- Brian Haley
- Eric K. Miller