[neutron][ovn] ipv6 in virtual networks
Hi all,
I have a test env with OpenStack Ussuri and OVN deployed by kolla-ansible.
I'm struggling with IPv6 VMs addressing. Has anyone deployed such configuration successfully?
What is working:
- SLAAC for VMs IPv6 addressing - VMs configure IPv6 addresses and can ping each other via IPv6
- VMs can ping virtual router's fe80:: address
- OVN is sending ICMPv6 RA packets periodically on virtual private networks
What is not working:
- VMs can't ping virtual router's private network IPv6 address specified in virtual network configuration in Neutron (IPv6 GUA), I see ICMPv6 echo request packets on tapXXXXX interfaces with a correct DEST MAC, but there are no responses.
- Routing is not working at all
Besides those, I can't imagine how upstream router will know how to reach a particular private network with GUA IPv6 addresses (to which virtual router send packets to reach a particular private network?). I have a standard external network with IPv6 GUA /64 subnet and virtual routers which connects private networks with IPv6 GUA /64 subnets with external network. I thought that OVN virtual router will send ICMPv6 RA packets on external network with reachable prefixes and upstream router will learn routing info from those but I don't see any RA packets sent by OVN on external network, I see only RA packets from an upstream router. How this should work and be configured? How to configure GUA IPv6 addresses on virtual private networks? Is it supported by Neutron/OVN?
Looking forward to any responses regarding this area because documentation does not exist technically.
Thanks!
On 2/10/21 1:11 PM, Piotr Misiak wrote:
Hi all,
I have a test env with OpenStack Ussuri and OVN deployed by kolla-ansible.
I'm struggling with IPv6 VMs addressing. Has anyone deployed such configuration successfully?
What is working:
- SLAAC for VMs IPv6 addressing - VMs configure IPv6 addresses and can ping each other via IPv6
- VMs can ping virtual router's fe80:: address
- OVN is sending ICMPv6 RA packets periodically on virtual private networks
What is not working:
- VMs can't ping virtual router's private network IPv6 address specified in virtual network configuration in Neutron (IPv6 GUA), I see ICMPv6 echo request packets on tapXXXXX interfaces with a correct DEST MAC, but there are no responses.
That should work AFAIK, just don't have a devstack to try it on at the moment, sorry.
- Routing is not working at all
Besides those, I can't imagine how upstream router will know how to reach a particular private network with GUA IPv6 addresses (to which virtual router send packets to reach a particular private network?). I have a standard external network with IPv6 GUA /64 subnet and virtual routers which connects private networks with IPv6 GUA /64 subnets with external network. I thought that OVN virtual router will send ICMPv6 RA packets on external network with reachable prefixes and upstream router will learn routing info from those but I don't see any RA packets sent by OVN on external network, I see only RA packets from an upstream router. How this should work and be configured? How to configure GUA IPv6 addresses on virtual private networks? Is it supported by Neutron/OVN?
IPv6 prefix delegation is what you want, it's one of the 'gaps' with ML2/OVS, https://bugs.launchpad.net/neutron/+bug/1895972
There is a list of known items at https://docs.openstack.org/neutron/latest/ovn/gaps.html
So in order to use a globally-reachable IPv6 address you should use a port from a provider network in the instance.
Looking forward to any responses regarding this area because documentation does not exist technically.
All the docs were copied over to neutron so should be visible at https://docs.openstack.org/neutron/latest/
-Brian
On 10.02.2021 21:08, Brian Haley wrote:
On 2/10/21 1:11 PM, Piotr Misiak wrote:
- Routing is not working at all
Besides those, I can't imagine how upstream router will know how to reach a particular private network with GUA IPv6 addresses (to which virtual router send packets to reach a particular private network?). I have a standard external network with IPv6 GUA /64 subnet and virtual routers which connects private networks with IPv6 GUA /64 subnets with external network. I thought that OVN virtual router will send ICMPv6 RA packets on external network with reachable prefixes and upstream router will learn routing info from those but I don't see any RA packets sent by OVN on external network, I see only RA packets from an upstream router. How this should work and be configured? How to configure GUA IPv6 addresses on virtual private networks? Is it supported by Neutron/OVN?
IPv6 prefix delegation is what you want, it's one of the 'gaps' with ML2/OVS, https://bugs.launchpad.net/neutron/+bug/1895972
There is a list of known items at https://docs.openstack.org/neutron/latest/ovn/gaps.html
So in order to use a globally-reachable IPv6 address you should use a port from a provider network in the instance.
Thanks Brian for the prompt response.
Does this mean that the only functional IPv6 scenario in Neutron/OVN is where VMs are directly connected to an IPv6 GUA provider network?
BGP peering is not supported in Neutron/OVN, so virtual routers cannot advertise their prefixes (use case where private network prefix is manually specified by the user or it is automatically assigned from a default IPv6 subnet-pool defined in Neutron)
IPv6 PD is not supported in Neutron/OVN, so virtual routers cannot request an IPv6 prefix from an upstream router
Thanks
Hey there,
On 11/02/2021 12:20, Piotr Misiak wrote:
So in order to use a globally-reachable IPv6 address you should use a port from a provider network in the instance.
Thanks Brian for the prompt response.
Does this mean that the only functional IPv6 scenario in Neutron/OVN is where VMs are directly connected to an IPv6 GUA provider network?
I ran into a similar question a while back: http://lists.openstack.org/pipermail/openstack-discuss/2020-June/015682.html
But there I was wondering / discussing if requesting a prefix larger than /64 was possible to allow using that routed prefix to host i.e. a VPN solution.
Prefix delegation of GUA prefixes implemented in Neutron apparently: https://blueprints.launchpad.net/neutron/+spec/ipv6-prefix-delegation
And to me prefix delegation of a global unicast address prefix (GUA) seems like the cleanest solution.
Regards
Christian
On 11.02.2021 14:12, Christian Rohmann wrote:
Hey there,
On 11/02/2021 12:20, Piotr Misiak wrote:
So in order to use a globally-reachable IPv6 address you should use a port from a provider network in the instance.
Thanks Brian for the prompt response.
Does this mean that the only functional IPv6 scenario in Neutron/OVN is where VMs are directly connected to an IPv6 GUA provider network?
I ran into a similar question a while back: http://lists.openstack.org/pipermail/openstack-discuss/2020-June/015682.html But there I was wondering / discussing if requesting a prefix larger than /64 was possible to allow using that routed prefix to host i.e. a VPN solution.
Prefix delegation of GUA prefixes implemented in Neutron apparently: https://blueprints.launchpad.net/neutron/+spec/ipv6-prefix-delegation And to me prefix delegation of a global unicast address prefix (GUA) seems like the cleanest solution.
Thanks Christian for the comments. Unfortunately in Neutron/OVN configuration the IPv6-PD is not supported (yet?).
On 2/11/21 6:20 AM, Piotr Misiak wrote:
On 10.02.2021 21:08, Brian Haley wrote:
On 2/10/21 1:11 PM, Piotr Misiak wrote:
- Routing is not working at all
Besides those, I can't imagine how upstream router will know how to reach a particular private network with GUA IPv6 addresses (to which virtual router send packets to reach a particular private network?). I have a standard external network with IPv6 GUA /64 subnet and virtual routers which connects private networks with IPv6 GUA /64 subnets with external network. I thought that OVN virtual router will send ICMPv6 RA packets on external network with reachable prefixes and upstream router will learn routing info from those but I don't see any RA packets sent by OVN on external network, I see only RA packets from an upstream router. How this should work and be configured? How to configure GUA IPv6 addresses on virtual private networks? Is it supported by Neutron/OVN?
IPv6 prefix delegation is what you want, it's one of the 'gaps' with ML2/OVS, https://bugs.launchpad.net/neutron/+bug/1895972
There is a list of known items at https://docs.openstack.org/neutron/latest/ovn/gaps.html
So in order to use a globally-reachable IPv6 address you should use a port from a provider network in the instance.
Thanks Brian for the prompt response.
Does this mean that the only functional IPv6 scenario in Neutron/OVN is where VMs are directly connected to an IPv6 GUA provider network?
For your intended purpose, yes. You can still have a tenant with IPv6 private networks and OVN will route East/West between them.
BGP peering is not supported in Neutron/OVN, so virtual routers cannot advertise their prefixes (use case where private network prefix is manually specified by the user or it is automatically assigned from a default IPv6 subnet-pool defined in Neutron)
IPv6 PD is not supported in Neutron/OVN, so virtual routers cannot request an IPv6 prefix from an upstream router
Correct, that was the bug I linked above.
-Brian
participants (3)
- Brian Haley
- Christian Rohmann
- Piotr Misiak