Delegating and routing an IPv6 prefix to an instance
Brian Haley
haleyb.dev at gmail.com
Fri Jun 26 18:16:05 UTC 2020
On 6/26/20 11:41 AM, Christian Rohmann wrote:
> Hello OpenStack-Discuss,
Hi Christian,
> I have a use case in which an instance / VM is hosting i.e. an OpenVPN
> gateway which shall be doing some routing / networking by itself.
> For that purpose one would like to have a global unique IPv6 prefix
> delegated and routed to it, which it can in turn give out to its VPN
> clients.
> This can and should not be cut out of the on-link network that is
> provided by Neutron and used to connect the instance itself.
>
> If you look at https://community.openvpn.net/openvpn/wiki/IPv6, which
> has a section *Details: IPv6 routed block* explaining just how
> that is one intended approach on how to do it.
>
> I am now wondering if the existing DHCPv6 prefix delegation implemented
> in OpenStack is capable of providing a prefix to an instance.
> Digging a little into what can be found online I ran into this Etherpad
> doc https://etherpad.opendev.org/p/neutron-kilo-prefix-delegation
> (linked to on https://wiki.openstack.org/wiki/Neutron/IPv6/PrefixDelegation)

The Neutron implementation of IPv6 PD doesn't support the use case
you're describing, allocating an entire /64 to a device/neutron port.
The Neutron router can only do PD, then advertise the /64 it received on
a downstream IPv6 subnet. While this does give the instance an IPv6
address that is globally unique, it's just the single address.

There is a neutron-vpnaas project,
https://docs.openstack.org/neutron-vpnaas/latest/ and I've cc'd Dongcan
Ye, he would know more about VPNaaS setup related to Neutron, I'm just
not that familiar with it myself.

-Brian

> There is a list of use-cases, the second one being exactly what I
> described above:
>
>> [...]
>>
>> Use cases:
>>
>> We need to allocate addresses to ports from an external or
>> provider network, and route them via Neutron routers.
>>
>> We wish to allocate whole prefixes to devices (and their specific
>> neutron port) on demand. A port must be authorised via the API for a
>> prefix. The prefix could be issued to the device via PD (since the
>> device has to discover the prefix it's been given).
>>
>> [...]
>
> But to my understanding the spec used to implement the current IPv6
> networking and also prefix delegation mechanism,
> also mentioned this use case as a "limitation and future enhancement" -
> see:
> https://specs.openstack.org/openstack/neutron-specs/specs/liberty/ipv6-prefix-delegation.html#limitations-and-future-enhancements
>
> Does anyone have any thoughts on this matter of dedicating a prefix and
> routing its traffic to a VM, but not just a subnet?
>
> Regards
>
> Christian