Open Stack

On 6/26/20 11:41 AM, Christian Rohmann wrote:
> Hello OpenStack-Discuss,

Hi Christian,

> I have a use case in which an instance / VM is hosting i.e. an OpenVPN
> gateway which shall be doing some routing / networking by itself.
> For that purpose one would like to have a global unique IPv6 prefix
> delegated and routed to it to, which it can in turn give out to its VPN
> clients.
> This can and should not be cut out of the on-link network that is
> provided by Neutron and used to connect the instance itself.
> 
> If you look at https://community.openvpn.net/openvpn/wiki/IPv6, which
> has a section *Details: IPv6 routed block* explaining just how
> that is one intended approach on how to do it.
> 
> I am now wondering if the existing DHCPv6 prefix delegation implemented
> in OpenStack is capable of providing a prefix to an instance.
> Digging a little into what can be found online I ran into this Etherpad
> doc https://etherpad.opendev.org/p/neutron-kilo-prefix-delegation
> (linked to on https://wiki.openstack.org/wiki/Neutron/IPv6/PrefixDelegation)

The Neutron implementation of IPv6 PD doesn't support the use case 
you're describing, allocating an entire /64 to a device/neutron port.

The Neutron router can only do PD, then advertise the /64 it received on 
a downstream IPv6 subnet.  While this does give the instance an IPv6 
address that is globally unique, it's just the single address.

There is a neutron-vpnaas project, 
https://docs.openstack.org/neutron-vpnaas/latest/ and I've cc'd Dongcan 
Ye, he would know more about VPNaas setup related to Neutron, I'm just 
not that familiar with it myself.

-Brian

> There is a list of use-cases, the second one being exactly what I
> described above:
> 
>> [...]
>>
>> Use cases:
>>
>> We need to allocate addresses to ports from an external or
>> providernetwork, and route them via Neutron routers.
>>
>> We wish to allocate whole prefixes to devices (and their specific
>> neutron port) on demand.  A port must be authorised via the API for a
>> prefix. The prefix could be issued to the device via PD (since the
>> device has to discover the prefix it's been given).
>>
>> [...]
> 
> But to my understanding the spec used to implement the current IPv6
> networking and also prefix delegation mechanism,
> also mentioned this use case as an "limitation and future enhancement" -
> see:
> https://specs.openstack.org/openstack/neutron-specs/specs/liberty/ipv6-prefix-delegation.html#limitations-and-future-enhancements
> 
> 
> 
> Does anyone have any thoughts on this matter of dedicating a prefix and
> and routingits  traffic to a VM, but not just a subnet?
> 
> 
> 
> Regards
> 
> 
> Christian
> 
> 
> 
>