diff options
-rw-r--r-- | docs/gapanalysis/gap-analysis-openstack-kilo.rst | 308 |
1 files changed, 155 insertions, 153 deletions
diff --git a/docs/gapanalysis/gap-analysis-openstack-kilo.rst b/docs/gapanalysis/gap-analysis-openstack-kilo.rst index 355efc7..dea09ba 100644 --- a/docs/gapanalysis/gap-analysis-openstack-kilo.rst +++ b/docs/gapanalysis/gap-analysis-openstack-kilo.rst @@ -7,157 +7,159 @@ OpenStack Neutron in Kilo Official Release. The following table lists the use ca requirements of VIM-agnostic IPv6 functionality, including infrastructure layer and VNF (VM) layer, and its gap analysis with OpenStack Neutron in Kilo Official Release. -+-------------------------------------+-------------------------+---------------------------------+ -|Use Case / Requirement |Supported in Kilo Neutron|Notes | -+=====================================+=========================+=================================+ -|All topologies work in a multi-tenant|Yes |The IPv6 design is following the | -|environment | |Neutron tenant networks model; | -| | |dnsmasq is being used inside DHCP| -| | |network namespaces, while radvd | -| | |is being used inside Neutron | -| | |routers namespaces to provide | -| | |full isolation between tenants. | -| | |Tenant isolation can be based on | -| | |VLANs, GRE, or VXLAN | -| | |encapsulation. In case of | -| | |overlays, the transport network | -| | |(and VTEPs) must be IPv4 based as| -| | |of today. | -+-------------------------------------+-------------------------+---------------------------------+ -|IPv6 VM to VM only |Yes |It is possible to assign IPv6- | -| | |only addresses to VMs. Both | -| | |switching (within VMs on the same| -| | |tenant network) as well as east/ | -| | |west routing (between different | -| | |networks of the same tenant) are | -| | |supported. | -+-------------------------------------+-------------------------+---------------------------------+ -|IPv6 external L2 VLAN directly |Yes |IPv6 provider network model; RA | -|attached to a VM | |messages from upstream (external)| -| | |router are forwarded into the VMs| -+-------------------------------------+-------------------------+---------------------------------+ -|IPv6 subnet routed via L3 agent to an| |Configuration is enhanced in Kilo| -|external IPv6 network | |to allow easier setup of the | -| |1. Yes |upstream gateway, without the | -|1. Both VLAN and overlay (e.g. GRE, | |user forced to create an IPv6 | -| VXLAN) subnet attached to VMs; | |subnet for the external network. | -|2. Must be able to support multiple |2. Yes | | -| L3 agents for a given external | | | -| network to support scaling | | | -| (neutron scheduler to assign | | | -| vRouters to the L3 agents) | | | -+-------------------------------------+-------------------------+---------------------------------+ -|Ability for a NIC to support both | |Dual-stack is supported in | -|IPv4 and IPv6 (dual stack) address. | |Neutron with the addition of | -| | |``Multiple IPv6 Prefixes`` | -|1. VM with a single interface |1. Yes |Blueprint | -| associated with a network, which | | | -| is then associated with two | | | -| subnets | | | -|2. VM with two different interfaces |2. Yes | | -| associated with two different | | | -| networks and two different subnets| | | -+-------------------------------------+-------------------------+---------------------------------+ -|Support IPv6 Address assignment modes|1. Yes | | -| | | | -|1. SLAAC |2. Yes | | -|2. DHCPv6 Stateless | | | -|3. DHCPv6 Stateful |3. Yes | | -+-------------------------------------+-------------------------+---------------------------------+ -|Ability to create a port on an IPv6 |Yes | | -|DHCPv6 Stateful subnet and assign a | | | -|specific IPv6 address to the port and| | | -|have it taken out of the DHCP address| | | -|pool. | | | -+-------------------------------------+-------------------------+---------------------------------+ -|Ability to create a port with |**No** |The following patch disables this| -|fixed_ip for a SLAAC/DHCPv6-Stateless| |operation: https://review.opensta| -|Subnet. | |ck.org/#/c/129144/ | -+-------------------------------------+-------------------------+---------------------------------+ -|Support for private IPv6 to external |**Rejected** |Blueprint proposed in upstream | -|IPv6 floating IP; Ability to specify | |and got rejected. General | -|floating IPs via Neutron API (REST | |expectation is to avoid NAT with | -|and CLI) as well as via Horizon, | |IPv6 by assigning GUA to tenant | -|including combination of IPv6/IPv4 | |VMs. See https://review.openstack| -|and IPv4/IPv6 floating IPs if | |.org/#/c/139731/ for discussion. | -|implemented. | | | -+-------------------------------------+-------------------------+---------------------------------+ -|Provide IPv6/IPv4 feature parity in |**To-Do** |The L3 configuration should be | -|support for pass-through capabilities| |transparent for the SR-IOV | -|(e.g., SR-IOV). | |implementation. SR-IOV networking| -| | |support introduced in Juno based | -| | |on the ``sriovnicswitch`` ML2 | -| | |driver is expected to work with | -| | |IPv4 and IPv6 enabled VMs. We | -| | |need to verify if it works or not| -+-------------------------------------+-------------------------+---------------------------------+ -|Additional IPv6 extensions, for |**No** |It does not appear to be | -|example: IPSEC, IPv6 Anycast, | |considered yet (lack of clear | -|Multicast | |requirements) | -+-------------------------------------+-------------------------+---------------------------------+ -|VM access to the meta-data server to |**No** |This is currently not supported. | -|obtain user data, SSH keys, etc. | |Config-drive or dual-stack IPv4/ | -|using cloud-init with IPv6 only | |IPv6 can be used as a workaround | -|interfaces. | |(so that the IPv4 network is used| -| | |to obtain connectivity with the | -| | |metadata service) | -+-------------------------------------+-------------------------+---------------------------------+ -|Full support for IPv6 matching (i.e.,|Yes | | -|IPv6, ICMPv6, TCP, UDP) in security | | | -|groups. Ability to control and manage| | | -|all IPv6 security group capabilities | | | -|via Neutron/Nova API (REST and CLI) | | | -|as well as via Horizon. | | | -+-------------------------------------+-------------------------+---------------------------------+ -|During network/subnet/router create, |Yes |Two new Subnet attributes were | -|there should be an option to allow | |introduced to control IPv6 | -|user to specify the type of address | |address assignment options: | -|management they would like. This | | | -|includes all options including those | |* ``ipv6-ra-mode``: to determine | -|low priority if implemented (e.g., | | who sends Router Advertisements| -|toggle on/off router and address | | | -|prefix advertisements); It must be | |* ``ipv6-address-mode``: to | -|supported via Neutron API (REST and | | determine how VM obtains IPv6 | -|CLI) as well as via Horizon | | address, default gateway, and/ | -| | | or optional information. | -+-------------------------------------+-------------------------+---------------------------------+ -|Security groups anti-spoofing: |Yes | | -|Prevent VM from using a source | | | -|IPv6/MAC address which is not | | | -|assigned to the VM | | | -+-------------------------------------+-------------------------+---------------------------------+ -|Protect tenant and provider network |Yes |When using a tenant network, | -|from rough RAs | |Neutron is going to automatically| -| | |handle the filter rules to allow | -| | |connectivity of RAs to the VMs | -| | |only from the Neutron router | -| | |port; with provider networks, | -| | |users are required to specify the| -| | |LLA of the upstream router during| -| | |the subnet creation, or otherwise| -| | |manually edit the security-groups| -| | |rules to allow incoming traffic | -| | |from this specific address. | -+-------------------------------------+-------------------------+---------------------------------+ -|Support the ability to assign |Yes | | -|multiple IPv6 addresses to an | | | -|interface; both for Neutron router | | | -|interfaces and VM interfaces. | | | -+-------------------------------------+-------------------------+---------------------------------+ -|Ability for a VM to support a mix of |Yes | | -|multiple IPv4 and IPv6 networks, | | | -|including multiples of the same type.| | | -+-------------------------------------+-------------------------+---------------------------------+ -|Support for IPv6 Prefix Delegation. |**Roadmap** |Some partial support is available| -| | |in Liberty release | -+-------------------------------------+-------------------------+---------------------------------+ -|Distributed Virtual Routing (DVR) |**No** |Blueprint proposed upstream, | -|support for IPv6 | |pending discussion | -+-------------------------------------+-------------------------+---------------------------------+ -|IPv6 First-Hop Security, IPv6 ND |**Roadmap** |Supported in Liberty release | -|spoofing. | | | -+-------------------------------------+-------------------------+---------------------------------+ -|IPv6 support in Neutron Layer3 High |Yes | | -|Availability (keepalived+VRRP). | | | -+-------------------------------------+-------------------------+---------------------------------+ +.. table:: + :class: longtable + +-------------------------------------+-------------------------+---------------------------------+ + |Use Case / Requirement |Supported in Neutron |Notes | + +=====================================+=========================+=================================+ + |All topologies work in a multi-tenant|Yes |The IPv6 design is following the | + |environment | |Neutron tenant networks model; | + | | |dnsmasq is being used inside DHCP| + | | |network namespaces, while radvd | + | | |is being used inside Neutron | + | | |routers namespaces to provide | + | | |full isolation between tenants. | + | | |Tenant isolation can be based on | + | | |VLANs, GRE, or VXLAN | + | | |encapsulation. In case of | + | | |overlays, the transport network | + | | |(and VTEPs) must be IPv4 based as| + | | |of today. | + +-------------------------------------+-------------------------+---------------------------------+ + |IPv6 VM to VM only |Yes |It is possible to assign IPv6- | + | | |only addresses to VMs. Both | + | | |switching (within VMs on the same| + | | |tenant network) as well as east/ | + | | |west routing (between different | + | | |networks of the same tenant) are | + | | |supported. | + +-------------------------------------+-------------------------+---------------------------------+ + |IPv6 external L2 VLAN directly |Yes |IPv6 provider network model; RA | + |attached to a VM | |messages from upstream (external)| + | | |router are forwarded into the VMs| + +-------------------------------------+-------------------------+---------------------------------+ + |IPv6 subnet routed via L3 agent to an| |Configuration is enhanced in Kilo| + |external IPv6 network | |to allow easier setup of the | + | |1. Yes |upstream gateway, without the | + |1. Both VLAN and overlay (e.g. GRE, | |user forced to create an IPv6 | + | VXLAN) subnet attached to VMs; | |subnet for the external network. | + |2. Must be able to support multiple |2. Yes | | + | L3 agents for a given external | | | + | network to support scaling | | | + | (neutron scheduler to assign | | | + | vRouters to the L3 agents) | | | + +-------------------------------------+-------------------------+---------------------------------+ + |Ability for a NIC to support both | |Dual-stack is supported in | + |IPv4 and IPv6 (dual stack) address. | |Neutron with the addition of | + | | |``Multiple IPv6 Prefixes`` | + |1. VM with a single interface |1. Yes |Blueprint | + | associated with a network, which | | | + | is then associated with two | | | + | subnets | | | + |2. VM with two different interfaces |2. Yes | | + | associated with two different | | | + | networks and two different subnets| | | + +-------------------------------------+-------------------------+---------------------------------+ + |Support IPv6 Address assignment modes|1. Yes | | + | | | | + |1. SLAAC |2. Yes | | + |2. DHCPv6 Stateless | | | + |3. DHCPv6 Stateful |3. Yes | | + +-------------------------------------+-------------------------+---------------------------------+ + |Ability to create a port on an IPv6 |Yes | | + |DHCPv6 Stateful subnet and assign a | | | + |specific IPv6 address to the port and| | | + |have it taken out of the DHCP address| | | + |pool. | | | + +-------------------------------------+-------------------------+---------------------------------+ + |Ability to create a port with |**No** |The following patch disables this| + |fixed_ip for a SLAAC/DHCPv6-Stateless| |operation: https://review.opensta| + |Subnet. | |ck.org/#/c/129144/ | + +-------------------------------------+-------------------------+---------------------------------+ + |Support for private IPv6 to external |**Rejected** |Blueprint proposed in upstream | + |IPv6 floating IP; Ability to specify | |and got rejected. General | + |floating IPs via Neutron API (REST | |expectation is to avoid NAT with | + |and CLI) as well as via Horizon, | |IPv6 by assigning GUA to tenant | + |including combination of IPv6/IPv4 | |VMs. See https://review.openstack| + |and IPv4/IPv6 floating IPs if | |.org/#/c/139731/ for discussion. | + |implemented. | | | + +-------------------------------------+-------------------------+---------------------------------+ + |Provide IPv6/IPv4 feature parity in |**To-Do** |The L3 configuration should be | + |support for pass-through capabilities| |transparent for the SR-IOV | + |(e.g., SR-IOV). | |implementation. SR-IOV networking| + | | |support introduced in Juno based | + | | |on the ``sriovnicswitch`` ML2 | + | | |driver is expected to work with | + | | |IPv4 and IPv6 enabled VMs. We | + | | |need to verify if it works or not| + +-------------------------------------+-------------------------+---------------------------------+ + |Additional IPv6 extensions, for |**No** |It does not appear to be | + |example: IPSEC, IPv6 Anycast, | |considered yet (lack of clear | + |Multicast | |requirements) | + +-------------------------------------+-------------------------+---------------------------------+ + |VM access to the meta-data server to |**No** |This is currently not supported. | + |obtain user data, SSH keys, etc. | |Config-drive or dual-stack IPv4/ | + |using cloud-init with IPv6 only | |IPv6 can be used as a workaround | + |interfaces. | |(so that the IPv4 network is used| + | | |to obtain connectivity with the | + | | |metadata service) | + +-------------------------------------+-------------------------+---------------------------------+ + |Full support for IPv6 matching (i.e.,|Yes | | + |IPv6, ICMPv6, TCP, UDP) in security | | | + |groups. Ability to control and manage| | | + |all IPv6 security group capabilities | | | + |via Neutron/Nova API (REST and CLI) | | | + |as well as via Horizon. | | | + +-------------------------------------+-------------------------+---------------------------------+ + |During network/subnet/router create, |Yes |Two new Subnet attributes were | + |there should be an option to allow | |introduced to control IPv6 | + |user to specify the type of address | |address assignment options: | + |management they would like. This | | | + |includes all options including those | |* ``ipv6-ra-mode``: to determine | + |low priority if implemented (e.g., | | who sends Router Advertisements| + |toggle on/off router and address | | | + |prefix advertisements); It must be | |* ``ipv6-address-mode``: to | + |supported via Neutron API (REST and | | determine how VM obtains IPv6 | + |CLI) as well as via Horizon | | address, default gateway, and/ | + | | | or optional information. | + +-------------------------------------+-------------------------+---------------------------------+ + |Security groups anti-spoofing: |Yes | | + |Prevent VM from using a source | | | + |IPv6/MAC address which is not | | | + |assigned to the VM | | | + +-------------------------------------+-------------------------+---------------------------------+ + |Protect tenant and provider network |Yes |When using a tenant network, | + |from rough RAs | |Neutron is going to automatically| + | | |handle the filter rules to allow | + | | |connectivity of RAs to the VMs | + | | |only from the Neutron router | + | | |port; with provider networks, | + | | |users are required to specify the| + | | |LLA of the upstream router during| + | | |the subnet creation, or otherwise| + | | |manually edit the security-groups| + | | |rules to allow incoming traffic | + | | |from this specific address. | + +-------------------------------------+-------------------------+---------------------------------+ + |Support the ability to assign |Yes | | + |multiple IPv6 addresses to an | | | + |interface; both for Neutron router | | | + |interfaces and VM interfaces. | | | + +-------------------------------------+-------------------------+---------------------------------+ + |Ability for a VM to support a mix of |Yes | | + |multiple IPv4 and IPv6 networks, | | | + |including multiples of the same type.| | | + +-------------------------------------+-------------------------+---------------------------------+ + |Support for IPv6 Prefix Delegation. |**Roadmap** |Some partial support is available| + | | |in Liberty release | + +-------------------------------------+-------------------------+---------------------------------+ + |Distributed Virtual Routing (DVR) |**No** |Blueprint proposed upstream, | + |support for IPv6 | |pending discussion | + +-------------------------------------+-------------------------+---------------------------------+ + |IPv6 First-Hop Security, IPv6 ND |**Roadmap** |Supported in Liberty release | + |spoofing. | | | + +-------------------------------------+-------------------------+---------------------------------+ + |IPv6 support in Neutron Layer3 High |Yes | | + |Availability (keepalived+VRRP). | | | + +-------------------------------------+-------------------------+---------------------------------+ |