diff options
-rw-r--r-- | docs/gapanalysis/gap-analysis-openstack-kilo.rst | 292 |
1 files changed, 153 insertions, 139 deletions
diff --git a/docs/gapanalysis/gap-analysis-openstack-kilo.rst b/docs/gapanalysis/gap-analysis-openstack-kilo.rst index 8087a8a..39fc391 100644 --- a/docs/gapanalysis/gap-analysis-openstack-kilo.rst +++ b/docs/gapanalysis/gap-analysis-openstack-kilo.rst @@ -7,143 +7,157 @@ OpenStack Neutron in Kilo Official Release. The following table lists the use ca requirements of VIM-agnostic IPv6 functionality, including infrastructure layer and VNF (VM) layer, and its gap analysis with OpenStack Neutron in Kilo Official Release. -+-------------------------------------+-------------------------+-----------------------------------------------+ -|Use Case / Requirement |Supported in Kilo Neutron|Notes | -+=====================================+=========================+===============================================+ -|All topologies work in a multi-tenant|Yes |The IPv6 design is following the Neutron tenant| -|environment | |networks model; dnsmasq is being used inside | -| | |DHCP network namespaces, while radvd is being | -| | |used inside Neutron routers namespaces to | -| | |provide full isolation between tenants. Tenant | -| | |isolation can be based on VLANs, GRE, or VXLAN | -| | |encapsulation. In case of overlays, the | -| | |transport network (and VTEPs) must be IPv4 | -| | |based as of today. | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|IPv6 VM to VM only |Yes |It is possible to assign IPv6-only addresses to| -| | |VMs. Both switching (within VMs on the same | -| | |tenant network) as well as east/west routing | -| | |(between different networks of the same tenant)| -| | |are supported. | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|IPv6 external L2 VLAN directly |Yes |IPv6 provider network model; RA messages from | -|attached to a VM | |upstream (external) router are forwarded into | -| | |the VMs | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|IPv6 subnet routed via L3 agent to an| |Configuration is enhanced in Kilo to allow | -|external IPv6 network | |easier setup of the upstream gateway, without | -| |1. Yes |the user forced to create an IPv6 subnet for | -|1. Both VLAN and overlay (e.g. GRE, | |the external network. | -| VXLAN) subnet attached to VMs; | | | -|2. Must be able to support multiple |2. Yes | | -| L3 agents for a given external | | | -| network to support scaling | | | -| (neutron scheduler to assign | | | -| vRouters to the L3 agents) | | | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|Ability for a NIC to support both | |Dual-stack is supported in Neutron with the | -|IPv4 and IPv6 (dual stack) address. | |addition of ``Multiple IPv6 Prefixes`` | -| | |Blueprint | -|1. VM with a single interface |1. Yes | | -| associated with a network, which | | | -| is then associated with two | | | -| subnets | | | -|2. VM with two different interfaces |2. Yes | | -| associated with two different | | | -| networks and two different subnets| | | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|Support IPv6 Address assignment modes|1. Yes | | -| | | | -|1. SLAAC |2. Yes | | -|2. DHCPv6 Stateless | | | -|3. DHCPv6 Stateful |3. Yes | | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|Ability to create a port on an IPv6 |Yes | | -|DHCPv6 Stateful subnet and assign a | | | -|specific IPv6 address to the port and| | | -|have it taken out of the DHCP address| | | -|pool. | | | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|Ability to create a port with |**No** |The following patch disables this operation: | -|fixed_ip for a SLAAC/DHCPv6-Stateless| |https://review.openstack.org/#/c/129144/ | -|Subnet. | | | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|Support for private IPv6 to external |**Rejected** |Blueprint proposed in upstream and got | -|IPv6 floating IP; Ability to specify | |rejected. General expectation is to avoid NAT | -|floating IPs via Neutron API (REST | |with IPv6 by assigning GUA to tenant VMs. See | -|and CLI) as well as via Horizon, | |https://review.openstack.org/#/c/139731/ | -|including combination of IPv6/IPv4 | |for discussion. | -|and IPv4/IPv6 floating IPs if | | | -|implemented. | | | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|Provide IPv6/IPv4 feature parity in |**To-Do** |The L3 configuration should be transparent for | -|support for pass-through capabilities| |the SR-IOV implementation. SR-IOV networking | -|(e.g., SR-IOV). | |support introduced in Juno based on the | -| | |``sriovnicswitch`` ML2 driver is expected to | -| | |work with IPv4 and IPv6 enabled VMs. We need to| -| | |verify if it works or not | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|Additional IPv6 extensions, for |**No** |It does not appear to be considered yet (lack | -|example: IPSEC, IPv6 Anycast, | |of clear requirements) | -|Multicast | | | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|VM access to the meta-data server to |**No** |This is currently not supported. Config-drive | -|obtain user data, SSH keys, etc. | |or dual-stack IPv4 / IPv6 can be used as a | -|using cloud-init with IPv6 only | |workaround (so that the IPv4 network is used to| -|interfaces. | |obtain connectivity with the metadata service) | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|Full support for IPv6 matching (i.e.,|Yes | | -|IPv6, ICMPv6, TCP, UDP) in security | | | -|groups. Ability to control and manage| | | -|all IPv6 security group capabilities | | | -|via Neutron/Nova API (REST and CLI) | | | -|as well as via Horizon. | | | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|During network/subnet/router create, |Yes |Two new Subnet attributes were introduced to | -|there should be an option to allow | |control IPv6 address assignment options: | -|user to specify the type of address | | | -|management they would like. This | | | -|includes all options including those | |* ``ipv6-ra-mode``: to determine who sends | -|low priority if implemented (e.g., | | Router Advertisements; | -|toggle on/off router and address | | | -|prefix advertisements); It must be | |* ``ipv6-address-mode``: to determine how VM | -|supported via Neutron API (REST and | | obtains IPv6 address, default gateway, and/or| -|CLI) as well as via Horizon | | optional information. | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|Security groups anti-spoofing: |Yes | | -|Prevent VM from using a source | | | -|IPv6/MAC address which is not | | | -|assigned to the VM | | | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|Protect tenant and provider network |Yes |When using a tenant network, Neutron is going | -|from rough RAs | |to automatically handle the filter rules to | -| | |allow connectivity of RAs to the VMs only from | -| | |the Neutron router port; with provider | -| | |networks, users are required to specify the LLA| -| | |of the upstream router during the subnet | -| | |creation, or otherwise manually edit the | -| | |security-groups rules to allow incoming traffic| -| | |from this specific address. | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|Support the ability to assign |Yes | | -|multiple IPv6 addresses to an | | | -|interface; both for Neutron router | | | -|interfaces and VM interfaces. | | | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|Ability for a VM to support a mix of |Yes | | -|multiple IPv4 and IPv6 networks, | | | -|including multiples of the same type.| | | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|Support for IPv6 Prefix Delegation. |**Roadmap** |Some partial support is available in Liberty | -| | |release | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|Distributed Virtual Routing (DVR) |**No** |Blueprint proposed upstream, pending discussion| -|support for IPv6 | | | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|IPv6 First-Hop Security, IPv6 ND |**Roadmap** |Supported in Liberty release | -|spoofing. | | | -+-------------------------------------+-------------------------+-----------------------------------------------+ -|IPv6 support in Neutron Layer3 High |Yes | | -|Availability (keepalived+VRRP). | | | -+-------------------------------------+-------------------------+-----------------------------------------------+ ++-------------------------------------+-------------------------+---------------------------------+ +|Use Case / Requirement |Supported in Kilo Neutron|Notes | ++=====================================+=========================+=================================+ +|All topologies work in a multi-tenant|Yes |The IPv6 design is following the | +|environment | |Neutron tenant networks model; | +| | |dnsmasq is being used inside DHCP| +| | |network namespaces, while radvd | +| | |is being used inside Neutron | +| | |routers namespaces to provide | +| | |full isolation between tenants. | +| | |Tenant isolation can be based on | +| | |VLANs, GRE, or VXLAN | +| | |encapsulation. In case of | +| | |overlays, the transport network | +| | |(and VTEPs) must be IPv4 based as| +| | |of today. | ++-------------------------------------+-------------------------+---------------------------------+ +|IPv6 VM to VM only |Yes |It is possible to assign IPv6- | +| | |only addresses to VMs. Both | +| | |switching (within VMs on the same| +| | |tenant network) as well as east /| +| | |west routing (between different | +| | |networks of the same tenant) are | +| | |supported. | ++-------------------------------------+-------------------------+---------------------------------+ +|IPv6 external L2 VLAN directly |Yes |IPv6 provider network model; RA | +|attached to a VM | |messages from upstream (external)| +| | |router are forwarded into the VMs| ++-------------------------------------+-------------------------+---------------------------------+ +|IPv6 subnet routed via L3 agent to an| |Configuration is enhanced in Kilo| +|external IPv6 network | |to allow easier setup of the | +| |1. Yes |upstream gateway, without the | +|1. Both VLAN and overlay (e.g. GRE, | |user forced to create an IPv6 | +| VXLAN) subnet attached to VMs; | |subnet for the external network. | +|2. Must be able to support multiple |2. Yes | | +| L3 agents for a given external | | | +| network to support scaling | | | +| (neutron scheduler to assign | | | +| vRouters to the L3 agents) | | | ++-------------------------------------+-------------------------+---------------------------------+ +|Ability for a NIC to support both | |Dual-stack is supported in | +|IPv4 and IPv6 (dual stack) address. | |Neutron with the addition of | +| | |``Multiple IPv6 Prefixes`` | +|1. VM with a single interface |1. Yes |Blueprint | +| associated with a network, which | | | +| is then associated with two | | | +| subnets | | | +|2. VM with two different interfaces |2. Yes | | +| associated with two different | | | +| networks and two different subnets| | | ++-------------------------------------+-------------------------+---------------------------------+ +|Support IPv6 Address assignment modes|1. Yes | | +| | | | +|1. SLAAC |2. Yes | | +|2. DHCPv6 Stateless | | | +|3. DHCPv6 Stateful |3. Yes | | ++-------------------------------------+-------------------------+---------------------------------+ +|Ability to create a port on an IPv6 |Yes | | +|DHCPv6 Stateful subnet and assign a | | | +|specific IPv6 address to the port and| | | +|have it taken out of the DHCP address| | | +|pool. | | | ++-------------------------------------+-------------------------+---------------------------------+ +|Ability to create a port with |**No** |The following patch disables this| +|fixed_ip for a SLAAC/DHCPv6-Stateless| |operation: https://review.opensta| +|Subnet. | |ck.org/#/c/129144/ | ++-------------------------------------+-------------------------+---------------------------------+ +|Support for private IPv6 to external |**Rejected** |Blueprint proposed in upstream | +|IPv6 floating IP; Ability to specify | |and got rejected. General | +|floating IPs via Neutron API (REST | |expectation is to avoid NAT with | +|and CLI) as well as via Horizon, | |IPv6 by assigning GUA to tenant | +|including combination of IPv6/IPv4 | |VMs. See https://review.openstack| +|and IPv4/IPv6 floating IPs if | |.org/#/c/139731/ for discussion. | +|implemented. | | | ++-------------------------------------+-------------------------+---------------------------------+ +|Provide IPv6/IPv4 feature parity in |**To-Do** |The L3 configuration should be | +|support for pass-through capabilities| |transparent for the SR-IOV | +|(e.g., SR-IOV). | |implementation. SR-IOV networking| +| | |support introduced in Juno based | +| | |on the ``sriovnicswitch`` ML2 | +| | |driver is expected to work with | +| | |IPv4 and IPv6 enabled VMs. We | +| | |need to verify if it works or not| ++-------------------------------------+-------------------------+---------------------------------+ +|Additional IPv6 extensions, for |**No** |It does not appear to be | +|example: IPSEC, IPv6 Anycast, | |considered yet (lack of clear | +|Multicast | |requirements) | ++-------------------------------------+-------------------------+---------------------------------+ +|VM access to the meta-data server to |**No** |This is currently not supported. | +|obtain user data, SSH keys, etc. | |Config-drive or dual-stack IPv4 /| +|using cloud-init with IPv6 only | | IPv6 can be used as a workaround| +|interfaces. | |(so that the IPv4 network is used| +| | |to obtain connectivity with the | +| | |metadata service) | ++-------------------------------------+-------------------------+---------------------------------+ +|Full support for IPv6 matching (i.e.,|Yes | | +|IPv6, ICMPv6, TCP, UDP) in security | | | +|groups. Ability to control and manage| | | +|all IPv6 security group capabilities | | | +|via Neutron/Nova API (REST and CLI) | | | +|as well as via Horizon. | | | ++-------------------------------------+-------------------------+---------------------------------+ +|During network/subnet/router create, |Yes |Two new Subnet attributes were | +|there should be an option to allow | |introduced to control IPv6 | +|user to specify the type of address | |address assignment options: | +|management they would like. This | | | +|includes all options including those | |* ``ipv6-ra-mode``: to determine | +|low priority if implemented (e.g., | | who sends Router Advertisements| +|toggle on/off router and address | | | +|prefix advertisements); It must be | |* ``ipv6-address-mode``: to | +|supported via Neutron API (REST and | | determine how VM obtains IPv6 | +|CLI) as well as via Horizon | | address, default gateway, and/ | +| | | or optional information. | ++-------------------------------------+-------------------------+---------------------------------+ +|Security groups anti-spoofing: |Yes | | +|Prevent VM from using a source | | | +|IPv6/MAC address which is not | | | +|assigned to the VM | | | ++-------------------------------------+-------------------------+---------------------------------+ +|Protect tenant and provider network |Yes |When using a tenant network, | +|from rough RAs | |Neutron is going to automatically| +| | |handle the filter rules to allow | +| | |connectivity of RAs to the VMs | +| | |only from the Neutron router | +| | |port; with provider networks, | +| | |users are required to specify the| +| | |LLA of the upstream router during| +| | |the subnet creation, or otherwise| +| | |manually edit the security-groups| +| | |rules to allow incoming traffic | +| | |from this specific address. | ++-------------------------------------+-------------------------+---------------------------------+ +|Support the ability to assign |Yes | | +|multiple IPv6 addresses to an | | | +|interface; both for Neutron router | | | +|interfaces and VM interfaces. | | | ++-------------------------------------+-------------------------+---------------------------------+ +|Ability for a VM to support a mix of |Yes | | +|multiple IPv4 and IPv6 networks, | | | +|including multiples of the same type.| | | ++-------------------------------------+-------------------------+---------------------------------+ +|Support for IPv6 Prefix Delegation. |**Roadmap** |Some partial support is available| +| | |in Liberty release | ++-------------------------------------+-------------------------+---------------------------------+ +|Distributed Virtual Routing (DVR) |**No** |Blueprint proposed upstream, | +|support for IPv6 | |pending discussion | ++-------------------------------------+-------------------------+---------------------------------+ +|IPv6 First-Hop Security, IPv6 ND |**Roadmap** |Supported in Liberty release | +|spoofing. | | | ++-------------------------------------+-------------------------+---------------------------------+ +|IPv6 support in Neutron Layer3 High |Yes | | +|Availability (keepalived+VRRP). | | | ++-------------------------------------+-------------------------+---------------------------------+ |