From 32fe756487f428ee64184cb0d68789bf8737caae Mon Sep 17 00:00:00 2001 From: Bin Hu Date: Fri, 29 Jan 2016 10:54:38 -0800 Subject: JIRA:IPVSIX-29 Change-Id: I1adc2078b15c897589470389b5374826e8db5e4c Signed-off-by: Bin Hu (cherry picked from commit 5375173b0c97059cc3adc71c4b648fe694ba866f) --- docs/gapanalysis/gap-analysis-openstack-kilo.rst | 242 +++++++++++++---------- 1 file changed, 140 insertions(+), 102 deletions(-) (limited to 'docs') diff --git a/docs/gapanalysis/gap-analysis-openstack-kilo.rst b/docs/gapanalysis/gap-analysis-openstack-kilo.rst index 0cc0f05..b3e185b 100644 --- a/docs/gapanalysis/gap-analysis-openstack-kilo.rst +++ b/docs/gapanalysis/gap-analysis-openstack-kilo.rst @@ -7,106 +7,144 @@ OpenStack Neutron in Kilo Official Release. The following table lists the use ca requirements of VIM-agnostic IPv6 functionality, including infrastructure layer and VNF (VM) layer, and its gap analysis with OpenStack Neutron in Kilo Official Release. -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|Use Case / Requirement |Supported in Kilo Neutron|Notes | -+===========================================================+=========================+====================================================================+ -|All topologies work in a multi-tenant environment |Yes |The IPv6 design is following the Neutron tenant networks model; | -| | |dnsmasq is being used inside DHCP network namespaces, while radvd | -| | |is being used inside Neutron routers namespaces to provide full | -| | |isolation between tenants. Tenant isolation can be based on VLANs, | -| | |GRE, or VXLAN encapsulation. In case of overlays, the transport | -| | |network (and VTEPs) must be IPv4 based as of today. | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|IPv6 VM to VM only |Yes |It is possible to assign IPv6-only addresses to VMs. Both switching | -| | |(within VMs on the same tenant network) as well as east/west routing| -| | |(between different networks of the same tenant) are supported. | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|IPv6 external L2 VLAN directly attached to a VM |Yes |IPv6 provider network model; RA messages from upstream (external) | -| | |router are forwarded into the VMs | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|IPv6 subnet routed via L3 agent to an external IPv6 network| |Configuration is enhanced in Kilo to allow easier setup of the | -| |1. Yes |upstream gateway, without the user forced to create an IPv6 subnet | -|1. Both VLAN and overlay (e.g. GRE, VXLAN) subnet attached | |for the external network. | -| to VMs; | | | -|2. Must be able to support multiple L3 agents for a given |2. Yes | | -| external network to support scaling (neutron scheduler | | | -| to assign vRouters to the L3 agents) | | | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|Ability for a NIC to support both IPv4 and IPv6 (dual | |Dual-stack is supported in Neutron with the addition of | -|stack) address. | |``Multiple IPv6 Prefixes`` Blueprint | -| | | | -|1. VM with a single interface associated with a network, |1. Yes | | -| which is then associated with two subnets. | | | -|2. VM with two different interfaces associated with two |2. Yes | | -| different networks and two different subnets. | | | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|Support IPv6 Address assignment modes. |1. Yes | | -| | | | -|1. SLAAC |2. Yes | | -|2. DHCPv6 Stateless | | | -|3. DHCPv6 Stateful |3. Yes | | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|Ability to create a port on an IPv6 DHCPv6 Stateful subnet |Yes | | -|and assign a specific IPv6 address to the port and have it | | | -|taken out of the DHCP address pool. | | | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|Ability to create a port with fixed_ip for a |**No** |The following patch disables this operation: | -|SLAAC/DHCPv6-Stateless Subnet. | |https://review.openstack.org/#/c/129144/ | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|Support for private IPv6 to external IPv6 floating IP; |**Rejected** |Blueprint proposed in upstream and got rejected. General expectation| -|Ability to specify floating IPs via Neutron API (REST and | |is to avoid NAT with IPv6 by assigning GUA to tenant VMs. See | -|CLI) as well as via Horizon, including combination of | |https://review.openstack.org/#/c/139731/ for discussion. | -|IPv6/IPv4 and IPv4/IPv6 floating IPs if implemented. | | | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|Provide IPv6/IPv4 feature parity in support for |**To-Do** |The L3 configuration should be transparent for the SR-IOV | -|pass-through capabilities (e.g., SR-IOV). | |implementation. SR-IOV networking support introduced in Juno based | -| | |on the ``sriovnicswitch`` ML2 driver is expected to work with IPv4 | -| | |and IPv6 enabled VMs. We need to verify if it works or not | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|Additional IPv6 extensions, for example: IPSEC, IPv6 |**No** |It does not appear to be considered yet (lack of clear requirements)| -|Anycast, Multicast | | | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|VM access to the meta-data server to obtain user data, SSH |**No** |This is currently not supported. Config-drive or dual-stack IPv4 / | -|keys, etc. using cloud-init with IPv6 only interfaces. | |IPv6 can be used as a workaround (so that the IPv4 network is used | -| | |to obtain connectivity with the metadata service) | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|Full support for IPv6 matching (i.e., IPv6, ICMPv6, TCP, |Yes | | -|UDP) in security groups. Ability to control and manage all | | | -|IPv6 security group capabilities via Neutron/Nova API (REST| | | -|and CLI) as well as via Horizon. | | | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|During network/subnet/router create, there should be an |Yes |Two new Subnet attributes were introduced to control IPv6 address | -|option to allow user to specify the type of address | |assignment options: | -|management they would like. This includes all options | | | -|including those low priority if implemented (e.g., toggle | |* ``ipv6-ra-mode``: to determine who sends Router Advertisements; | -|on/off router and address prefix advertisements); It must | | | -|be supported via Neutron API (REST and CLI) as well as via | |* ``ipv6-address-mode``: to determine how VM obtains IPv6 address, | -|Horizon | | default gateway, and/or optional information. | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|Security groups anti-spoofing: Prevent VM from using a |Yes | | -|source IPv6/MAC address which is not assigned to the VM | | | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|Protect tenant and provider network from rough RAs |Yes |When using a tenant network, Neutron is going to automatically | -| | |handle the filter rules to allow connectivity of RAs to the VMs only| -| | |from the Neutron router port; with provider networks, users are | -| | |required to specify the LLA of the upstream router during the subnet| -| | |creation, or otherwise manually edit the security-groups rules to | -| | |allow incoming traffic from this specific address. | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|Support the ability to assign multiple IPv6 addresses to |Yes | | -|an interface; both for Neutron router interfaces and VM | | | -|interfaces. | | | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|Ability for a VM to support a mix of multiple IPv4 and IPv6|Yes | | -|networks, including multiples of the same type. | | | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|Support for IPv6 Prefix Delegation. |**Roadmap** |Some partial support is available in Liberty release | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|Distributed Virtual Routing (DVR) support for IPv6 |**No** |Blueprint proposed upstream, pending discussion. | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|IPv6 First-Hop Security, IPv6 ND spoofing. |**Roadmap** |Supported in Liberty release | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ -|IPv6 support in Neutron Layer3 High Availability |Yes | | -|(keepalived+VRRP). | | | -+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+ ++-------------------------------------+------------+-----------------------------------------------+ +|Use Case / Requirement |Supported in|Notes | +| |Kilo Neutron| | +|=====================================+============+===============================================+ +|All topologies work in a multi-tenant|Yes |The IPv6 design is following the Neutron tenant| +|environment | |networks model; dnsmasq is being used inside | +| | |DHCP network namespaces, while radvd is being | +| | |used inside Neutron routers namespaces to | +| | |provide full isolation between tenants. Tenant | +| | |isolation can be based on VLANs, GRE, or VXLAN | +| | |encapsulation. In case of overlays, the | +| | |transport network (and VTEPs) must be IPv4 | +| | |based as of today. | ++-------------------------------------+------------+-----------------------------------------------+ +|IPv6 VM to VM only |Yes |It is possible to assign IPv6-only addresses to| +| | |VMs. Both switching (within VMs on the same | +| | |tenant network) as well as east/west routing | +| | |(between different networks of the same tenant)| +| | |are supported. | ++-------------------------------------+------------+-----------------------------------------------+ +|IPv6 external L2 VLAN directly |Yes |IPv6 provider network model; RA messages from | +|attached to a VM | |upstream (external) router are forwarded into | +| | |the VMs | ++-------------------------------------+------------+-----------------------------------------------+ +|IPv6 subnet routed via L3 agent to an| |Configuration is enhanced in Kilo to allow | +|external IPv6 network | |easier setup of the upstream gateway, without | +| |1. Yes |the user forced to create an IPv6 subnet for | +|1. Both VLAN and overlay (e.g. GRE, | |the external network. | +| VXLAN) subnet attached to VMs; | | | +|2. Must be able to support multiple |2. Yes | | +| L3 agents for a given external | | | +| network to support scaling | | | +| (neutron scheduler to assign | | | +| vRouters to the L3 agents) | | | ++-------------------------------------+------------+-----------------------------------------------+ +|Ability for a NIC to support both | |Dual-stack is supported in Neutron with the | +|IPv4 and IPv6 (dual stack) address. | |addition of ``Multiple IPv6 Prefixes`` | +| | |Blueprint | +|1. VM with a single interface |1. Yes | | +| associated with a network, which | | | +| is then associated with two | | | +| subnets | | | +|2. VM with two different interfaces |2. Yes | | +| associated with two different | | | +| networks and two different subnets| | | ++-------------------------------------+------------+-----------------------------------------------+ +|Support IPv6 Address assignment modes|1. Yes | | +| | | | +|1. SLAAC |2. Yes | | +|2. DHCPv6 Stateless | | | +|3. DHCPv6 Stateful |3. Yes | | ++-------------------------------------+------------+-----------------------------------------------+ +|Ability to create a port on an IPv6 |Yes | | +|DHCPv6 Stateful subnet and assign a | | | +|specific IPv6 address to the port and| | | +|have it taken out of the DHCP address| | | +|pool. | | | ++-------------------------------------+------------+-----------------------------------------------+ +|Ability to create a port with |**No** |The following patch disables this operation: | +|fixed_ip for a SLAAC/DHCPv6-Stateless| |https://review.openstack.org/#/c/129144/ | +|Subnet. | | | ++-------------------------------------+------------+-----------------------------------------------+ +|Support for private IPv6 to external |**Rejected**|Blueprint proposed in upstream and got | +|IPv6 floating IP; Ability to specify | |rejected. General expectation is to avoid NAT | +|floating IPs via Neutron API (REST | |with IPv6 by assigning GUA to tenant VMs. See | +|and CLI) as well as via Horizon, | |https://review.openstack.org/#/c/139731/ | +|including combination of IPv6/IPv4 | |for discussion. | +|and IPv4/IPv6 floating IPs if | | | +|implemented. | | | ++-------------------------------------+------------+-----------------------------------------------+ +|Provide IPv6/IPv4 feature parity in |**To-Do** |The L3 configuration should be transparent for | +|support for pass-through capabilities| |the SR-IOV implementation. SR-IOV networking | +|(e.g., SR-IOV). | |support introduced in Juno based on the | +| | |``sriovnicswitch`` ML2 driver is expected to | +| | |work with IPv4 and IPv6 enabled VMs. We need to| +| | |verify if it works or not | ++-------------------------------------+------------+-----------------------------------------------+ +|Additional IPv6 extensions, for |**No** |It does not appear to be considered yet (lack | +|example: IPSEC, IPv6 Anycast, | |of clear requirements) | +|Multicast | | | ++-------------------------------------+------------+-----------------------------------------------+ +|VM access to the meta-data server to |**No** |This is currently not supported. Config-drive | +|obtain user data, SSH keys, etc. | |or dual-stack IPv4 / IPv6 can be used as a | +|using cloud-init with IPv6 only | |workaround (so that the IPv4 network is used to| +|interfaces. | |obtain connectivity with the metadata service) | ++-------------------------------------+------------+-----------------------------------------------+ +|Full support for IPv6 matching (i.e.,|Yes | | +|IPv6, ICMPv6, TCP, UDP) in security | | | +|groups. Ability to control and manage| | | +|all IPv6 security group capabilities | | | +|via Neutron/Nova API (REST and CLI) | | | +|as well as via Horizon. | | | ++-------------------------------------+------------+-----------------------------------------------+ +|During network/subnet/router create, |Yes |Two new Subnet attributes were introduced to | +|there should be an option to allow | |control IPv6 address assignment options: | +|user to specify the type of address | | | +|management they would like. This | | | +|includes all options including those | |* ``ipv6-ra-mode``: to determine who sends | +|low priority if implemented (e.g., | | Router Advertisements; | +|toggle on/off router and address | | | +|prefix advertisements); It must be | |* ``ipv6-address-mode``: to determine how VM | +|supported via Neutron API (REST and | | obtains IPv6 address, default gateway, and/or| +|CLI) as well as via Horizon | | optional information. | ++-------------------------------------+------------+-----------------------------------------------+ +|Security groups anti-spoofing: |Yes | | +|Prevent VM from using a source | | | +|IPv6/MAC address which is not | | | +|assigned to the VM | | | ++-------------------------------------+------------+-----------------------------------------------+ +|Protect tenant and provider network |Yes |When using a tenant network, Neutron is going | +|from rough RAs | |to automatically handle the filter rules to | +| | |allow connectivity of RAs to the VMs only from | +| | |the Neutron router port; with provider | +| | |networks, users are required to specify the LLA| +| | |of the upstream router during the subnet | +| | |creation, or otherwise manually edit the | +| | |security-groups rules to allow incoming traffic| +| | |from this specific address. | ++-------------------------------------+------------+-----------------------------------------------+ +|Support the ability to assign |Yes | | +|multiple IPv6 addresses to an | | | +|interface; both for Neutron router | | | +|interfaces and VM interfaces. | | | ++-------------------------------------+------------+-----------------------------------------------+ +|Ability for a VM to support a mix of |Yes | | +|multiple IPv4 and IPv6 networks, | | | +|including multiples of the same type.| | | ++-------------------------------------+------------+-----------------------------------------------+ +|Support for IPv6 Prefix Delegation. |**Roadmap** |Some partial support is available in Liberty | +| | |release | ++-------------------------------------+------------+-----------------------------------------------+ +|Distributed Virtual Routing (DVR) |**No** |Blueprint proposed upstream, pending discussion| +|support for IPv6 | | | ++-------------------------------------+------------+-----------------------------------------------+ +|IPv6 First-Hop Security, IPv6 ND |**Roadmap** |Supported in Liberty release | +|spoofing. | | | ++-------------------------------------+------------+-----------------------------------------------+ +|IPv6 support in Neutron Layer3 High |Yes | | +|Availability (keepalived+VRRP). | | | ++-------------------------------------+------------+-----------------------------------------------+ -- cgit 1.2.3-korg