1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
=====================================
IPv6 Gap Analysis with OpenStack Kilo
=====================================
This section provides users with IPv6 gap analysis regarding feature requirement with
OpenStack Neutron in Kilo Official Release. The following table lists the use cases / feature
requirements of VIM-agnostic IPv6 functionality, including infrastructure layer and VNF
(VM) layer, and its gap analysis with OpenStack Neutron in Kilo Official Release.
.. table::
:class: longtable
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|Use Case / Requirement |Supported in Kilo Neutron|Notes |
+===========================================================+=========================+====================================================================+
|All topologies work in a multi-tenant environment |Yes |The IPv6 design is following the Neutron tenant networks model; |
| | |dnsmasq is being used inside DHCP network namespaces, while radvd |
| | |is being used inside Neutron routers namespaces to provide full |
| | |isolation between tenants. Tenant isolation can be based on VLANs, |
| | |GRE, or VXLAN encapsulation. In case of overlays, the transport |
| | |network (and VTEPs) must be IPv4 based as of today. |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|IPv6 VM to VM only |Yes |It is possible to assign IPv6-only addresses to VMs. Both switching |
| | |(within VMs on the same tenant network) as well as east/west routing|
| | |(between different networks of the same tenant) are supported. |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|IPv6 external L2 VLAN directly attached to a VM |Yes |IPv6 provider network model; RA messages from upstream (external) |
| | |router are forwarded into the VMs |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|IPv6 subnet routed via L3 agent to an external IPv6 network| |Configuration is enhanced in Kilo to allow easier setup of the |
| |1. Yes |upstream gateway, without the user forced to create an IPv6 subnet |
|1. Both VLAN and overlay (e.g. GRE, VXLAN) subnet attached | |for the external network. |
| to VMs; | | |
|2. Must be able to support multiple L3 agents for a given |2. Yes | |
| external network to support scaling (neutron scheduler | | |
| to assign vRouters to the L3 agents) | | |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|Ability for a NIC to support both IPv4 and IPv6 (dual | |Dual-stack is supported in Neutron with the addition of |
|stack) address. | |``Multiple IPv6 Prefixes`` Blueprint |
| | | |
|1. VM with a single interface associated with a network, |1. Yes | |
| which is then associated with two subnets. | | |
|2. VM with two different interfaces associated with two |2. Yes | |
| different networks and two different subnets. | | |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|Support IPv6 Address assignment modes. |1. Yes | |
| | | |
|1. SLAAC |2. Yes | |
|2. DHCPv6 Stateless | | |
|3. DHCPv6 Stateful |3. Yes | |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|Ability to create a port on an IPv6 DHCPv6 Stateful subnet |Yes | |
|and assign a specific IPv6 address to the port and have it | | |
|taken out of the DHCP address pool. | | |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|Ability to create a port with fixed_ip for a |**No** |The following patch disables this operation: |
|SLAAC/DHCPv6-Stateless Subnet. | |https://review.openstack.org/#/c/129144/ |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|Support for private IPv6 to external IPv6 floating IP; |**Rejected** |Blueprint proposed in upstream and got rejected. General expectation|
|Ability to specify floating IPs via Neutron API (REST and | |is to avoid NAT with IPv6 by assigning GUA to tenant VMs. See |
|CLI) as well as via Horizon, including combination of | |https://review.openstack.org/#/c/139731/ for discussion. |
|IPv6/IPv4 and IPv4/IPv6 floating IPs if implemented. | | |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|Provide IPv6/IPv4 feature parity in support for |**To-Do** |The L3 configuration should be transparent for the SR-IOV |
|pass-through capabilities (e.g., SR-IOV). | |implementation. SR-IOV networking support introduced in Juno based |
| | |on the ``sriovnicswitch`` ML2 driver is expected to work with IPv4 |
| | |and IPv6 enabled VMs. We need to verify if it works or not |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|Additional IPv6 extensions, for example: IPSEC, IPv6 |**No** |It does not appear to be considered yet (lack of clear requirements)|
|Anycast, Multicast | | |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|VM access to the meta-data server to obtain user data, SSH |**No** |This is currently not supported. Config-drive or dual-stack IPv4 / |
|keys, etc. using cloud-init with IPv6 only interfaces. | |IPv6 can be used as a workaround (so that the IPv4 network is used |
| | |to obtain connectivity with the metadata service) |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|Full support for IPv6 matching (i.e., IPv6, ICMPv6, TCP, |Yes | |
|UDP) in security groups. Ability to control and manage all | | |
|IPv6 security group capabilities via Neutron/Nova API (REST| | |
|and CLI) as well as via Horizon. | | |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|During network/subnet/router create, there should be an |Yes |Two new Subnet attributes were introduced to control IPv6 address |
|option to allow user to specify the type of address | |assignment options: |
|management they would like. This includes all options | | |
|including those low priority if implemented (e.g., toggle | |* ``ipv6-ra-mode``: to determine who sends Router Advertisements; |
|on/off router and address prefix advertisements); It must | | |
|be supported via Neutron API (REST and CLI) as well as via | |* ``ipv6-address-mode``: to determine how VM obtains IPv6 address, |
|Horizon | | default gateway, and/or optional information. |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|Security groups anti-spoofing: Prevent VM from using a |Yes | |
|source IPv6/MAC address which is not assigned to the VM | | |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|Protect tenant and provider network from rough RAs |Yes |When using a tenant network, Neutron is going to automatically |
| | |handle the filter rules to allow connectivity of RAs to the VMs only|
| | |from the Neutron router port; with provider networks, users are |
| | |required to specify the LLA of the upstream router during the subnet|
| | |creation, or otherwise manually edit the security-groups rules to |
| | |allow incoming traffic from this specific address. |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|Support the ability to assign multiple IPv6 addresses to |Yes | |
|an interface; both for Neutron router interfaces and VM | | |
|interfaces. | | |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|Ability for a VM to support a mix of multiple IPv4 and IPv6|Yes | |
|networks, including multiples of the same type. | | |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|Support for IPv6 Prefix Delegation. |**Roadmap** |Some partial support is available in Liberty release |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|Distributed Virtual Routing (DVR) support for IPv6 |**No** |Blueprint proposed upstream, pending discussion. |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|IPv6 First-Hop Security, IPv6 ND spoofing. |**Roadmap** |Supported in Liberty release |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|IPv6 support in Neutron Layer3 High Availability |Yes | |
|(keepalived+VRRP). | | |
+-----------------------------------------------------------+-------------------------+--------------------------------------------------------------------+
|