summaryrefslogtreecommitdiffstats
path: root/docs/gapanalysis/gap-analysis-openstack-kilo.rst
blob: 39fc391165d363fc652ecc281008211c0aaba300 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
=====================================
IPv6 Gap Analysis with OpenStack Kilo
=====================================

This section provides users with IPv6 gap analysis regarding feature requirement with
OpenStack Neutron in Kilo Official Release. The following table lists the use cases / feature
requirements of VIM-agnostic IPv6 functionality, including infrastructure layer and VNF
(VM) layer, and its gap analysis with OpenStack Neutron in Kilo Official Release.

+-------------------------------------+-------------------------+---------------------------------+
|Use Case / Requirement               |Supported in Kilo Neutron|Notes                            |
+=====================================+=========================+=================================+
|All topologies work in a multi-tenant|Yes                      |The IPv6 design is following the |
|environment                          |                         |Neutron tenant networks model;   |
|                                     |                         |dnsmasq is being used inside DHCP|
|                                     |                         |network namespaces, while radvd  |
|                                     |                         |is being used inside Neutron     |
|                                     |                         |routers namespaces to provide    |
|                                     |                         |full isolation between tenants.  |
|                                     |                         |Tenant isolation can be based on |
|                                     |                         |VLANs, GRE, or VXLAN             |
|                                     |                         |encapsulation. In case of        |
|                                     |                         |overlays, the transport network  |
|                                     |                         |(and VTEPs) must be IPv4 based as|
|                                     |                         |of today.                        |
+-------------------------------------+-------------------------+---------------------------------+
|IPv6 VM to VM only                   |Yes                      |It is possible to assign IPv6-   |
|                                     |                         |only addresses to VMs. Both      |
|                                     |                         |switching (within VMs on the same|
|                                     |                         |tenant network) as well as east /|
|                                     |                         |west routing (between different  |
|                                     |                         |networks of the same tenant) are |
|                                     |                         |supported.                       |
+-------------------------------------+-------------------------+---------------------------------+
|IPv6 external L2 VLAN directly       |Yes                      |IPv6 provider network model; RA  |
|attached to a VM                     |                         |messages from upstream (external)|
|                                     |                         |router are forwarded into the VMs|
+-------------------------------------+-------------------------+---------------------------------+
|IPv6 subnet routed via L3 agent to an|                         |Configuration is enhanced in Kilo|
|external IPv6 network                |                         |to allow easier setup of the     |
|                                     |1. Yes                   |upstream gateway, without the    |
|1. Both VLAN and overlay (e.g. GRE,  |                         |user forced to create an IPv6    |
|   VXLAN) subnet attached to VMs;    |                         |subnet for the external network. |
|2. Must be able to support multiple  |2. Yes                   |                                 |
|   L3 agents for a given external    |                         |                                 |
|   network to support scaling        |                         |                                 |
|   (neutron scheduler to assign      |                         |                                 |
|   vRouters to the L3 agents)        |                         |                                 |
+-------------------------------------+-------------------------+---------------------------------+
|Ability for a NIC to support both    |                         |Dual-stack is supported in       |
|IPv4 and IPv6 (dual stack) address.  |                         |Neutron with the addition of     |
|                                     |                         |``Multiple IPv6 Prefixes``       |
|1. VM with a single interface        |1. Yes                   |Blueprint                        |
|   associated with a network, which  |                         |                                 |
|   is then associated with two       |                         |                                 |
|   subnets                           |                         |                                 |
|2. VM with two different interfaces  |2. Yes                   |                                 |
|   associated with two different     |                         |                                 |
|   networks and two different subnets|                         |                                 |
+-------------------------------------+-------------------------+---------------------------------+
|Support IPv6 Address assignment modes|1. Yes                   |                                 |
|                                     |                         |                                 |
|1. SLAAC                             |2. Yes                   |                                 |
|2. DHCPv6 Stateless                  |                         |                                 |
|3. DHCPv6 Stateful                   |3. Yes                   |                                 |
+-------------------------------------+-------------------------+---------------------------------+
|Ability to create a port on an IPv6  |Yes                      |                                 |
|DHCPv6 Stateful subnet and assign a  |                         |                                 |
|specific IPv6 address to the port and|                         |                                 |
|have it taken out of the DHCP address|                         |                                 |
|pool.                                |                         |                                 |
+-------------------------------------+-------------------------+---------------------------------+
|Ability to create a port with        |**No**                   |The following patch disables this|
|fixed_ip for a SLAAC/DHCPv6-Stateless|                         |operation: https://review.opensta|
|Subnet.                              |                         |ck.org/#/c/129144/               |
+-------------------------------------+-------------------------+---------------------------------+
|Support for private IPv6 to external |**Rejected**             |Blueprint proposed in upstream   |
|IPv6 floating IP; Ability to specify |                         |and got rejected. General        |
|floating IPs via Neutron API (REST   |                         |expectation is to avoid NAT with |
|and CLI) as well as via Horizon,     |                         |IPv6 by assigning GUA to tenant  |
|including combination of IPv6/IPv4   |                         |VMs. See https://review.openstack|
|and IPv4/IPv6 floating IPs if        |                         |.org/#/c/139731/ for discussion. |
|implemented.                         |                         |                                 |
+-------------------------------------+-------------------------+---------------------------------+
|Provide IPv6/IPv4 feature parity in  |**To-Do**                |The L3 configuration should be   |
|support for pass-through capabilities|                         |transparent for the SR-IOV       |
|(e.g., SR-IOV).                      |                         |implementation. SR-IOV networking|
|                                     |                         |support introduced in Juno based |
|                                     |                         |on the ``sriovnicswitch`` ML2    |
|                                     |                         |driver is expected to work with  |
|                                     |                         |IPv4 and IPv6 enabled VMs. We    |
|                                     |                         |need to verify if it works or not|
+-------------------------------------+-------------------------+---------------------------------+
|Additional IPv6 extensions, for      |**No**                   |It does not appear to be         |
|example: IPSEC, IPv6 Anycast,        |                         |considered yet (lack of clear    |
|Multicast                            |                         |requirements)                    |
+-------------------------------------+-------------------------+---------------------------------+
|VM access to the meta-data server to |**No**                   |This is currently not supported. |
|obtain user data, SSH keys, etc.     |                         |Config-drive or dual-stack IPv4 /|
|using cloud-init with IPv6 only      |                         | IPv6 can be used as a workaround|
|interfaces.                          |                         |(so that the IPv4 network is used|
|                                     |                         |to obtain connectivity with the  |
|                                     |                         |metadata service)                |
+-------------------------------------+-------------------------+---------------------------------+
|Full support for IPv6 matching (i.e.,|Yes                      |                                 |
|IPv6, ICMPv6, TCP, UDP) in security  |                         |                                 |
|groups. Ability to control and manage|                         |                                 |
|all IPv6 security group capabilities |                         |                                 |
|via Neutron/Nova API (REST and CLI)  |                         |                                 |
|as well as via Horizon.              |                         |                                 |
+-------------------------------------+-------------------------+---------------------------------+
|During network/subnet/router create, |Yes                      |Two new Subnet attributes were   |
|there should be an option to allow   |                         |introduced to control IPv6       |
|user to specify the type of address  |                         |address assignment options:      |
|management they would like. This     |                         |                                 |
|includes all options including those |                         |* ``ipv6-ra-mode``: to determine |
|low priority if implemented (e.g.,   |                         |  who sends Router Advertisements|
|toggle on/off router and address     |                         |                                 |
|prefix advertisements); It must be   |                         |* ``ipv6-address-mode``: to      |
|supported via Neutron API (REST and  |                         |  determine how VM obtains IPv6  |
|CLI) as well as via Horizon          |                         |  address, default gateway, and/ |
|                                     |                         |  or optional information.       |
+-------------------------------------+-------------------------+---------------------------------+
|Security groups anti-spoofing:       |Yes                      |                                 |
|Prevent VM from using a source       |                         |                                 |
|IPv6/MAC address which is not        |                         |                                 |
|assigned to the VM                   |                         |                                 |
+-------------------------------------+-------------------------+---------------------------------+
|Protect tenant and provider network  |Yes                      |When using a tenant network,     |
|from rough RAs                       |                         |Neutron is going to automatically|
|                                     |                         |handle the filter rules to allow |
|                                     |                         |connectivity of RAs to the VMs   |
|                                     |                         |only from the Neutron router     |
|                                     |                         |port; with provider networks,    |
|                                     |                         |users are required to specify the|
|                                     |                         |LLA of the upstream router during|
|                                     |                         |the subnet creation, or otherwise|
|                                     |                         |manually edit the security-groups|                    
|                                     |                         |rules to allow incoming traffic  |
|                                     |                         |from this specific address.      |
+-------------------------------------+-------------------------+---------------------------------+
|Support the ability to assign        |Yes                      |                                 |
|multiple IPv6 addresses to an        |                         |                                 |
|interface; both for Neutron router   |                         |                                 |
|interfaces and VM interfaces.        |                         |                                 |
+-------------------------------------+-------------------------+---------------------------------+
|Ability for a VM to support a mix of |Yes                      |                                 |
|multiple IPv4 and IPv6 networks,     |                         |                                 |
|including multiples of the same type.|                         |                                 |
+-------------------------------------+-------------------------+---------------------------------+
|Support for IPv6 Prefix Delegation.  |**Roadmap**              |Some partial support is available|
|                                     |                         |in Liberty release               |
+-------------------------------------+-------------------------+---------------------------------+
|Distributed Virtual Routing (DVR)    |**No**                   |Blueprint proposed upstream,     |
|support for IPv6                     |                         |pending discussion               |
+-------------------------------------+-------------------------+---------------------------------+
|IPv6 First-Hop Security, IPv6 ND     |**Roadmap**              |Supported in Liberty release     |
|spoofing.                            |                         |                                 |
+-------------------------------------+-------------------------+---------------------------------+
|IPv6 support in Neutron Layer3 High  |Yes                      |                                 |
|Availability (keepalived+VRRP).      |                         |                                 |
+-------------------------------------+-------------------------+---------------------------------+