SLAAC or DHCPv6 stateless doesn't work on isolated Neutron networks

Bug #1638130 reported by Dustin Lundquist
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
neutron | Invalid | Undecided | Unassigned |

Bug Description

On an isolated IPv6 network no router advertisements are sent, so the instances are unable to discover what prefix to use. To enable instances to discover which prefixes are on-link, router advertisements with a router lifetime of zero should be sent (from the DHCP namespace): https://tools.ietf.org/html/rfc4861#page-43. Dnsmasq seems to support this via the --ra-param option:

--ra-param=<interface>,[high|low],[[<ra-interval>],<router lifetime>]
Set non-default values for router advertisements sent via an interface. The priority field for the router may be altered from the default of medium with eg --ra-param=eth0,high. The interval between router advertisements may be set (in seconds) with --ra-param=eth0,60. The lifetime of the route may be changed or set to zero, which allows a router to advertise prefixes but not a route via itself: --ra-param=eth0,0,0 (A value of zero for the interval means the default value.) All three parameters may be set at once: --ra-param=low,60,1200. The interface field may include a wildcard.

Alternatively radvd could be used within the DHCP namespace.

Steps to reproduce:

$ openstack network create isolated-ipv6
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2016-10-31T20:14:13Z |
| description | |
| headers | |
| id | 7044aa9b-937f-4f7d-9073-00512f88a066 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| mtu | 1450 |
| name | isolated-ipv6 |
| port_security_enabled | True |
| project_id | 6d80770322b64b8ba57038788004e93e |
| project_id | 6d80770322b64b8ba57038788004e93e |
| provider:network_type | vxlan |
| provider:physical_network | None |
| provider:segmentation_id | 11 |
| revision_number | 3 |
| router:external | Internal |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | [] |
| updated_at | 2016-10-31T20:14:13Z |
+---------------------------+--------------------------------------+
$ openstack subnet create --ip-version 6 --ipv6-ra-mode slaac --ipv6-address-mode slaac --network 7044aa9b-937f-4f7d-9073-00512f88a066 --subnet-range fddd:fd72:8298::/64 isolated-ipv6-subnet
+-------------------+--------------------------------------------------------+
| Field | Value |
+-------------------+--------------------------------------------------------+
| allocation_pools | fddd:fd72:8298::2-fddd:fd72:8298:0:ffff:ffff:ffff:ffff |
| cidr | fddd:fd72:8298::/64 |
| created_at | 2016-10-31T20:17:44Z |
| description | |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | fddd:fd72:8298::1 |
| headers | |
| host_routes | |
| id | 96bf9b9f-736b-46c3-86f0-029c6d5f6e92 |
| ip_version | 6 |
| ipv6_address_mode | slaac |
| ipv6_ra_mode | slaac |
| name | isolated-ipv6-subnet |
| network_id | 7044aa9b-937f-4f7d-9073-00512f88a066 |
| project_id | 6d80770322b64b8ba57038788004e93e |
| project_id | 6d80770322b64b8ba57038788004e93e |
| revision_number | 2 |
| service_types | |
| subnetpool_id | None |
| updated_at | 2016-10-31T20:17:44Z |
+-------------------+--------------------------------------------------------+
$ openstack server create --image cirros-0.3.4-x86_64-uec --flavor m1.tiny --nic net-id=7044aa9b-937f-4f7d-9073-00512f88a066 test-server
+--------------------------------------+----------------------------------------------------------------+
| Field | Value |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-SRV-ATTR:host | None |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None |
| OS-EXT-SRV-ATTR:instance_name | |
| OS-EXT-STS:power_state | NOSTATE |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | None |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | |
| adminPass | iTkyyFge6Z5C |
| config_drive | |
| created | 2016-10-31T20:19:34Z |
| flavor | m1.tiny (1) |
| hostId | |
| id | f494a313-df9e-494e-a203-ced29d3e9759 |
| image | cirros-0.3.4-x86_64-uec (2eee9b4a-a5d9-4de0-bc35-350093dab3b9) |
| key_name | None |
| name | test-server |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| project_id | 6d80770322b64b8ba57038788004e93e |
| properties | |
| security_groups | [{u'name': u'default'}] |
| status | BUILD |
| updated | 2016-10-31T20:19:34Z |
| user_id | 8666967e103a43bfb90aed2e107946a6 |
+--------------------------------------+----------------------------------------------------------------+

Connect to the instance console and verify no IPv6 address aside from a link-local address is assigned.

Tags: ipv6
tags: added: ipv6
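
The behaviour requested in the description, as an added example (not part of the original report, and not Neutron or dnsmasq code): a Router Advertisement per RFC 4861 with router lifetime 0 still carries a Prefix Information option, so a guest learns the on-link prefix and forms a SLAAC address without installing a default route. The function names, the lifetimes and the MAC address used in the test are constructed for illustration.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type, RFC 4861 section 4.2
OPT_PREFIX_INFO = 3      # Prefix Information option, RFC 4861 section 4.6.2
FLAG_ON_LINK, FLAG_AUTONOMOUS = 0x80, 0x40

def build_ra(prefix, router_lifetime, valid=86400, preferred=14400):
    """Constructed RA body (checksum left at 0) carrying one prefix with L and A set."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0,
                         router_lifetime, 0, 0)
    option = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen,
                         FLAG_ON_LINK | FLAG_AUTONOMOUS, valid, preferred, 0,
                         net.network_address.packed)
    return header + option

def parse_ra(data):
    """Return the router lifetime and the prefixes a receiving host would act on."""
    if len(data) < 16 or data[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack("!H", data[6:8])[0]
    prefixes, off = [], 16
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated option")
        opt_type, opt_len = data[off], data[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(data):
            raise ValueError("malformed option length")  # RFC 4861: discard the packet
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, flags, valid, _pref, _rsv, raw = struct.unpack(
                "!BBIII16s", data[off + 2:off + 32])
            prefixes.append({
                "prefix": ipaddress.IPv6Network((raw, plen), strict=False),
                "on_link": bool(flags & FLAG_ON_LINK),
                "autonomous": bool(flags & FLAG_AUTONOMOUS),
                "valid_lifetime": valid,
            })
        off += opt_len
    # A router lifetime of 0 means "do not use me as a default router".
    return {"default_route": router_lifetime > 0,
            "router_lifetime": router_lifetime, "prefixes": prefixes}

def slaac_address(prefix, mac):
    """Modified EUI-64 address a guest with this MAC would form in a /64 prefix."""
    b = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid)
```

Feeding parse_ra the ICMPv6 payload of an RA captured on the instance's interface shows whether the network is still isolated: default_route should be False while the subnet's prefix appears with on_link and autonomous set.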
John Davidge (john-davidge) wrote :

To get router advertisements, create a neutron router and add an interface to your subnet.

Changed in neutron:
status: New → Invalid
Dustin Lundquist (dlundquist) wrote :

John,

An isolated IPv6 network is a valid use case. There are a number of reasons why a user might want an IPv6 network without it being connected to a larger network through a router. I discovered this when trying to configure an IPv6-only network between an Octavia controller and its amphora. Another case would be between a web application tier and a database tier: by not providing egress capability from the database tier, this provides additional security in depth against unauthorized code running on the database node joining a botnet.
