IPv6 DAD failure due to hairpinning

Bug #1251235 reported by Sean M. Collins on 2013-11-14
Affects: OpenStack Compute (nova)
Importance: High
Assigned to: Sean M. Collins

Bug Description

LibvirtGenericVIFDriver, when using the hybrid bridge method of plugging instances, needs to disable hairpinning to prevent IPv6 ICMPv6 packets from being sent back to the instance, which will cause IPv6 configuration to fail, because the instance will believe that the address it has configured has already been used.

Matt Riedemann (mriedem) on 2013-11-17
tags: added: ipv6 libvirt
Changed in nova:
status: New → In Progress
assignee: nobody → Sean M. Collins (scollins)
Ian Wells (ijw-ubuntu) wrote :

See comments on patch review - largely, that it should be turned off for Neutron, not turned off for ipv6. It serves a purpose in nova-network, and only in nova-network. It's pointless for ipv4 and ipv6 both.

Matt Riedemann (mriedem) wrote :

Sean, I see you abandoned the patch with a comment that the generic libvirt vif driver should be used instead. Is this bug invalid now?

Sean M. Collins (scollins) wrote :

I think it's still a valid bug - the Hybrid OVS driver breaks IPv6 in strange ways - the "real" fix is probably to document the problem if someone else hits it - so that nobody misconfigures Nova like we did.

Sean M. Collins (scollins) wrote :

For us, just changing the VIF driver from LibvirtHybridOVSBridgeDriver to the generic driver fixed our issue with IPv6. We didn't need the HybridOVS driver, since we're using Neutron and Neutron's Security Group API, not Nova's.

Sean M. Collins (scollins) wrote :

There's one snag with using the VIF driver that doesn't create a bridge interface - you end up not having a functional security groups API. I plan on re-opening the review, since we require working security groups, as well as IPv6 functionality. (https://bugs.launchpad.net/devstack/+bug/1252620)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/58671

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/58672

Sean M. Collins (scollins) wrote :

Sorry for the noise - the ChangeId was getting munged when I amended the commit.

The review is located at

https://review.openstack.org/#/c/56381/

Ian Wells (ijw-ubuntu) wrote :

OK, so we're splitting this into two bits, one in Nova (hairpinning will be disabled when Neutron says it should be on the port during plug time) and one in Neutron (Neutron plugins should pass that on as appropriate). This maintains default behaviour and allows Neutron plugins to disable it when they don't need it for the port rewrite rules.

Changed in nova:
importance: Undecided → High

Reviewed: https://review.openstack.org/56381
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=6b9f9e6e9ae2fcf5c733b261717775970a9a4f62
Submitter: Jenkins
Branch: master

commit 6b9f9e6e9ae2fcf5c733b261717775970a9a4f62
Author: Sean M. Collins <email address hidden>
Date: Thu Nov 14 08:18:58 2013 -0500

    LibVirt: Disable hairpin when using Neutron

    When hairpinning is enabled, ICMPv6 messages that handle
    duplicate address detections return to the instance, causing IPv6
    SLAAC configuration to fail

    http://tools.ietf.org/html/rfc4862#section-5.4.3

    Closes-Bug: #1251235

    Change-Id: I65e1d40d33d6291bfd5558c7c346fc5fbf92cc56

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2014-03-05
Changed in nova:
milestone: none → icehouse-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-04-17
Changed in nova:
milestone: icehouse-3 → 2014.1
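
A host-side check for the condition this bug describes, as an added example that is not part of the original report or of Nova's code: it lists Linux bridge ports that have hairpin mode enabled by reading `brport/hairpin_mode` under sysfs. The device names in the sample tree are constructed, and `build_sample_tree` is a hypothetical helper so the check can be run offline.

```python
import os


def hairpin_ports(sysfs_root="/sys"):
    """Return sorted (bridge, port) pairs for bridge ports with hairpin mode on."""
    net_dir = os.path.join(sysfs_root, "class", "net")
    found = []
    if not os.path.isdir(net_dir):
        return found
    for port in sorted(os.listdir(net_dir)):
        brport = os.path.join(net_dir, port, "brport")
        try:
            with open(os.path.join(brport, "hairpin_mode")) as fh:
                enabled = fh.read().strip() == "1"
        except OSError:
            continue  # not a bridge port, or the device vanished mid-scan
        if not enabled:
            continue
        # brport/bridge is a symlink to the bridge device that owns this port
        link = os.path.join(brport, "bridge")
        bridge = os.path.basename(os.path.realpath(link)) if os.path.exists(link) else "?"
        found.append((bridge, port))
    return found


def build_sample_tree(root):
    """Constructed sample: br-test with tap-test (hairpin on) and veth-test (off)."""
    net = os.path.join(root, "class", "net")
    for dev in ("br-test", "tap-test", "veth-test", "eth0"):
        os.makedirs(os.path.join(net, dev))
    for port, mode in (("tap-test", "1"), ("veth-test", "0")):
        brport = os.path.join(net, port, "brport")
        os.mkdir(brport)
        with open(os.path.join(brport, "hairpin_mode"), "w") as fh:
            fh.write(mode + "\n")
        os.symlink(os.path.join("..", "..", "br-test"), os.path.join(brport, "bridge"))
    return root


if __name__ == "__main__":
    # On a compute host this reads the live /sys tree.
    for bridge, port in hairpin_ports():
        print(f"hairpin enabled: bridge={bridge} port={port}")
```

A port reported here can reflect an instance's own Neighbor Solicitation back to it, which the instance treats as a duplicate address during DAD.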