IPv6 DAD failure due to hairpinning

Bug #1251235 reported by Sean M. Collins
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: High
Assigned to: Sean M. Collins

Bug Description

LibvirtGenericVIFDriver, when using the hybrid bridge method of plugging instances, needs to disable hairpinning to prevent IPv6 ICMPv6 packets from being sent back to the instance, which will cause IPv6 configuration to fail, because the instance will believe that the address it has configured has already been used.

Tags: libvirt ipv6
Sean M. Collins (scollins) wrote :
Matt Riedemann (mriedem)
tags: added: ipv6 libvirt
Changed in nova:
status: New → In Progress
assignee: nobody → Sean M. Collins (scollins)
Ian Wells (ijw-ubuntu) wrote :

See comments on patch review - largely, that it should be turned off for Neutron, not turned off for ipv6. It serves a purpose in nova-network, and only in nova-network. It's pointless for ipv4 and ipv6 both.

Matt Riedemann (mriedem) wrote :

Sean, I see you abandoned the patch with a comment that the generic libvirt vif driver should be used instead. Is this bug invalid now?

Sean M. Collins (scollins) wrote :

I think it's still a valid bug - the Hybrid OVS driver breaks IPv6 in strange ways - the "real" fix is probably to document the problem if someone else hits it - so that nobody misconfigures Nova like we did.

Sean M. Collins (scollins) wrote :

For us, just changing the VIF driver from LibvirtHybridOVSBridgeDriver to the generic driver fixed our issue with IPv6. We didn't need the HybridOVS driver, since we're using Neutron and Neutron's Security Group API, not Nova's.

Sean M. Collins (scollins) wrote :

There's one snag with using the VIF driver that doesn't create a bridge interface - you end up not having a functional security groups API. I plan on re-opening the review, since we require working security groups, as well as IPv6 functionality. (https://bugs.launchpad.net/devstack/+bug/1252620)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/58670

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/58671

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/58672

Sean M. Collins (scollins) wrote :

Sorry for the noise - the ChangeId was getting munged when I amended the commit.

The review is located at

https://review.openstack.org/#/c/56381/

Ian Wells (ijw-ubuntu) wrote :

OK, so we're splitting this into two bits, one in Nova (hairpinning will be disabled when Neutron says it should be on the port during plug time) and one in Neutron (Neutron plugins should pass that on as appropriate). This maintains default behaviour and allows Neutron plugins to disable it when they don't need it for the port rewrite rules.

Sean M. Collins (scollins) wrote :
Changed in nova:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/56381
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=6b9f9e6e9ae2fcf5c733b261717775970a9a4f62
Submitter: Jenkins
Branch: master

commit 6b9f9e6e9ae2fcf5c733b261717775970a9a4f62
Author: Sean M. Collins <email address hidden>
Date: Thu Nov 14 08:18:58 2013 -0500

    LibVirt: Disable hairpin when using Neutron

    When hairpinning is enabled, ICMPv6 messages that handle
    duplicate address detections return to the instance, causing IPv6
    SLAAC configuration to fail

    http://tools.ietf.org/html/rfc4862#section-5.4.3

    Closes-Bug: #1251235

    Change-Id: I65e1d40d33d6291bfd5558c7c346fc5fbf92cc56

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → icehouse-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: icehouse-3 → 2014.1
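
The merged commit ties the DAD failure to hairpin mode on the instance's bridge port. As an added example (not code from nova or from this bug report), the script below lists the bridge ports on a Linux host that still have hairpin enabled by reading the kernel's brport/hairpin_mode sysfs attribute. The function names and the optional sysfs-root argument are assumptions of the example.

```python
#!/usr/bin/env python3
"""List Linux bridge ports that have hairpin mode enabled."""
import os
import sys

SYSFS_NET = "/sys/class/net"  # standard sysfs location on Linux


def hairpin_ports(sysfs_net=SYSFS_NET):
    """Return sorted (bridge, port) pairs whose hairpin_mode reads 1.

    Every interface enslaved to a Linux bridge has a brport/ directory
    holding hairpin_mode ("0" or "1") and a "bridge" symlink that
    points at the owning bridge device.
    """
    found = []
    for iface in sorted(os.listdir(sysfs_net)):
        brport = os.path.join(sysfs_net, iface, "brport")
        try:
            with open(os.path.join(brport, "hairpin_mode")) as fh:
                enabled = fh.read().strip() == "1"
        except OSError:
            # Not a bridge port, a plain file such as bonding_masters,
            # or an interface that disappeared during the scan.
            continue
        if enabled:
            owner = os.path.realpath(os.path.join(brport, "bridge"))
            found.append((os.path.basename(owner), iface))
    return sorted(found)


def main(argv):
    # Hypothetical convenience: an alternate sysfs root as argv[1].
    root = argv[1] if len(argv) > 1 else SYSFS_NET
    ports = hairpin_ports(root)
    for bridge, port in ports:
        # On such a port the instance's own duplicate address detection
        # messages come back to it, which is the failure reported here.
        print(f"hairpin enabled: bridge={bridge} port={port}")
    return 1 if ports else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is 1 when any port has hairpin enabled, so the script can gate a host health check.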