Comment 1 for bug 1463911

SecurityFun23 (securityfun23) wrote :

This issue is documented in more detail in the following old question: https://ask.openstack.org/en/question/43063/ipv6-fragmentationmtu-issue-on-icehouseubuntu-1404/

We have also seen this issue in our lab using Ubuntu 14.04 and RHEL 6. As far as we can tell, the proposed kernel patch has not been implemented in any of the current Linux kernel load lines (it's possible that a different patch than the one referenced in the bug report could have been applied, but if that's the case the fix has not made it into the latest Ubuntu 14.04 or RHEL 6 kernels).

The underlying issue is that IPv6 fragmented packets are being re-assembled as part of the ip6tables inspection performed by the "neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver" driver. This inspection occurs on the Linux bridge layer, and it appears that once the packets have been re-assembled they are too big to be sent out of the bridge to the next interface. A better behavior would be to re-fragment the IPv6 packet, or to store and then send the original fragments.

This issue does not impact TCP in IPv6, since IPv6 does not fragment packets in the network, just at the endpoints, and TCP will never create IP fragments. However, UDP and ICMP are both impacted by this issue. This means that IPv6 is essentially broken when the standard "neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver" driver is used. If the NOOP driver is used, or if the "net.bridge.bridge-nf-call-ip6tables = 0" option is set in /etc/sysctl.conf to disable ip6tables on bridges, then IPv6 will operate properly. However, in that case Neutron Security Groups and default Neutron security rules will have no impact on IPv6 packets.

Possible solutions are to get a fix for this put into the Linux Kernel, or to modify the "OVSHybridIptablesFirewallDriver" so that it does not trigger re-assembly (if this is even possible).
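As an added example (not part of the bug report or of Neutron itself), the following POSIX shell script classifies a compute node's IPv6 security-group posture from the two settings the comment discusses: the bridge-nf-call-ip6tables sysctl and the configured firewall_driver. The config snippet is constructed, and the live file paths in the trailing comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: classify a node's IPv6
# security-group posture from the two settings the comment discusses.
# Values are passed as arguments so the logic runs offline against
# constructed input; the live paths at the bottom are assumptions.

# Read firewall_driver from an ini-style neutron config on stdin.
# Commented-out lines ("# firewall_driver = ...") are ignored.
firewall_driver_from_ini() {
    sed -n 's/^[[:space:]]*firewall_driver[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# $1 = net.bridge.bridge-nf-call-ip6tables (0 or 1), $2 = firewall_driver.
# Prints a short posture code:
#   sg-enforced-fragments-broken  ip6tables runs on the bridge: security
#                                 groups cover IPv6, but re-assembled IPv6
#                                 UDP/ICMP fragments are dropped (this bug)
#   ipv6-unfiltered               the sysctl workaround: IPv6 flows, but
#                                 security groups no longer filter it
#   noop-unfiltered               NoopFirewallDriver: nothing is filtered
#   unknown                       driver not recognised
ipv6_sg_posture() {
    case "$2" in
        *OVSHybridIptablesFirewallDriver)
            if [ "$1" = "1" ]; then
                echo "sg-enforced-fragments-broken"
            else
                echo "ipv6-unfiltered"
            fi ;;
        *NoopFirewallDriver) echo "noop-unfiltered" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed config: a commented-out noop line followed by the real driver.
demo_posture() {
    cfg='[securitygroup]
# firewall_driver = neutron.agent.firewall.NoopFirewallDriver
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver'
    drv=$(printf '%s\n' "$cfg" | firewall_driver_from_ini)
    ipv6_sg_posture 1 "$drv"
}

# Live check on a node (paths are assumptions; adjust to your deployment):
#   ipv6_sg_posture "$(cat /proc/sys/net/bridge/bridge-nf-call-ip6tables)" \
#       "$(firewall_driver_from_ini < /etc/neutron/plugins/ml2/ml2_conf.ini)"
```

The point of the check is auditing: a node reporting "ipv6-unfiltered" has the workaround applied and its security groups no longer apply to IPv6 traffic.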