diff --git a/bindep.txt b/bindep.txt index 7f2f0be4197..cabb10f8264 100644 --- a/bindep.txt +++ b/bindep.txt @@ -28,3 +28,6 @@ haproxy keepalived iproute-tc [platform:rpm] + +# Provide ndsend command, used to send IPv6 Neighbor Discovery packets +vzctl [platform:dpkg] diff --git a/doc/source/admin/config-bgp-dynamic-routing.rst b/doc/source/admin/config-bgp-dynamic-routing.rst index 698429eaad9..bc5e67e421f 100644 --- a/doc/source/admin/config-bgp-dynamic-routing.rst +++ b/doc/source/admin/config-bgp-dynamic-routing.rst @@ -823,6 +823,8 @@ assist with verifying operation of the BGP speaker. | 87cf2970-4970-462e-939e-00e802281dfa | | fa:16:3e:6b:18:e0 | ip_address='203.0.113.14', subnet_id='8ed65d41-2b2a-4f3a-9f92-45adb266e01a' | +--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------------------------+ +.. _config-bgp-dynamic-routing-for-ipv6: + IPv6 ~~~~ diff --git a/doc/source/admin/config-ipv6.rst b/doc/source/admin/config-ipv6.rst index aa377a17e75..7481e79c69b 100644 --- a/doc/source/admin/config-ipv6.rst +++ b/doc/source/admin/config-ipv6.rst @@ -485,6 +485,8 @@ endpoints can be accessed via an IPv6 network. At this time, Open vSwitch (OVS) tunnel types - STT, VXLAN, GRE, support both IPv4 and IPv6 endpoints. +.. _prefix-delegation: + Prefix delegation ~~~~~~~~~~~~~~~~~ diff --git a/doc/source/admin/config-ndp-proxy.rst b/doc/source/admin/config-ndp-proxy.rst new file mode 100644 index 00000000000..e6897793b8b --- /dev/null +++ b/doc/source/admin/config-ndp-proxy.rst 
@@ -0,0 +1,320 @@ +.. _config-ndp-proxy: + +========= +NDP proxy +========= + +If NDP proxy is set on a router, it is used to publish IPv6 addresses to +external routers. Its purpose is similar to floating IP, but it forwards the +traffic directly by using route rules and has no NAT action. Read the related +`specification `_ +for more details. + + +Configuration of NDP proxy +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To configure NDP proxy, take the following steps: + +* On the controller nodes: + + Add the ``ndp_proxy`` service to the ``service_plugins`` setting in + ``/etc/neutron/neutron.conf``. For example: + + .. code-block:: none + + service_plugins = router,ndp_proxy + + .. note:: + + The ``router`` service plug-in has to be configured along with the + ``ndp_proxy`` service plug-in + +* On the network nodes or the compute nodes (for the dvr mode router): + + Set the ``extensions`` option in the ``[agent]`` section of + ``/etc/neutron/l3_agent.ini`` to include ``ndp_proxy``. This has to be + done in each network and compute node where the L3 agent is running. For + example: + + .. code-block:: none + + extensions = ndp_proxy + +.. note:: + + After updating the options in the configuration files, the neutron-server + and every neutron-l3-agent need to be restarted for the new values to take + effect. + + After configuring ndp proxy, the ``ndp-proxy`` extension alias will be + included in the output of the following command: + + For api extension: + + .. code-block:: console + + $ openstack extension list --network + + For agent extension: + + .. code-block:: console + + $ openstack network agent show + +.. note:: + + We Introduced a new command ``ndsend`` for NDP proxy feature, the command can + send Neighbor Advertisement about IPv6 to upstream router. With this command, + we can make the upstream router rapidly perceive the change of internal IPv6 + address (such as, port migrated to other node). Read the + `manual page `_ + for more details about this command. 
+ + Currently, you need install this command manually in every l3 agent node. For + ubuntu, the command provided by ``vzctl`` pkg, the install command: + ``sudo apt install vzctl``. + +* On the upstream router (The datacenter's physical router): + + Generally, the admin operator should plan one or more IPv6 subnetpools to use + when NDP proxy is enabled, so that all internal subnets can be allocated from + a single, integrated subnetpool. In order to make NDP proxy work correctly, + the admin operator needs to set direct routes for these subnetpools. + + Such as, we have a IPv6 subnetpool, it's CIDR is 2001::/96. The direct route + like below should be set: + + .. code-block:: none + + 2001::/96 dev + + The ``ext-gw`` is the gateway interface of the cloud's external network. + + +User workflow +~~~~~~~~~~~~~ + +Assume the admin operator already prepared an IPv6 subnetpool: +``test-subnetpool``, its CIDR is 2001::/96. + +At a high level, the basic steps to publish an IPv6 address to external +network (such as: public network) are the following: + +1、Create a router and enable its external gateway +2、Set the router's ``enable_ndp_proxy`` parameter to True +3、Create a internal network and create a IPv6 subnet on it +4、Add the subnet to the router +5、Launch an instance on the network +6、Create a ndp proxy for the instance's port + +* Create a router: + + .. 
code-block:: console + + $ openstack router create test-router + +-------------------------+--------------------------------------+ + | Field | Value | + +-------------------------+--------------------------------------+ + | admin_state_up | UP | + | availability_zone_hints | | + | availability_zones | | + | created_at | 2022-01-01T06:50:44Z | + | description | | + | distributed | False | + | enable_ndp_proxy | False | + | external_gateway_info | null | + | flavor_id | None | + | ha | False | + | id | 3aab8554-e5c4-4262-ab95-b92857c641de | + | name | test-router | + | project_id | bcb0c7a5338b4a46959e47971c58f0f1 | + | revision_number | 1 | + | routes | | + | status | ACTIVE | + | tags | | + | updated_at | 2022-01-01T06:50:44Z | + +-------------------------+--------------------------------------+ + +* Set external gateway for the router: + + .. code-block:: console + + $ openstack router set test-router --external-gateway public + + + .. note:: + + If the external network has no IPv6 subnet and the ``ipv6_gateway`` is + configured on the ``neutron-l3-agent``, you may want to set + ``use_lla_address`` to True at ``/etc/neutron/neutron.conf``, otherwise + The following command will raise a 403 error. + +* Enable ndp proxy support on the router: + + .. code-block:: console + + $ openstack router set test-router --enable-ndp-proxy + + .. warning:: + + If you are using another method (such as: + :ref:`BGP `, + :ref:`prefix-delegation` etc.) to publish the internal IPv6 address, the + command will break dataplane traffic. + +* Create internal network and IPv6 subnet and add the subnet to above router: + + .. 
code-block:: console + + $ openstack network create int-net + +---------------------------+--------------------------------------+ + | Field | Value | + +---------------------------+--------------------------------------+ + | admin_state_up | UP | + | availability_zone_hints | | + | availability_zones | | + | created_at | 2022-01-01T07:11:08Z | + | description | | + | dns_domain | None | + | id | e527b38e-9e2a-439b-adf8-4ee1aa4f03b1 | + | ipv4_address_scope | None | + | ipv6_address_scope | None | + | is_default | False | + | is_vlan_transparent | None | + | mtu | 1450 | + | name | int-net | + | port_security_enabled | True | + | project_id | bcb0c7a5338b4a46959e47971c58f0f1 | + | provider:network_type | vxlan | + | provider:physical_network | None | + | provider:segmentation_id | 575 | + | qos_policy_id | None | + | revision_number | 1 | + | router:external | Internal | + | segments | None | + | shared | False | + | status | ACTIVE | + | subnets | | + | tags | | + | updated_at | 2022-01-01T07:11:08Z | + +---------------------------+--------------------------------------+ + $ openstack subnet create --network int-net --subnet-pool test-subnetpool \ + --prefix-length 112 --ip-version 6 \ + --ipv6-ra-mode dhcpv6-stateful \ + --ipv6-address-mode dhcpv6-stateful int-sub + +----------------------+--------------------------------------+ + | Field | Value | + +----------------------+--------------------------------------+ + | allocation_pools | 2001::2-2001::ffff | + | cidr | 2001::/112 | + | created_at | 2022-01-02T08:20:26Z | + | description | | + | dns_nameservers | | + | dns_publish_fixed_ip | None | + | enable_dhcp | True | + | gateway_ip | 2001::1 | + | host_routes | | + | id | 9bcf194c-d44f-4e6f-90da-98510ddef283 | + | ip_version | 6 | + | ipv6_address_mode | dhcpv6-stateful | + | ipv6_ra_mode | dhcpv6-stateful | + | name | int-sub | + | network_id | e527b38e-9e2a-439b-adf8-4ee1aa4f03b1 | + | project_id | bcb0c7a5338b4a46959e47971c58f0f1 | + | revision_number | 0 | 
+ | segment_id | None | + | service_types | | + | subnetpool_id | 73c5311c-6750-43f5-9a69-b50c1c5694fd | + | tags | | + | updated_at | 2022-01-02T08:20:26Z | + +----------------------+--------------------------------------+ + $ openstack router add subnet test-router int-sub + +* Launch an instance: + + .. code-block:: console + + $ openstack server create --flavor m1.tiny --image cirros-0.5.2-x86_64-disk --network int-net test-server + +-------------------------------------+-----------------------------------------------------------------+ + | Field | Value | + +-------------------------------------+-----------------------------------------------------------------+ + | OS-DCF:diskConfig | MANUAL | + | OS-EXT-AZ:availability_zone | | + | OS-EXT-SRV-ATTR:host | None | + | OS-EXT-SRV-ATTR:hypervisor_hostname | None | + | OS-EXT-SRV-ATTR:instance_name | | + | OS-EXT-STS:power_state | NOSTATE | + | OS-EXT-STS:task_state | scheduling | + | OS-EXT-STS:vm_state | building | + | OS-SRV-USG:launched_at | None | + | OS-SRV-USG:terminated_at | None | + | accessIPv4 | | + | accessIPv6 | | + | addresses | | + | adminPass | 97UvRLgdFozR | + | config_drive | | + | created | 2022-01-02T08:22:35Z | + | flavor | m1.tiny (1) | + | hostId | | + | id | 189a104c-36cd-479a-8702-8111eb34fdb6 | + | image | cirros-0.5.2-x86_64-disk (2b2d2975-7ffc-463b-8c0e-993122f38b77) | + | key_name | None | + | name | test-server | + | progress | 0 | + | project_id | bcb0c7a5338b4a46959e47971c58f0f1 | + | properties | | + | security_groups | name='default' | + | status | BUILD | + | updated | 2022-01-02T08:22:34Z | + | user_id | 27e0947bb4fe47e4981da31d4a18ddf7 | + | volumes_attached | | + +-------------------------------------+-----------------------------------------------------------------+ + +* Create ndp proxy for the instance's port: + + Query the port of the instance + + .. 
code-block:: console + + $ openstack port list --server test-server + +--------------------------------------+------+-------------------+--------------------------------------------------------------------------+--------+ + | ID | Name | MAC Address | Fixed IP Addresses | Status | + +--------------------------------------+------+-------------------+--------------------------------------------------------------------------+--------+ + | bdd64aa0-437a-4db6-bbca-99869426c908 | | fa:16:3e:ac:15:b8 | ip_address='2001::284', subnet_id='9bcf194c-d44f-4e6f-90da-98510ddef283' | ACTIVE | + +--------------------------------------+------+-------------------+--------------------------------------------------------------------------+--------+ + + Create ndp proxy for the port + + .. code-block:: console + + $ openstack network ndp proxy create --router test-router --port bdd64aa0-437a-4db6-bbca-99869426c908 test-np + +-----------------+--------------------------------------+ + | Field | Value | + +-----------------+--------------------------------------+ + | created_at | 2022-01-02T08:25:31Z | + | description | | + | id | 73889fee-e322-443f-941e-142e4fc5f898 | + | ip_address | 2001::284 | + | name | test-np | + | port_id | bdd64aa0-437a-4db6-bbca-99869426c908 | + | project_id | bcb0c7a5338b4a46959e47971c58f0f1 | + | revision_number | 0 | + | router_id | 3aab8554-e5c4-4262-ab95-b92857c641de | + | updated_at | 2022-01-02T08:25:31Z | + +-----------------+--------------------------------------+ + +* Then ping the port's address from upstream router + + .. code-block:: console + + $ ping 2001::284 + PING 2001::284(2001::284) 56 data bytes + 64 bytes from 2001::284: icmp_seq=1 ttl=64 time=0.365 ms + 64 bytes from 2001::284: icmp_seq=2 ttl=64 time=0.385 ms + + +Known limitations +~~~~~~~~~~~~~~~~~ + +* OVN backend is not supported diff --git a/doc/source/admin/config.rst b/doc/source/admin/config.rst index ba2fda629ab..4a617b96614 100644 --- a/doc/source/admin/config.rst 
+++ b/doc/source/admin/config.rst @@ -24,6 +24,7 @@ Configuration config-logging config-macvtap config-mtu + config-ndp-proxy config-network-segment-ranges config-ovs-dpdk config-ovs-offload diff --git a/releasenotes/notes/l3-ndp-proxy-397de144813f9396.yaml b/releasenotes/notes/l3-ndp-proxy-397de144813f9396.yaml new file mode 100644 index 00000000000..b80e6461a87 --- /dev/null +++ b/releasenotes/notes/l3-ndp-proxy-397de144813f9396.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Support for IPv6 NDP proxy has been added. Read the related + `specification `_ + for more details.
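Review bot: In the bindep.txt hunk, the new `vzctl [platform:dpkg]` entry only covers dpkg platforms, while the config-ndp-proxy.rst added in this patch says `ndsend` has to be present on every L3 agent node. Either add an equivalent entry for rpm platforms (the hunk's context already carries an rpm-only line, `iproute-tc [platform:rpm]`) or say in the comment how rpm-based nodes are expected to get the command. The comment could also state that the whole `vzctl` package is pulled in for this one binary, so anyone auditing the dependency list knows why it is there.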
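Review bot: In the config-ipv6.rst hunk, the new label `prefix-delegation` is not prefixed with the document name, unlike `config-bgp-dynamic-routing-for-ipv6` and `config-ndp-proxy` added elsewhere in this patch. Sphinx labels share one namespace across the whole documentation tree, so a short generic name is more likely to collide with a label on another page. Consider `config-ipv6-prefix-delegation`, and update the `:ref:` in the warning in config-ndp-proxy.rst to match.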
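Review bot: In config-ndp-proxy.rst, the sample output under "Launch an instance" includes a literal `adminPass` value (`| adminPass | 97UvRLgdFozR |`); replace it with a placeholder or drop the row so the guide does not carry a credential copied from a live deployment. The example pool `2001::/96` is outside the IPv6 documentation prefix; `2001:db8::/32` (RFC 3849) is reserved for examples, in the same way the BGP guide's context line uses 203.0.113.14 for IPv4. The high-level steps use `1、` to `6、` as markers, which reStructuredText does not treat as an enumerated list, so the six steps will render as one paragraph; use `1.` to `6.`. The warning that `--enable-ndp-proxy` "will break dataplane traffic" when BGP or prefix delegation already publishes the addresses would be more useful if it told the operator what to check before running the command.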
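Review bot: In releasenotes/notes/l3-ndp-proxy-397de144813f9396.yaml, the `features` entry says nothing about what an operator has to do or know before using the feature. The admin guide added in this patch says the `ndp_proxy` service plug-in and L3 agent extension must be enabled, that `ndsend` currently has to be installed manually on every L3 agent node, and that the OVN backend is not supported. A sentence listing those points, or pointing at the new guide, would let the note stand on its own.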