Add support for radvd to Neutron, and use radvd as the preferred reference implementation for IPv6 Router Advertisements and SLAAC. [RADVD] is open-source software that implements advertisements of IPv6 router addresses and IPv6 routing prefixes using NDP.
Router Advertisements (RAs) are fundamental to the IPv6 Neighbor Discovery standard [RFC_4861]. Without radvd, Neutron would need to rely on dnsmasq for RA functionality, which has a number of shortcomings:
This proposal is intended to cover announcing RAs, providing the announcement information requested from the ipv6_ra_mode attribute.
If IPv6 is enabled, start a radvd process in the namespace of each router. Enable the Neutron L3 agent to support radvd configuration and updating.
The L3 agent will be updated to support radvd configuration based on the attributes of the subnets associated with the router. Since radvd is configured by a config file, the L3 agent will maintain a separate config file per router namespace. The radvd process will need to be restarted when a configuration is changed.
When a subnet is deleted, the associated radvd configuration needs to be updated so that the prefix is no longer advertised. The L3 agent will modify the config and restart the radvd process.
Some radvd settings will affect the configuration of DHCP. The DHCP agent will be updated to treat subnet attributes and configure dnsmasq so that is is compatible with how radvd is configured.
Reasonable default values for some radvd settings, like RA interval and lifetime, will be chosen in the first implementation. Follow-up bugs or feature requests can be filed to add Neutron config options for radvd settings.
We could use dnsmasq for RA and SLAAC support. The shortcomings of this are given in section Problem description.
No change to the API, but the user/admin should know how to use the two IPv6 addressing attributes [TWO_MODE] to configure subnets for IPv6 addressing.
|ipv6 ra mode||ipv6 address mode||radvd A,M,O||Description|
|N/S||N/S||Off||VM obtains IPv6 address based on non-OpenStack services on the network, or only creates a link-local address (not sourced by OpenStack).|
|N/S||slaac||Off||VM obtains IPv6 address from external router using SLAAC|
|N/S||dhcpv6- stateful||Off||VM obtains IPv6 address and optional info from dnsmasq using DHCPv6 stateful|
|N/S||dhcpv6- stateless||Off||VM obtains IPv6 address from external router using SLAAC and optional info from dnsmasq using DHCPv6 stateless|
|slaac||N/S||1,0,0||VM obtains IPv6 address from radvd using SLAAC|
|dhcpv6- stateful||N/S||0,1,1||VM obtains IPv6 address and optional info from external DHCPv6 server using DHCPv6 stateful|
|dhcpv6- stateless||N/S||1,0,1||VM obtains IPv6 address from radvd using SLAAC and optional info from external DHCPv6 server using DHCPv6 stateless|
|slaac||slaac||1,0,0||VM obtains IPv6 address from OpenStack radvd using SLAAC|
|dhcpv6- stateful||dhcpv6- stateful||0,1,1||VM obtains IPv6 address from dnsmasq using DHCPv6 stateful and optional info from dnsmasq using DHCPv6 stateful|
|dhcpv6- stateless||dhcpv6- stateless||1,0,1||VM obtains IPv6 address from radvd using SLAAC and optional info from dnsmasq using DHCPv6 stateless|
|slaac||dhcpv6- stateful||Invalid combination|
|slaac||dhcpv6- stateless||Invalid combination|
|dhcpv6- stateful||slaac||Invalid combination|
|dhcpv6- stateful||dhcpv6- stateless||Invalid combination|
|dhcpv6- stateless||slaac||Invalid combination|
|dhcpv6- stateless||dhcpv6- stateful||Invalid combination|
N/S = Not Specified
There is no security impact directly related to radvd, but it should be noted that the default security group settings for IPv6 interfaces allow RAs from Neutron routers and/or from the subnet’s default gateway.
This change introduces one radvd instance per router namespace that is created by neutron. The radvd instances may load new configuration data when interfaces are added into or removed from the namespaces. Significant system performance degradation is not expected.
Note: For each SLAAC-enabled subnet, the Neutron L3 Agent will need to either detect or anticipate which specific IPv6 address is generated by each host. Note that for the initial release of IPv6 in OpenStack, the ability to anticipate or derive each SLAAC-generated address was added with the change set for [BP_PV_SLAAC]. This algorithm assumes that interface IDs used in forming addresses are generated using EUI-64.
Full unit test coverage.
Look into the feasibilty of adding functional tests. (Not currently considered essential.)
Add tempest tests like:
API tests for network/subnet create for each of the modes (see [API_TESTS]):
- unspec/unspec, SLAAC/SLAAC, stateful/stateful, stateless/stateless
Scenario ping test for SLAAC/SLAAC, stateful/stateful, stateless/stateless
How to configure IPv6 addressing. Overview for Neutron and specifically for subnets.
|[RADVD]||(1, 2) Linux IPv6 Router Advertisement Daemon (radvd)|
|[BP_2ATTR]||Two Attributes Proposal to Control IPv6 RA Announcement and Address Assignment|
|[RFC_4861]||Neighbor Discovery for IP version 6 (IPv6)|
|[TWO_MODE]||IPv6 Two Modes v3.0.pdf|
|[BP_PV_SLAAC]||Provider Networking - upstream SLAAC support|
|[BP_CONSL3]||L3 agent consolidation|
|[API_TESTS]||Add IPv6 API test cases for Neutron Subnet API|
|[PV_SG_RA]||Router RA rule need to be updated when router is created after VM port|