[RFE] - OVN Distributed routing + IPv6 support
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron | In Progress | Wishlist | Unassigned | | |
Bug Description
Hi,
Currently, DVR support for IPv4 FIP addresses works perfectly with OVN. However, I would like to ask whether it is possible to extend this behavior to IPv6 addresses. When I talk about IPv6 addresses, I'm referring to the GUA addresses that are allocated to VMs (e.g., considering an OpenStack deployment).
-------
Adding a use case context:
For DVR to be enabled properly, the provider networks must be stretched over the Underlay Network and each Compute Node would have the bridge for external traffic. In an L3 Leaf-Spine Underlay, for example, the network to be reached is for the Underlay Network to be able to stretch an L2 domain (VLAN) via VXLAN as data plane and BGP EVPN as control plane. In this solution, the Leaf switches would need to work as HW VTEP Gateways to initiate and terminate the VXLAN tunnels and use BGP EVPN to learn and advertise the MAC addresses from the Compute Node’s provider network.
The common reference architecture is detailed in [picture 1] and the design for the DVR+FRR solution (IPv4/IPv6) is detailed in [picture 2].
-------
What's the problem? Well, inbound traffic to a GUA address goes through the chassis where the router's external port resides.
Looking at the DVR implementation for IPv4, I see that the solution is heavily based on the idea of NAT.
However, OVN/OVS supports the same idea of distributed routing for both IPv4 and IPv6. After the discussion in this thread [1], we now know that DVR for IPv6 is supported by OVN with some special NAT rule.
To be clear, we need to insert a NAT rule for the GUA addresses that are allocated to VMs (OVN/OVS understands an IPv6 GUA as a FIP). Even though it is a global address, the ovn-controller running on the chassis needs this rule to start responding to GARPs (IPv4 - FIP) and neighbor advertisements (for IPv6).
Any ideas on how best to integrate this into neutron? A NAT rule for the VM logical_port with external IP equal to the internal IP (IPv6 GUA <-> IPv6 GUA).
In this case, we need to add a rule like this:
# ovn-nbctl lr-nat-add <logical_router> dnat_and_snat <VM GUA> <VM GUA> <VM logical port> <SOME CHOSEN RANDOM MAC>
The EXTERNAL_IP and LOGICAL_IP used in the NAT rule are the same (i.e. the VM GUA). If we add an entry like this, OVN should add logical flows to respond to IPv6 NS requests for the VM GUA.
For example:
The VM has the IPv6 GUA => 2001:db8:1234::140
Some steps to make it work with OVN.
1 - List the logical port of the VM
#ovn-sbctl list port_binding
_uuid : 31b752fe-
chassis : b68e7803-
datapath : 46a6e556-
encap : []
external_ids : {"neutron:
gateway_chassis : []
ha_chassis_group : []
logical_port : "ae528d1a-
mac : ["fa:16:3e:c4:15:40 192.168.0.120 2001:db8:
nat_addresses : []
options : {mcast_
parent_port : []
requested_chassis : b68e7803-
tag : []
tunnel_key : 4
type : ""
up : true
virtual_parent : []
logical_port : "ae528d1a-
2 - Discover the logical router ID
#ovn-nbctl list logical_router
_uuid : 84afed40-
copp : []
enabled : true
external_ids : {"neutron:
load_balancer : []
load_balancer_group : []
name : neutron-
nat : [1ce157ff-
options : {always_
policies : []
ports : [2c0e31ff-
static_routes : [7159024a-
3 - Insert the new NAT rule for GUA, like this:
ovn-nbctl lr-nat-add 84afed40-
In this example we use a random MAC fa:16:3e:c4:aa:bb
After that, we can see that the neighbor solicitation/
Thanks,
Roberto
[picture 1]- https:/
[picture 2]- https:/
[1]-https:/
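The three steps in the report above, as an added dry-run sketch (not part of the original report, and not neutron or OVN project code): it pulls the IPv6 address from a port_binding `mac` column, checks that it is a global unicast address and that the chosen MAC is unicast, then prints the `lr-nat-add` command with the external and logical IP set to the same GUA. The record, router name and port name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the report): dry-run builder for the identity NAT rule.
# Router and port names are hypothetical; the sample record below is constructed.

SAMPLE_BINDING='logical_port        : "vm-port-example"
mac                 : ["fa:16:3e:c4:15:40 192.168.0.120 2001:db8:1234::140"]
type                : ""'

# Print each IPv6 address from the mac column of a port_binding record.
port_ipv6_addrs() (
  list=$(printf '%s\n' "$1" | sed -n 's/^mac[[:space:]]*:[[:space:]]*\["\(.*\)"]$/\1/p')
  first=1
  for tok in $list; do
    if [ "$first" = 1 ]; then first=0; continue; fi   # first token is the port MAC
    case $tok in *:*) printf '%s\n' "$tok" ;; esac     # IPv4 tokens have no colon
  done
)

# Succeed only for global unicast addresses (2000::/3).
is_gua() (
  h=${1%%:*}
  printf '%s' "$h" | grep -Eq '^[0-9A-Fa-f]{1,4}$' || exit 1
  [ $((0x$h)) -ge $((0x2000)) ] && [ $((0x$h)) -le $((0x3fff)) ]
)

# Succeed only for a well-formed unicast MAC (group bit of the first octet clear).
is_unicast_mac() (
  printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || exit 1
  [ $(( 0x${1%%:*} & 1 )) -eq 0 ]
)

# Print the lr-nat-add command with EXTERNAL_IP == LOGICAL_IP, or fail on bad input.
# Arguments: <logical_router> <VM logical port> <VM GUA> <MAC>
build_gua_nat_cmd() (
  is_gua "$3" || { echo "not a GUA: $3" >&2; exit 1; }
  is_unicast_mac "$4" || { echo "bad MAC: $4" >&2; exit 1; }
  printf 'ovn-nbctl lr-nat-add %s dnat_and_snat %s %s %s %s\n' "$1" "$3" "$3" "$2" "$4"
)

# Demo on the constructed record: prints the command, does not run it.
for addr in $(port_ipv6_addrs "$SAMPLE_BINDING"); do
  build_gua_nat_cmd router-example vm-port-example "$addr" fa:16:3e:c4:aa:bb
done
```

Link-local (fe80::/10) and ULA (fc00::/7) addresses are rejected, so the identity rule is only generated for addresses that are routable from the provider network.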
Changed in neutron: | |
importance: | Undecided → Wishlist |
tags: | added: rfe |
Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/867513