OpenStack Icehouse Over IPv6

Copyright ©2014 Nephos6. All Rights Reserved OpenStack Icehouse on IPv6 Shixiong Shang v1.3

description

Since my previous meetup presentation last Dec., a lot of progress has been made jointly by the Nephos6, Comcast, IBM, and Cisco teams to enable IPv6 in OpenStack Icehouse. In this session, we discussed the use cases we had tried to cover, the architectural design we had proposed and the solution being implemented. A demo was provided at the end of the session to showcase the IPv6 connectivity between a dual-stack VM and its default gateway using the recently released OpenStack Icehouse. This slide deck, "OpenStack Icehouse on IPv6", was presented on April 24 at Triangle OpenStack Meetups, sponsored by Cisco Systems, in the Raleigh-Durham area, NC, USA. We will periodically publish more slides to share our key findings or key learnings from other stackers or our customers with respect to OpenStack and IPv6. Stay tuned! Shixiong

Transcript of OpenStack Icehouse Over IPv6

OpenStack Icehouse on IPv6

Shixiong Shang v1.3

Agenda

§ Introduction
§ Overview
§ Use Cases
§ Design and Implementation
§ Demo
§ Next Steps

Introduction

§ Nephos6 – Founded in June, 2011
– Service assurance company
– Twitter: @Nephos6
– Web: http://www.nephos6.com

§ Shixiong Shang – Head of Engineering
– Twitter: @shshang
– Email: [email protected]

§ Ciprian Popoviciu – Founder, CEO
– IPv6 expert
– Twitter: @Nephos6
– Email: [email protected]

IPv6…? IPv6 NOW!

§ “The promise of Cloud cannot be fully met without IPv6” - Nephos6
§ “The Road To IPv6, Bumpy” - Paul Saab from Facebook, 2014 V6 World Congress in Paris
§ Facebook’s goal:
– 75% of internal traffic is now IPv6 with a goal to be at 100% by Q3 2014 or earlier
– First IPv6 only cluster (no RFC1918) by end of 2014
– 100% IPv6 only (no RFC1918) in 2-3 years

Overview

§ OpenStack Neutron IPv6 sub team.
§ Have been working with other stackers on a weekly basis
– Comcast, IBM, Cisco, etc.
§ Nephos6 main contributions:
– Proposed 4 + 1 blueprints
– Implemented 3 + 1 blueprints
– Submitted 400+ lines of Python source code plus 300+ lines of unit testing code
§ Target release: Icehouse in April, 2014
§ Status: Look forward to Juno….:)

Scope

§ Current main focuses:
– Router Advertisement and Address Assignment
‣ SLAAC
‣ DHCPv6 (Stateful and Stateless)
– Tenant network
‣ Public
‣ Private/Provider
§ Primary seven use cases
– Neutron Client (CLI + Dashboard): IBM and Cisco
– Neutron APIs: Comcast and IBM
– Database: Comcast
– Neutron DHCP Agent: Nephos6

IPv6 Address Auto-Configuration

|  | SLAAC* | DHCPv6* |
|---|---|---|
| IPv6 Address (non-link-local) | By exchanging Router Solicitation and Router Advertisement messages with neighboring routers. | From DHCPv6 server |
| Additional Information | None | From DHCPv6 server |
| Default Gateway | The only way to announce default route is using Router Advertisement! | (same as SLAAC) |
| Pros | Plug and play | IPv4-like approach, but better. More control |
| Cons | Doesn’t provide Hostname, DNS server, WINS, etc. | Operational overhead (extra DHCP server, HA, etc.) |

* Based on ICMPv6

Use Cases - Public Tenant Network

[Diagram: VM on the tenant network (inside), neutron router towards the external network side (outside). Provided by OpenStack.]

1. neutron router, VM. Router Advertisement; Address Assignment: SLAAC
2. neutron router, dhcpv6 server (stateful), VM. Router Advertisement; Address Assignment: DHCPv6 Stateful
3. neutron router, dhcpv6 server (stateless), VM. Router Advertisement; Address Assignment: DHCPv6 Stateless

Use Cases - Public Tenant Network

[Diagram: VM on the tenant network (inside), neutron router towards the external network side (outside). neutron router: Provided by OpenStack. dhcpv6 servers: Provided by customer.]

4. neutron router, dhcpv6 server (stateful), VM. Router Advertisement; Address Assignment: DHCPv6 Stateful
5. neutron router, dhcpv6 server (stateless), VM. Router Advertisement; Address Assignment: DHCPv6 Stateless

Use Cases - Provider Tenant Network

[Diagram: VM on the tenant network (inside), physical router towards the external network side (outside). physical router: Provided by customer. dhcpv6 servers: Provided by OpenStack.]

6. physical router, dhcpv6 server (stateful), VM. Router Advertisement; Address Assignment: DHCPv6 Stateful
7. physical router, dhcpv6 server (stateless), VM. Router Advertisement; Address Assignment: DHCPv6 Stateless

Use Cases - Private Tenant Network

[Diagram: VM on the tenant network (inside), physical switch, no external network side (outside). physical switch: Provided by customer. dhcpv6 servers: Provided by OpenStack.]

8. physical switch, dhcpv6 server (stateful), VM. Router Advertisement; Address Assignment: DHCPv6 Stateful
9. physical switch, dhcpv6 server (stateless), VM. Router Advertisement; Address Assignment: DHCPv6 Stateless

| Who Sends RA? | Who Assigns Address? | Network Type | OpenStack ipv6_ra_mode | OpenStack ipv6_address_mode | Description |
|---|---|---|---|---|---|
| external router (A=1, M=0, O=0) | external router |  | off | off | VM obtains IPv6 address from external router using SLAAC |
| external router (A=0, M=1, O=1) | external DHCPv6 server |  | off | off | VM obtains IPv6 address and optional info from external DHCPv6 server using DHCPv6 Stateful |
| external router (A=0, M=1, O=1) | OpenStack dnsmasq | Private / Provider | off | dhcpv6-stateful | VM obtains IPv6 address and optional info from OpenStack dnsmasq using DHCPv6 Stateful |
| external router (A=1, M=0, O=1) | external DHCPv6 server |  | off | off | VM obtains IPv6 address from external router by SLAAC and optional info from external DHCPv6 server using DHCPv6 Stateless |
| external router (A=1, M=0, O=1) | OpenStack dnsmasq | Private / Provider | off | dhcpv6-stateless | VM obtains IPv6 address from external router by SLAAC and optional info from OpenStack dnsmasq using DHCPv6 Stateless |
| OpenStack dnsmasq (A=1, M=0, O=0) | OpenStack dnsmasq | Public | slaac | slaac | VM obtains IPv6 address from OpenStack using SLAAC |
| OpenStack dnsmasq (A=0, M=1, O=1) | external DHCPv6 server | Public | dhcpv6-stateful | off | VM obtains IPv6 address and optional info from external DHCPv6 server using DHCPv6 Stateful |
| OpenStack dnsmasq (A=0, M=1, O=1) | OpenStack dnsmasq | Public | dhcpv6-stateful | dhcpv6-stateful | VM obtains IPv6 address and optional info from OpenStack dnsmasq using DHCPv6 Stateful |
| OpenStack dnsmasq (A=1, M=0, O=1) | external DHCPv6 server | Public | dhcpv6-stateless | off | VM obtains IPv6 address from OpenStack by SLAAC and optional info from external DHCPv6 server using DHCPv6 Stateless |
| OpenStack dnsmasq (A=1, M=0, O=1) | OpenStack dnsmasq | Public | dhcpv6-stateless | dhcpv6-stateless | VM obtains IPv6 address from OpenStack by SLAAC and optional info from OpenStack dnsmasq using DHCPv6 Stateless |

This table is created and submitted to Neutron IPv6 subteam by Shixiong Shang from Nephos6.

Design Proposal

§ Separate the control of Router Advertisement from Address Assignment using two new attributes:

| Attribute | Description | Possible Values |
|---|---|---|
| ipv6_ra_mode | Determine who sends RA and which AMO bits are set. | dhcpv6-stateful, dhcpv6-stateless, slaac, attr_not_specified (i.e. blank) |
| ipv6_address_mode | Determine how VM obtains IPv6 address, default gateway, and/or optional information | dhcpv6-stateful, dhcpv6-stateless, slaac, attr_not_specified (i.e. blank) |

Implementation

[Diagram: neutron client (via CLI or Horizon), Neutron API, Plugin, DB, RabbitMQ, DHCP Agent, Driver (dnsmasq); Controller Node, Network Node]

– New User Interface
– Translate customer inputs to key/value pairs in API call
– Validate two attributes combination
– Attach two attributes values to IPv6 subnet
– Event / Task
– Launch dnsmasq for IPv6 subnets based on two attributes
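The "validate two attributes combination" step, checked against the combinations table earlier in the deck. This is an added example, not Neutron source code: `resolve_ipv6_modes` and `InvalidModeCombination` are hypothetical names, `None` stands for attr_not_specified ("off" in the table), and rejecting pairs the table does not list is an assumption made here.

```python
VALID_MODES = ("slaac", "dhcpv6-stateful", "dhcpv6-stateless")

# RA flags (A, M, O) per mode, as listed in the deck's combinations table.
RA_FLAGS = {
    "slaac": (1, 0, 0),
    "dhcpv6-stateful": (0, 1, 1),
    "dhcpv6-stateless": (1, 0, 1),
}


class InvalidModeCombination(ValueError):
    """Raised for a pair of values the deck's table does not list."""


def resolve_ipv6_modes(ra_mode=None, address_mode=None):
    """Map (ipv6_ra_mode, ipv6_address_mode) to the table's columns.

    None stands for attr_not_specified, shown as "off" in the table.
    """
    for attr, value in (("ipv6_ra_mode", ra_mode),
                        ("ipv6_address_mode", address_mode)):
        if value is not None and value not in VALID_MODES:
            raise InvalidModeCombination(f"{attr}: unknown value {value!r}")
    if ra_mode and address_mode and ra_mode != address_mode:
        # RA flags would tell the VM one thing while dnsmasq serves another.
        raise InvalidModeCombination(
            f"ipv6_ra_mode={ra_mode} conflicts with "
            f"ipv6_address_mode={address_mode}")
    if "slaac" in (ra_mode, address_mode) and ra_mode != address_mode:
        # Assumption: the table lists slaac only as slaac/slaac.
        raise InvalidModeCombination("slaac must be set on both attributes")

    mode = ra_mode or address_mode
    if mode is None:
        # off/off: RA and addressing are left to external equipment.
        return {"ra_sender": "external router", "ra_flags": None,
                "address_source": "external", "network_type": None}
    return {
        "ra_sender": "OpenStack dnsmasq" if ra_mode else "external router",
        # Flags the RA sender has to advertise for this mode to work.
        "ra_flags": RA_FLAGS[mode],
        "address_source": ("OpenStack dnsmasq" if address_mode
                           else "external DHCPv6 server"),
        "network_type": "Public" if ra_mode else "Private/Provider",
    }
```

When `ipv6_ra_mode` is unset, the returned `ra_flags` are what the external router has to be configured to send, since OpenStack does not control that RA.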

Neutron Subnet Creation

neutron subnet-create --ip-version 6 --name subnet-name network-name ipv6_prefix --enable-dhcp true --ipv6_ra_mode slaac --ipv6_address_mode slaac

[Diagram: Neutron Client, Neutron API, MySQL DB]

Challenges: Public Network

[Diagram]
Network Node
– qdhcp namespace: ns- interface 192.168.1.2, 2001:db8:1:1::a:b:c
– qrouter namespace: qr- interface 192.168.1.1, qr- interface 2001:db8:1:1::1
Compute Node
– VM: vnic 192.168.1.3, 2001:db8:1:1::x:y:z
Labels: IPv6 RA and/or DHCPv6; IPv4 DHCP; security policy; Switching

1. Keep dnsmasq behavior intact for IPv4 subnet
2. Launch a dnsmasq instance for IPv6 subnet, bind it to the qr- gw interface and send RA from there. May use dnsmasq as DHCPv6 server.
3. OpenStack needs to know VM’s self-calculated IPv6 address in SLAAC case
4. Need ip6tables filter rules to enable ICMPv6 at inbound direction
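Why OpenStack "needs to know the VM's self-calculated IPv6 address" in the SLAAC case: the port's security policy can only permit a source address it can predict. This added example (not code from the deck or from Neutron) assumes the VM forms its address with modified EUI-64 (RFC 4291) rather than privacy extensions; the function names and the sample MAC are constructed for illustration, and the prefix is the one shown in the diagram.

```python
import ipaddress


def _eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291) for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit and insert ff:fe in the middle.
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big")


def slaac_address(prefix, mac):
    """Address a VM derives from an advertised /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(
        int(net.network_address) | _eui64_interface_id(mac))


def expected_sources(prefix, mac):
    """Source addresses a port's security policy should accept."""
    return {
        slaac_address(prefix, mac),
        slaac_address("fe80::/64", mac),  # link-local, used for RS/NS
    }


def is_expected_source(addr, prefix, mac):
    """True if addr is one of the addresses predicted for this port."""
    return ipaddress.IPv6Address(addr) in expected_sources(prefix, mac)


# Constructed sample: prefix from the deck's diagram, made-up MAC.
SAMPLE_PREFIX = "2001:db8:1:1::/64"
SAMPLE_MAC = "fa:16:3e:12:34:56"

if __name__ == "__main__":
    print(slaac_address(SAMPLE_PREFIX, SAMPLE_MAC))
```

A VM using temporary (privacy) addresses would not match this prediction, so its traffic would be dropped by a policy built this way.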

Challenges: Private/Provider Network

[Diagram]
Network Node
– qdhcp namespace: ns- interface 192.168.1.2, 2001:db8:1:1::a:b:c
Compute Node
– VM: vnic 192.168.1.3, 2001:db8:1:1::x:y:z
Labels: IPv6 DHCPv6; IPv4 DHCP; security policy; Switching

1. Keep dnsmasq behavior intact for IPv4 subnet
2. Launch a separate dnsmasq instance for IPv6 subnet and bind it to the ns- interface. Use it as DHCPv6 server without sending RA
3. Need ip6tables filter rules to enable ICMPv6 at inbound direction

Icehouse Demo Setup

[Diagram]
Controller Node: mysql db, rabbitmq, horizon, keystone, glance, swift, cinder, nova-api, nova-scheduler, nova-consoleauth, nova-novncproxy, nova-cert, nova-conductor, neutron-server
Network Node: neutron-dhcp-agent, neutron-l3-agent, neutron-metadata-agent, openvswitch, neutron-openvswitch-agent, dnsmasq
Compute Node: nova-compute, openvswitch-agent, openvswitch
Networks: Management and API Networks, Tenant Data Networks, Tenant External Network, Router
Interface labels: eth0; eth0, eth1, eth2; eth0, eth2

Icehouse Demo Setup

[Diagram: Network Node, Compute Node, VM, three OVSwitch instances, Neutron Router, Physical Router]
net1_priv1
– sub1_priv1_ipv4: 192.168.1.0/24
– sub1_priv1_ipv6: 2001:db8:1:1::/64
Addresses shown: 192.168.1.1, 2001:db8:1:1::1; 192.168.1.d, 2001:db8:1:1:x:y:z:e

Icehouse Demo - Dual-Stack VM

Icehouse Demo - VM IPv4 and IPv6 Address

Icehouse Demo - IPv6 Default Gateway

Icehouse Demo - IPv6 Connectivity

Next Step

§ Robustness
§ ML2…friend or foe?
§ IPv6 External network
§ Prefix Delegation
§ …and more!

“Any product that is not IPv6 based is legacy from day one.” - Nephos6