OpenStack Icehouse over IPv6
DESCRIPTION
Since my previous meetup presentation last Dec., a lot of progress has been made jointly between Nephos6, Comcast, IBM, and Cisco teams to enable IPv6 in OpenStack Icehouse. In this session, we discussed the use cases we had tried to cover, the architectural design we had proposed and the solution being implemented. A demo was provided by the end of the session to showcase the IPv6 connectivity between a dual-stack VM and its default gateway using the recently released OpenStack Icehouse. This slide, "OpenStack Icehouse on IPv6", was presented on April 24 at the Triangle OpenStack Meetups sponsored by Cisco Systems in the Raleigh-Durham area, NC, USA. We will periodically publish more slides to share our key findings or key learnings from other stackers or our customers with respect to OpenStack and IPv6. Stay tuned! Shixiong
TRANSCRIPT
Copyright ©2014 Nephos6. All Rights Reserved
Agenda
§ Introduction
§ Overview
§ Use Cases
§ Design and Implementation
§ Demo
§ Next Steps
Introduction
§ Nephos6
– Founded in June, 2011
– Service assurance company
– Twitter: @Nephos6
– Web: http://www.nephos6.com
§ Shixiong Shang – Head of Engineering
– Twitter: @shshang
– Email: [email protected]
§ Ciprian Popoviciu – Founder, CEO
– IPv6 expert
– Twitter: @Nephos6
– Email: [email protected]
IPv6…? IPv6 NOW!
§ “The promise of Cloud cannot be fully met without IPv6” - Nephos6
§ “The Road To IPv6, Bumpy” - Paul Saab from Facebook, 2014 V6 World Congress in Paris
§ Facebook’s goal:
– 75% of internal traffic is now IPv6 with a goal to be at 100% by Q3 2014 or earlier
– First IPv6 only cluster (no RFC1918) by end of 2014
– 100% IPv6 only (no RFC1918) in 2-3 years
Overview
§ OpenStack Neutron IPv6 sub team.
§ Have been working with other stackers on a weekly basis
– Comcast, IBM, Cisco, etc.
§ Nephos6 main contributions:
– Proposed 4 + 1 blueprints
– Implemented 3 + 1 blueprints
– Submitted 400+ lines of Python source code plus 300+ lines of unit testing code
§ Target release: Icehouse in April, 2014
§ Status: Look forward to Juno….:)
Scope
§ Current main focuses:
– Router Advertisement and Address Assignment
‣ SLAAC
‣ DHCPv6 (Stateful and Stateless)
– Tenant network
‣ Public
‣ Private/Provider
§ Primary seven use cases
– Neutron Client (CLI + Dashboard): IBM and Cisco
– Neutron APIs: Comcast and IBM
– Database: Comcast
– Neutron DHCP Agent: Nephos6
IPv6 Address Auto-Configuration

| | SLAAC* | DHCPv6* |
|---|---|---|
| IPv6 Address (non-link-local) | By exchanging Router Solicitation and Router Advertisement messages with neighboring routers. | From DHCPv6 server |
| Additional Information | None | From DHCPv6 server |
| Default Gateway | The only way to announce default route is using Router Advertisement! | The only way to announce default route is using Router Advertisement! |
| Pros | Plug and play | IPv4-like approach, but better; More control |
| Cons | Doesn’t provide Hostname, DNS server, WINS, etc. | Operational overhead (extra DHCP server, HA, etc.) |

* Based on ICMPv6
Use Cases - Public Tenant Network
[Diagram: use cases 1, 2 and 3. In each, a VM on the tenant network (inside) sits behind a neutron router that faces the external network side (outside). Label: Provided by OpenStack.]
1. Router Advertisement; Address Assignment: SLAAC
2. Router Advertisement; Address Assignment: DHCPv6 Stateful, dhcpv6 server (stateful)
3. Router Advertisement; Address Assignment: DHCPv6 Stateless, dhcpv6 server (stateless)
Use Cases - Public Tenant Network
[Diagram: use cases 4 and 5. In each, a VM on the tenant network (inside) sits behind a neutron router that faces the external network side (outside). The neutron router is provided by OpenStack; the dhcpv6 servers are provided by the customer.]
4. Router Advertisement; Address Assignment: DHCPv6 Stateful, dhcpv6 server (stateful)
5. Router Advertisement; Address Assignment: DHCPv6 Stateless, dhcpv6 server (stateless)
Use Cases - Provider Tenant Network
[Diagram: use cases 6 and 7. In each, a VM on the tenant network (inside) sits behind a physical router that faces the external network side (outside). The physical router is provided by the customer; the dhcpv6 servers are provided by OpenStack.]
6. Router Advertisement; Address Assignment: DHCPv6 Stateful, dhcpv6 server (stateful)
7. Router Advertisement; Address Assignment: DHCPv6 Stateless, dhcpv6 server (stateless)
Use Cases - Private Tenant Network
[Diagram: use cases 8 and 9. In each, a VM on the tenant network (inside) attaches to a physical switch; there is no external network side (outside). The physical switch is provided by the customer; the dhcpv6 servers are provided by OpenStack.]
8. Router Advertisement; Address Assignment: DHCPv6 Stateful, dhcpv6 server (stateful)
9. Router Advertisement; Address Assignment: DHCPv6 Stateless, dhcpv6 server (stateless)
| Who Sends RA? | Who Assigns Address? | Network Type | OpenStack ipv6_ra_mode | OpenStack ipv6_address_mode | Description |
|---|---|---|---|---|---|
| external router (A=1, M=0, O=0) | external router | | off | off | VM obtains IPv6 address from external router using SLAAC |
| external router (A=0, M=1, O=1) | external DHCPv6 server | | off | off | VM obtains IPv6 address and optional info from external DHCPv6 server using DHCPv6 Stateful |
| external router (A=0, M=1, O=1) | OpenStack dnsmasq | Private / Provider | off | dhcpv6-stateful | VM obtains IPv6 address and optional info from OpenStack dnsmasq using DHCPv6 Stateful |
| external router (A=1, M=0, O=1) | external DHCPv6 server | | off | off | VM obtains IPv6 address from external router by SLAAC and optional info from external DHCPv6 server using DHCPv6 Stateless |
| external router (A=1, M=0, O=1) | OpenStack dnsmasq | Private / Provider | off | dhcpv6-stateless | VM obtains IPv6 address from external router by SLAAC and optional info from OpenStack dnsmasq using DHCPv6 Stateless |
| OpenStack dnsmasq (A=1, M=0, O=0) | OpenStack dnsmasq | Public | slaac | slaac | VM obtains IPv6 address from OpenStack using SLAAC |
| OpenStack dnsmasq (A=0, M=1, O=1) | external DHCPv6 server | Public | dhcpv6-stateful | off | VM obtains IPv6 address and optional info from external DHCPv6 server using DHCPv6 Stateful |
| OpenStack dnsmasq (A=0, M=1, O=1) | OpenStack dnsmasq | Public | dhcpv6-stateful | dhcpv6-stateful | VM obtains IPv6 address and optional info from OpenStack dnsmasq using DHCPv6 Stateful |
| OpenStack dnsmasq (A=1, M=0, O=1) | external DHCPv6 server | Public | dhcpv6-stateless | off | VM obtains IPv6 address from OpenStack by SLAAC and optional info from external DHCPv6 server using DHCPv6 Stateless |
| OpenStack dnsmasq (A=1, M=0, O=1) | OpenStack dnsmasq | Public | dhcpv6-stateless | dhcpv6-stateless | VM obtains IPv6 address from OpenStack by SLAAC and optional info from OpenStack dnsmasq using DHCPv6 Stateless |

This table is created and submitted to Neutron IPv6 subteam by Shixiong Shang from Nephos6.
Design Proposal
§ Separate the control of Router Advertisement from Address Assignment using two new attributes:

| Attribute | Description | Possible Values |
|---|---|---|
| ipv6_ra_mode | Determine who sends RA and which AMO bits are set. | dhcpv6-stateful, dhcpv6-stateless, slaac, attr_not_specified (i.e. blank) |
| ipv6_address_mode | Determine how VM obtains IPv6 address, default gateway, and/or optional information | dhcpv6-stateful, dhcpv6-stateless, slaac, attr_not_specified (i.e. blank) |
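
Since ipv6_ra_mode fixes which A, M and O bits OpenStack advertises, a captured Router Advertisement can be checked against the subnet's configured mode. The following is an added example, not code from the slides or from Neutron: the function names are hypothetical, the bit positions follow RFC 4861, and the sample RA is constructed.

```python
import ipaddress
import struct

# (A, M, O) bits that the mode table lists for each ipv6_ra_mode value.
EXPECTED_AMO = {
    "slaac": (1, 0, 0),
    "dhcpv6-stateful": (0, 1, 1),
    "dhcpv6-stateless": (1, 0, 1),
}

def parse_ra_amo(icmp6: bytes):
    """Return (A, M, O) from a raw ICMPv6 Router Advertisement (RFC 4861)."""
    if len(icmp6) < 16 or icmp6[0] != 134:        # type 134 = Router Advertisement
        raise ValueError("not a Router Advertisement")
    m = (icmp6[5] >> 7) & 1                       # header flags byte: M=0x80
    o = (icmp6[5] >> 6) & 1                       #                    O=0x40
    a, pos = 0, 16                                # options follow the 16-byte header
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed RA option")
        if opt_type == 3 and opt_len == 32:       # Prefix Information option
            a |= (icmp6[pos + 3] >> 6) & 1        # option flags byte: L=0x80, A=0x40
        pos += opt_len
    return a, m, o

def ra_matches_mode(icmp6: bytes, ipv6_ra_mode: str) -> bool:
    """True when the RA advertises exactly the bits expected for the mode."""
    if ipv6_ra_mode not in EXPECTED_AMO:
        raise ValueError("no expected bits for mode %r" % ipv6_ra_mode)
    return parse_ra_amo(icmp6) == EXPECTED_AMO[ipv6_ra_mode]

def build_sample_ra(a, m, o, prefix="2001:db8:1:1::", plen=64):
    """Constructed test input: a minimal RA with one prefix option, checksum 0."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, (m << 7) | (o << 6), 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, plen, 0x80 | (a << 6), 86400, 14400, 0)
    return hdr + pio + ipaddress.IPv6Address(prefix).packed

if __name__ == "__main__":
    ra = build_sample_ra(a=1, m=0, o=1)
    for mode in EXPECTED_AMO:
        print(mode, ra_matches_mode(ra, mode))
```

An RA on a tenant network whose bits do not match the subnet's ipv6_ra_mode points to a misconfigured dnsmasq or to an RA from a source other than the intended one.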
Implementation
[Diagram: request path for the two new attributes. Components, in order: neutron client (via cli or horizon), Neutron API, Plugin, DB, RabbitMQ, DHCP Agent, Driver (dnsmasq). Nodes shown: Controller Node, Network Node.]
Annotations on the diagram:
– New User Interface
– Translate customer inputs to key/value pairs in API call
– Validate two attributes combination
– Attach two attributes values to IPv6 subnet
– Event / Task
– Launch dnsmasq for IPv6 subnets based on two attributes
Neutron Subnet Creation
neutron subnet-create --ip-version 6 --name subnet-name network-name ipv6_prefix --enable-dhcp true --ipv6_ra_mode slaac --ipv6_address_mode slaac
[Diagram: Neutron Client, Neutron API, MySQL DB]
Challenges: Public Network
1. Keep dnsmasq behavior intact for IPv4 subnet
2. Launch a dnsmasq instance for IPv6 subnet, bind it to the qr- gw interface and send RA from there. May use dnsmasq as DHCPv6 server.
3. OpenStack needs to know VM’s self-calculated IPv6 address in SLAAC case
4. Need ip6tables filter rules to enable ICMPv6 at inbound direction
[Diagram: Network Node with a qdhcp namespace (ns- interface 192.168.1.2, 2001:db8:1:1::a:b:c) and a qrouter namespace (qr- interface 192.168.1.1, qr- interface 2001:db8:1:1::1); Compute Node with a VM (vnic 192.168.1.3, 2001:db8:1:1::x:y:z), security policy and switching. Traffic labels: IPv4 DHCP, IPv6 RA and/or DHCPv6.]
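
Challenge 3 above exists because a SLAAC guest derives its own address, so the address that security policy should allow for a port has to be computed from the port's MAC and the subnet prefix. The following is an added example, not code from the slides or from Neutron: the function names are hypothetical, the MAC is a constructed sample, and it assumes the guest builds its interface ID with modified EUI-64 (RFC 4291, Appendix A) rather than privacy or stable-opaque identifiers, which the slides do not specify.

```python
import ipaddress

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]

def expected_slaac_addresses(prefix: str, mac: str):
    """Addresses a guest using EUI-64 SLAAC will configure on this subnet."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC requires a /64 prefix")
    iid = eui64_interface_id(mac)
    global_addr = ipaddress.IPv6Address(net.network_address.packed[:8] + iid)
    link_local = ipaddress.IPv6Address(bytes.fromhex("fe80000000000000") + iid)
    return {global_addr, link_local}

def is_expected_source(src: str, prefix: str, mac: str) -> bool:
    """Anti-spoofing check: is src one of the addresses derived from the port's MAC?"""
    return ipaddress.IPv6Address(src) in expected_slaac_addresses(prefix, mac)

if __name__ == "__main__":
    # Constructed sample port: the demo subnet prefix and a made-up MAC address.
    for addr in sorted(expected_slaac_addresses("2001:db8:1:1::/64", "fa:16:3e:12:34:56")):
        print(addr)
```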
Challenges: Private/Provider Network
1. Keep dnsmasq behavior intact for IPv4 subnet
2. Launch a separate dnsmasq instance for IPv6 subnet and bind it to the ns- interface. Use it as DHCPv6 server without sending RA
3. Need ip6tables filter rules to enable ICMPv6 at inbound direction
[Diagram: Network Node with a qdhcp namespace (ns- interface 192.168.1.2, 2001:db8:1:1::a:b:c); Compute Node with a VM (vnic 192.168.1.3, 2001:db8:1:1::x:y:z), security policy and switching. Traffic labels: IPv4 DHCP, IPv6 DHCPv6.]
Icehouse Demo Setup
[Diagram: Controller Node, Network Node and Compute Node attached through interfaces eth0, eth1 and eth2 to the Management and API Networks, Tenant Data Networks and Tenant External Network, with a Router.]
§ Controller Node: mysql db, rabbitmq, horizon, keystone, glance, swift, cinder, nova-api, nova-scheduler, nova-consoleauth, nova-novncproxy, nova-cert, nova-conductor, neutron-server
§ Network Node: neutron-dhcp-agent, neutron-l3-agent, neutron-metadata-agent, openvswitch, neutron-openvswitch-agent, dnsmasq
§ Compute Node: nova-compute, openvswitch-agent, openvswitch
Icehouse Demo Setup
[Diagram: Network Node and Compute Node with three OVSwitch instances, the Neutron Router, a Physical Router and the VM.]
§ net1_priv1
– sub1_priv1_ipv4: 192.168.1.0/24
– sub1_priv1_ipv6: 2001:db8:1:1::/64
§ Neutron Router: 192.168.1.1, 2001:db8:1:1::1
§ VM: 192.168.1.d, 2001:db8:1:1:x:y:z:e
Next Step
§ Robustness
§ ML2…friend or foe?
§ IPv6 External network
§ Prefix Delegation
§ …and more!
“Any product that is not IPv6 based is legacy from day one.” - Nephos6