Some theoretical analysis of the design and use of IPv6 in OpenStack (untested) (by quqi99)

Author: Zhang Hua  Published: 2013-03-29
Copyright notice: may be freely reposted; when reposting, please indicate the original source, the author information and this copyright notice in the form of a hyperlink
( http://blog.csdn.net/quqi99 )


References: Linux as an IPv6 gateway http://bigeagle.me/2011/11/linux_as_ipv6_gateway/

https://www.berrange.com/posts/2011/06/16/providing-ipv6-connectivity-to-virtual-guests-with-libvirt-and-kvm/

https://etherpad.openstack.org/IPV6-Support

l3-agent does not support IPv6.
Motivation: IPv4 address exhaustion, especially in the Asia Pacific region.
- Support assignment of only an IPv6 address to a VM.
- Configuration flag to select IPv4 mode, IPv6 mode or dual-stack mode.
- Each VIF of a VM is assigned an IPv6 global unicast address.
- Pass IPv6 packets through the L3-agent node.
- Firewall rule management for IPv6 traffic.
- Support DNSv6.
- Support IPv6 connections to all API layers.
- NTP poisoning.

IPv6 process, for example:
WAN: br-ex (GW: 2001:2:3:4500::1/56, IP: 2001:2:3:45ff:ff:ff:ff:ff/128)
LAN: br-int
VM1: 2001:2:3:4501::/64, 2001:2:3:4501:221:70ff:fec0:ef3f
VM2: 2001:2:3:4502::/64

br-ex: 2001:2:3:45ff:ff:ff:ff:ff/128


On the physical router:

ip -6 route add 2001:2:3:4500::/56 via 2001:2:3:4500::1


On the l3-agent node:

ip -6 route add default via 2001:2:3:4500::1 dev qg-interface    # for every tenant router

ip -6 route add 2001:2:3:4501::/64 dev gw-tenant1
ip -6 route add 2001:2:3:4502::/64 dev gw-tenant2

ip -6 neigh add proxy 2001:2:3:4501:221:70ff:fec0:ef3f dev gw-tenant1

ip -6 neigh add proxy 2001:2:3:4501::1 dev qg-interface
ip -6 neigh add proxy 2001:2:3:4502::1 dev qg-interface


             --------- physical router 2001:2:3:4500::1/56 ---------
                                        |
 sixxs                  .-------------------------------------------.
                        |  br-ex  2001:2:3:4500::2/56 (qg-interface) |
                        *-------------------------------------------*
                                        |
 .----------.                   .---------------.
 |  br-eth1 |veth____________veth|    br-int     |
 |      eth0|                   |               |
 *----------*                   *---------------*
                      gw-tenant1 |             | gw-tenant2
                                 |             |
              2001:2:3:4501::/64 |             | 2001:2:3:4502::/64
                                 |             |
                            tap1 |             | tap2
                               [VM1]         [VM2]

                          VM1: 2001:2:3:4501:221:70ff:fec0:ef3f/64

1) Enable IPv6 and install radvd on the l3-agent node to allocate IPv6 addresses to the VMs.

( the dnsmasq equivalent would be: dhcp-range=tag:br0,::1,::FFFF,constructor:br0,ra-names,12h
  enable-ra )

cat /etc/radvd.conf

interface gw-tenant1 {
   AdvSendAdvert on;
   AdvManagedFlag off;             # M flag off: the VM does not get its address from DHCPv6
   AdvOtherConfigFlag off;         # O flag off: the VM does not use DHCPv6 for other configuration
   Prefix 2001:2:3:4501::/64 {     # prefix advertised to the VMs for SLAAC
     AdvOnLink on;
     AdvAutonomous on;
     AdvRouterAddr off;
   };
};

interface gw-tenant2 {
   AdvSendAdvert on;
   AdvManagedFlag off;             # M flag off: the VM does not get its address from DHCPv6
   AdvOtherConfigFlag off;         # O flag off: the VM does not use DHCPv6 for other configuration
   Prefix 2001:2:3:4502::/64 {     # prefix advertised to the VMs for SLAAC
     AdvOnLink on;
     AdvAutonomous on;
     AdvRouterAddr off;
   };
};
If DHCPv6 is used to allocate addresses, dhcp6s only hands out addresses and does not advertise the prefix, so it has to work together with radvd:
cat /etc/dhcp6s.conf
interface br-lan {
        address-pool pool1 86400;
};
pool pool1 {
        range 2001:2:3:4500:aaaa::1 to 2001:2:3:4500:aaaa::ffff ;
}

Note: dnsmasq can also replace radvd, for example with this configuration (http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html):

dnsmasq
enable-ra: tells dnsmasq to send router advertisements for the IPv6 prefixes of its dhcp-ranges
dhcp-range modes:
   ra-only: dnsmasq sends RAs but does not do DHCPv6
   slaac: dnsmasq sends RAs with the A bit set, so clients generate SLAAC addresses
   ra-stateless: dnsmasq sends RAs with the O and A bits set, so clients generate SLAAC addresses and use DHCPv6 to retrieve other information

2) Configure routing for the VMs
sysctl -w net.ipv6.conf.all.forwarding=1
ip -6 addr add 2001:2:3:4501:221:70ff:fec0:ef3f/64 dev tap1

ip -6 addr add 2001:2:3:45ff:ff:ff:ff:ff/128 dev qg-interface
ip -6 route add default via 2001:2:3:4500::1 dev qg-interface

ip -6 addr add 2001:2:3:4501::1 dev gw-tenant1
ip -6 addr add 2001:2:3:4502::1 dev gw-tenant2
ip -6 route add 2001:2:3:4501::/64 dev gw-tenant1
ip -6 route add 2001:2:3:4502::/64 dev gw-tenant2

ip -6 route list

3) Enable NDP proxy on the l3-agent node so it answers neighbor solicitations for its address space coming from the upstream network
sysctl -w net.ipv6.conf.all.proxy_ndp=1
ip -6 neigh add proxy 2001:2:3:4501:221:70ff:fec0:ef3f dev gw-tenant1

# for the hardware router in front of br-ex
ip -6 neigh add proxy 2001:2:3:4501::1 dev br-ex
ip -6 neigh add proxy 2001:2:3:4502::1 dev br-ex

If there is no hardware router, this environment can still be demonstrated with radvd.
ifconfig eth0 promisc

How to test:
1) curl --verbose -6 http://localhost
2) tcpdump -ni <interface> ip6

Notes on OpenStack IPv6 support (untested)
1, IPv6 support is not enabled by default in /etc/nova/nova.conf; enable it with --use_ipv6=True
2, fixed IP,
nova-manage network create --label=myown \
--vlan=2511 \
--fixed_range_v4=10.145.230.0/24 \
--fixed_range_v6=2a01:4f8:161:5304::0/64 \
--gateway_v6=fe80::1 \
--num_networks=1
3, floating IP,
nova-manage floating create --pool=v6pool --ip_range=2a01:4f8:161:5304::10 --interface=eth0


Once the default route of step 2 is configured, the internal networks can reach the external network, but the external network does not know the route back to the internal networks. Since no separate IPv6 block was requested from the ISP, no route can be added on the external network; however:

1, If the internal and external networks belong to the same subnet, the router must not be configured to advertise routing information to the external network, as that would cause routing confusion. Instead, proxy_ndp lets NDP requests from the external network pass through the gateway.

2, If the internal and external networks are not in the same subnet, the router can be configured to advertise routes to the external network, and proxy_ndp is then not needed.

Note: routers select routes by longest prefix match, so subnets with the same prefix but different prefix lengths count as different network segments. Therefore, for a distinct subnet, once its route has been added, the proxy_ndp entries of step 3 are no longer needed.
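An added example (not from the original post) that applies the same-subnet versus separate-block decision above to the page's topology and emits the step 2/3 commands for the l3-agent node. It uses the standard ipaddress module; the prefixes, interface names and the 2001:db8:ffff:1::/64 "separately delegated" tenant are constructed sample values. It places the VM proxy entries on qg-interface, the side on which the upstream router's neighbor solicitations arrive.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology matching the page's example (sample values, not a live deployment).
UPSTREAM = ipaddress.IPv6Network("2001:2:3:4500::/56")   # block of the physical router
UPSTREAM_GW = ipaddress.IPv6Address("2001:2:3:4500::1")  # physical router address
QG_IF = "qg-interface"                                   # external side of the l3-agent node


def plan_tenant(tenant_prefix: str, gw_if: str, vm_addrs: List[str]) -> Dict[str, object]:
    """Decide how the l3-agent node makes one tenant network reachable.

    Longest-prefix match on the physical router means a tenant /64 carved out of
    the upstream /56 is still on-link from the router's point of view, so its
    neighbor solicitations must be answered by proxy_ndp on the external
    interface.  A prefix outside the upstream block is a separate route and
    needs no NDP proxy entries.
    """
    net = ipaddress.IPv6Network(tenant_prefix)
    inside = net.subnet_of(UPSTREAM)
    cmds = [f"ip -6 route add {net} dev {gw_if}"]
    if inside:
        # Same block as the upstream /56: proxy each VM address on the external side.
        for a in vm_addrs:
            addr = ipaddress.IPv6Address(a)
            if addr not in net:
                raise ValueError(f"{addr} is not inside {net}")
            cmds.append(f"ip -6 neigh add proxy {addr} dev {QG_IF}")
    return {"prefix": str(net), "needs_proxy_ndp": inside, "commands": cmds}


def plan_node(tenants: List[Tuple[str, str, List[str]]]) -> List[str]:
    """Whole-node command list: sysctls, default route, then per-tenant commands."""
    cmds = [
        "sysctl -w net.ipv6.conf.all.forwarding=1",
        f"ip -6 route add default via {UPSTREAM_GW} dev {QG_IF}",
    ]
    plans = [plan_tenant(p, gw, vms) for p, gw, vms in tenants]
    if any(pl["needs_proxy_ndp"] for pl in plans):
        cmds.append("sysctl -w net.ipv6.conf.all.proxy_ndp=1")
    for pl in plans:
        cmds.extend(pl["commands"])
    return cmds


if __name__ == "__main__":
    for line in plan_node([
        ("2001:2:3:4501::/64", "gw-tenant1", ["2001:2:3:4501:221:70ff:fec0:ef3f"]),
        ("2001:2:3:4502::/64", "gw-tenant2", []),
        ("2001:db8:ffff:1::/64", "gw-tenant3", ["2001:db8:ffff:1::10"]),
    ]):
        print(line)
```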

sysctl -w net.ipv6.conf.all.forwarding=1

ip -6 addr add 2001:2:3:4501:221:70ff:fec0:ef3f/64  dev tap1

ip -6 addr add 2001:2:3:45ff:ff:ff:ff:ff/128  dev qg-interface
ip -6 route add default 2001:2:3:4500::1/56 dev qg-interface

ip address add 2001:2:3:4501::1 dev gw-tenant1
ip address add 2001:2:3:4502::1 dev gw-tenant2

ip -6 route add 2001:2:3:4501::/64 dev gw-tenant1
ip -6 route add 2001:2:3:4502::/64 dev gw-tenant2

ip -6 route list

3) install NDP protocal in the l3-agent node to tell it's address space to upstream network
sysctl -w net.ipv6.conf.all.proxy_ndp=1
ip -6 neigh add proxy 2001:2:3:4501:221:70ff:fec0:ef3f/64 dev gw-tenant1

ip -6 neigh add proxy 2001:2:3:4501::1 dev qg-interface
ip -6 neigh add proxy 2001:2:3:4502::1 dev qg-interface

ifconfig eth0 promisc

how to test,
1) curl --verbose -6http://localhost
2) tcpdump -ni <interface> ip6

noteson openstack ipv6 support (untested)
1, ipv6 support is not activated in /etc/nova/nova.conf, --use_ipv6=True

2, fixed ip,
nova-manage network create--label=myown \
--vlan=2511 \
--fixed_range_v4=10.145.230.0/24\
--fixed_range_v6=2a01:4f8:161:5304::0/64 \
--gateway_v6=fe80::1 \
--num_networks=1

3, floating ip,

nova-managefloating create --pool=v6pool --ip_range=2a01:4f8:161:5304::10--interface=eth0


Reference

http://blog.sina.com.cn/s/blog_4afa958f0101cm5z.html
