Some theoretical analysis of the design and use of IPv6 in OpenStack (untested) ( by quqi99 )

Author: Zhang Hua  Published: 2013-03-29
Copyright notice: may be freely reposted; when reposting, please mark the original source, the author information and this copyright notice in hyperlink form
( http://blog.csdn.net/quqi99 )


Refer: Linux as an IPv6 gateway http://bigeagle.me/2011/11/linux_as_ipv6_gateway/

https://www.berrange.com/posts/2011/06/16/providing-ipv6-connectivity-to-virtual-guests-with-libvirt-and-kvm/

https://etherpad.openstack.org/IPV6-Support

l3-agent does not support IPv6
IPv4 address exhaustion, especially in the Asia Pacific region.
- Support assignment of an IPv6-only address to a VM.
- Configuration flag to select IPv4 mode, IPv6 mode or dual-stack mode.
- Each VIF of a VM is also assigned an IPv6 global unicast address.
- Pass-through of IPv6 packets on the L3-agent node.
- Firewall rule management for IPv6 traffic.
- Support DNSv6.
- Support IPv6 connections to all API layers.

- NTP poisoning


IPv6 evolution history

The three figures below show, in turn, three models for implementing IPv6:

1, NAT66, i.e. imitating the NAT approach of the existing OpenStack IPv4 implementation

2, ND proxy, the approach this article describes

3, Routing, exchanging routes with a dynamic routing protocol








IPv6 process
e.g.:
WAN: br-ex (GW: 2001:2:3:4500::1/56,  IP: 2001:2:3:45ff:ff:ff:ff:ff/128 )
LAN: br-int
VM1: 2001:2:3:4501::/64, 2001:2:3:4501:221:70ff:fec0:ef3f
VM2: 2001:2:3:4502::/64

br-ex: 2001:2:3:45ff:ff:ff:ff:ff/128


in the physical router:

ip -6 route add 2001:2:3:4500::/56 via 2001:2:3:4500::1


in the l3-agent:

ip -6 route add default via 2001:2:3:4500::1 dev qg-interface  ( for every tenant router)

ip -6 route add 2001:2:3:4501::/64 dev gw-tenant1
ip -6 route add 2001:2:3:4502::/64 dev gw-tenant2

# proxy entries take a host address, not a prefix length
ip -6 neigh add proxy 2001:2:3:4501:221:70ff:fec0:ef3f dev gw-tenant1

ip -6 neigh add proxy 2001:2:3:4501::1 dev qg-interface
ip -6 neigh add proxy 2001:2:3:4502::1 dev qg-interface


             --------- physical router 2001:2:3:4500::1/56 -------------



.           ----------. 2001:2:3:4500::2/56   .---------------.
sixxs                        |  br-ex   (qg-interface)
                                 |         
                                  *----------*  

.----------.                                    .---------------.
|  br-eth1   |veth______________veth|    br-int     |
|          |eth0                  |               |
*----------*                      *---------------*
                           gw-tenant1 |        | gw-tenant2
                                      |        |
                   2001:2:3:4501::/64 |        | 2001:2:3:4502::/64
                                      |        |
                                 tap1 |        | tap2
                                    [VM1]   [VM2]

                          VM1: 2001:2:3:4501:221:70ff:fec0:ef3f/64

1) Enable IPv6 and install radvd on the l3-agent node to allocate IPv6 addresses to the VMs.

( the dnsmasq equivalent: dhcp-range=tag:br0,::1,::FFFF,constructor:br0, ra-names, 12h
  enable-ra )

cat /etc/radvd.conf

interface gw-tenant1 {
   AdvSendAdvert on;
   AdvManagedFlag off;
   AdvOtherConfigFlag off;         # tells the client VM whether to use DHCPv6 to obtain an address
   prefix 2001:2:3:4501::/64 {     # the IPv6 prefix advertised
     AdvOnLink on;
     AdvAutonomous on;
     AdvRouterAddr off;
   };
};

interface gw-tenant2 {
   AdvSendAdvert on;
   AdvManagedFlag off;
   AdvOtherConfigFlag off;         # tells the client VM whether to use DHCPv6 to obtain an address
   prefix 2001:2:3:4502::/64 {     # the IPv6 prefix advertised
     AdvOnLink on;
     AdvAutonomous on;
     AdvRouterAddr off;
   };
};
If DHCPv6 is used to allocate addresses, dhcp6s only provides addresses, not the prefix, so it has to work together with radvd:
cat /etc/dhcp6s.conf
interface br-lan {
        address-pool pool1 86400;
};
pool pool1 {
        range 2001:2:3:4500:aaaa::1 to 2001:2:3:4500:aaaa::ffff ;
}

Note: dnsmasq can also replace radvd, e.g. with this configuration (http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html):

dnsmasq
enable-ra: tells dnsmasq to send router advertisements for the IPv6 prefix
dhcp-range, with one of:
   ra-only: dnsmasq sends RAs but does not use DHCPv6
   slaac: dnsmasq sends RAs and sets the A bit so that clients can generate SLAAC addresses

   ra-stateless: dnsmasq sends RAs and sets the O bit and the A bit so that clients generate SLAAC addresses and use DHCP to retrieve the other information


An ND (router advertisement) packet carries three bits (Auto, Managed, Other):

  • M bit (Managed Address Configuration): if the M bit is 1, clients must additionally ask DHCPv6 for an IPv6 prefix
  • O bit (Other Configuration): if the O bit is 1, clients ask DHCPv6 for DNS and other information.

Hence:

  • slaac, Stateless autoconfiguration, A=1, M=0, O=0: the host only gets the prefix given by the router; it cannot obtain DNS and similar information, which has to be filled in by hand.
  • dhcpv6-stateful, A=0, M=1, O=1: all information (IPv6 prefix, DNS, etc.) is obtained through DHCPv6, similar to IPv4 DHCP; the client mainly uses UDP port 546 and the server UDP port 547

  • dhcpv6-stateless, A=1, M=0, O=1: apart from the prefix in the RA, other information such as DNS is obtained from DHCPv6. As shown in the figure below:



Correspondingly, Neutron provides two attributes:
  • ipv6_ra_mode: when set to slaac, dhcpv6-stateful or dhcpv6-stateless, Neutron's own radvd is used; when left unset, an external router is used
  • ipv6_address_mode: set to slaac, dhcpv6-stateful or dhcpv6-stateless, it determines the three bits in the ND packets described above.
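The bit table and the two Neutron attributes above can be turned into a small generator that renders a radvd.conf in the same shape as the /etc/radvd.conf shown earlier. This is an added example, not code from the post or from Neutron/radvd: the interface names and prefixes are the post's sample values, and the rule that ipv6_ra_mode and ipv6_address_mode must agree when both are set is stated here as an assumption about Neutron's validation.

```python
"""Map Neutron ipv6_address_mode to RA flag bits and render radvd.conf.

Added example (not from the original post, nor Neutron's or radvd's code).
"""
import ipaddress

# (A, M, O) per mode: A = Autonomous (use the prefix for SLAAC),
# M = Managed (address via DHCPv6), O = Other config (DNS etc. via DHCPv6).
RA_BITS = {
    "slaac":            {"A": True,  "M": False, "O": False},
    "dhcpv6-stateful":  {"A": False, "M": True,  "O": True},
    "dhcpv6-stateless": {"A": True,  "M": False, "O": True},
}


def valid_mode_pair(ra_mode, address_mode):
    """True when the pair is acceptable: address_mode must be known, and an
    explicitly set ra_mode must match it (assumption about Neutron's rule)."""
    return address_mode in RA_BITS and (ra_mode is None or ra_mode == address_mode)


def ra_flags(ra_mode, address_mode):
    """Return the (A, M, O) bits the advertising router must send.
    ra_mode None means an external router (not Neutron's radvd) sends RAs,
    but the bits it has to send are still fixed by address_mode."""
    if not valid_mode_pair(ra_mode, address_mode):
        raise ValueError(f"invalid ipv6 modes ra={ra_mode!r} address={address_mode!r}")
    return dict(RA_BITS[address_mode])


def _onoff(flag):
    return "on" if flag else "off"


def radvd_interface(ifname, prefix, address_mode, ra_mode=None):
    """Render one radvd `interface {}` block. Returns "" when ra_mode is
    unset, because then an external router is responsible for the RAs."""
    if ra_mode is None:
        return ""
    net = ipaddress.IPv6Network(prefix, strict=True)  # rejects host bits set
    bits = ra_flags(ra_mode, address_mode)
    return (
        f"interface {ifname} {{\n"
        f"   AdvSendAdvert on;\n"
        f"   AdvManagedFlag {_onoff(bits['M'])};\n"
        f"   AdvOtherConfigFlag {_onoff(bits['O'])};\n"
        f"   prefix {net} {{\n"
        f"     AdvOnLink on;\n"
        f"     AdvAutonomous {_onoff(bits['A'])};\n"
        f"     AdvRouterAddr off;\n"
        f"   }};\n"
        f"}};\n"
    )


def radvd_conf(subnets):
    """subnets: iterable of (ifname, prefix, address_mode, ra_mode) tuples."""
    blocks = (radvd_interface(*s) for s in subnets)
    return "\n".join(b for b in blocks if b)


if __name__ == "__main__":
    # Sample values taken from the post's topology.
    print(radvd_conf([
        ("gw-tenant1", "2001:2:3:4501::/64", "slaac", "slaac"),
        ("gw-tenant2", "2001:2:3:4502::/64", "dhcpv6-stateless", "dhcpv6-stateless"),
    ]))
```

The useful check is the one in `valid_mode_pair`: a subnet whose RA says A=1, M=0 while its address mode expects DHCPv6 addresses leaves VMs with addresses Neutron never allocated, which is exactly the mismatch the two attributes exist to prevent.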


The CLI commands for creating these three kinds of networks in OpenStack are demonstrated as follows:
neutron net-create public --router:external
neutron subnet-create --name public-subnet --allocation-pool start=172.16.12.5,end=172.16.12.254 public 172.16.12.0/24

neutron subnet-create  --ip-version=6 --name=public-v6-subnet --allocation-pool start=2001:db8:cafe:d::5,end=2001:db8:cafe:d:ffff:ffff:ffff:fffe --disable-dhcp public 2001:db8:cafe:d::/64

neutron net-create private
neutron subnet-create --ip-version=6 --name=private_v6_subnet  --ipv6-address-mode=slaac --ipv6-ra-mode=slaac private 2001:db8:cafe::/64

neutron net-create private-dhcpv6
neutron subnet-create --ip-version=6 --name=private_dhcpv6_subnet  --ipv6-address-mode=dhcpv6-stateful --ipv6-ra-mode=dhcpv6-stateful private-dhcpv6 2001:db8:cafe:1::/64 --dns-nameserver 2001:db8:cafe:a::e

neutron net-create private-dhcpv6-stateless
neutron subnet-create --ip-version=6 --name=private_dhcpv6_stateless_subnet  --ipv6-address-mode=dhcpv6-stateless --ipv6-ra-mode=dhcpv6-stateless private-dhcpv6-stateless 2001:db8:cafe:2::/64 --dns-nameserver 2001:db8:cafe:a::e

neutron router-create router
neutron router-gateway-set router public
neutron router-interface-add router private_v4_subnet
neutron router-interface-add router private_v6_subnet


2) configure the router for the VMs
sysctl -w net.ipv6.conf.all.forwarding=1
ip -6 addr add 2001:2:3:4501:221:70ff:fec0:ef3f/64  dev tap1

ip -6 addr add 2001:2:3:45ff:ff:ff:ff:ff/128  dev qg-interface
ip -6 route add default via 2001:2:3:4500::1 dev qg-interface

ip -6 address add 2001:2:3:4501::1 dev gw-tenant1
ip -6 address add 2001:2:3:4502::1 dev gw-tenant2
ip -6 route add 2001:2:3:4501::/64 dev gw-tenant1
ip -6 route add 2001:2:3:4502::/64 dev gw-tenant2

ip -6 route list

3) enable NDP proxying on the l3-agent node so that it announces its address space to the upstream network
sysctl -w net.ipv6.conf.all.proxy_ndp=1
ip -6 neigh add proxy 2001:2:3:4501:221:70ff:fec0:ef3f dev gw-tenant1

# prepared for the hardware router in front of br-ex
ip -6 neigh add proxy 2001:2:3:4501::1 dev br-ex
ip -6 neigh add proxy 2001:2:3:4502::1 dev br-ex

If there is no hardware router, we can continue to demo this environment using radvd.
ifconfig eth0 promisc

How to test:
1) curl --verbose -6 http://localhost
2) tcpdump -ni <interface> ip6

Notes on OpenStack IPv6 support (untested)
1, IPv6 support is not activated in /etc/nova/nova.conf until --use_ipv6=True is set
2, fixed ip,
nova-manage network create --label=myown \
--vlan=2511 \
--fixed_range_v4=10.145.230.0/24 \
--fixed_range_v6=2a01:4f8:161:5304::0/64 \
--gateway_v6=fe80::1 \
--num_networks=1
3, floating ip,
nova-manage floating create --pool=v6pool --ip_range=2a01:4f8:161:5304::10 --interface=eth0


2) configure router for VM

Once the default route above is configured, the internal network can reach the external network, but the external network has no way of learning the routes to the internal network. Since no separate IPv6 block was requested from the ISP, routes cannot be added on the external network, but:

1, If the internal and external networks belong to the same subnet, the router must not be configured to broadcast routing information packets to the external network, since that would cause routing confusion. Instead, proxy_ndp can let the external network's NDP requests pass through the gateway.

2, If the internal and external networks do not belong to the same subnet, the router can be configured to advertise routes to the external network, and then proxy_ndp does not need to be configured.

Note: routers match routes with the longest-prefix-match algorithm, so subnets with the same prefix but different subnet lengths count as different network segments. Therefore, for different subnets, once the route has been added, the ndp_proxy below is no longer needed.

A packet sent from outside to the VM (2001:2:3:4501:221:70ff:fec0:ef3f/64): because the first 56 bits are routable, it is first delivered to br-ex (2001:2:3:4500::2/56). The router that owns the br-ex interface has no forwarding entry for 2001:2:3:4501:221::0/64, so it assumes the destination IP is a host on the
2001:2:3:4500::0/56 network and multicasts an NS packet directly onto the 2001:2:3:4500::2/56 network. The ND proxy recognises that the packet is destined for one of its internal hosts, so it proxies the NS and forwards it to the host in the internal network 2001:2:3:4501:221::0/64. In this way the ND proxy obtains the destination host's MAC, the local router obtains the ND proxy's MAC, and the packet can therefore be delivered to the internal VM.
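The two cases above (same subnet, so ND proxy is needed; a more specific route on the upstream router, so it is not) come down to a longest-prefix-match decision on the upstream router. The following added example, which is not code from the post, models that decision with the post's sample addresses: it runs the lookup the upstream router would do for each VM address and emits an `ip -6 neigh add proxy` line only where the upstream would otherwise send a Neighbor Solicitation onto the shared link. The proxy entry is placed on the external-facing interface (qg-interface), where that NS arrives; the routing tables are constructed sample data.

```python
"""Decide which VM addresses need ND proxy entries on the l3-agent node.

Added example, not from the original post. Routing tables and addresses are
constructed from the post's sample topology.
"""
import ipaddress


def lookup(route_table, dst):
    """Longest-prefix match. route_table maps prefix -> next hop, where a
    next hop of None means the prefix is on-link. Returns (network, next_hop)
    for the most specific matching prefix, or None if nothing matches."""
    dst = ipaddress.IPv6Address(dst)
    best = None
    for prefix, next_hop in route_table.items():
        net = ipaddress.IPv6Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def needs_nd_proxy(upstream_routes, vm_addr):
    """True when the upstream router would resolve vm_addr with an NS on the
    shared link (its best match is an on-link prefix); False when it forwards
    to a next hop or has no route at all."""
    match = lookup(upstream_routes, vm_addr)
    return match is not None and match[1] is None


def nd_proxy_commands(upstream_routes, vm_addrs, ext_if="qg-interface"):
    """Emit the sysctl and `ip -6 neigh add proxy` lines needed for the VMs
    that the upstream router treats as on-link. Nothing is executed here."""
    cmds = [f"ip -6 neigh add proxy {a} dev {ext_if}"
            for a in vm_addrs if needs_nd_proxy(upstream_routes, a)]
    if cmds:
        cmds.insert(0, "sysctl -w net.ipv6.conf.all.proxy_ndp=1")
    return cmds


# Case 1 (constructed): the upstream router only knows the /56 as on-link.
UPSTREAM_ONLINK_ONLY = {"2001:2:3:4500::/56": None}

# Case 2 (constructed): the upstream router additionally has a specific route
# for tenant1's /64 via the l3-agent's qg address 2001:2:3:4500::2.
UPSTREAM_WITH_ROUTE = {
    "2001:2:3:4500::/56": None,
    "2001:2:3:4501::/64": "2001:2:3:4500::2",
}

# VM1 from the post plus a constructed VM2 address in the tenant2 /64.
VMS = ["2001:2:3:4501:221:70ff:fec0:ef3f", "2001:2:3:4502::10"]


if __name__ == "__main__":
    for name, table in (("on-link only", UPSTREAM_ONLINK_ONLY),
                        ("with /64 route", UPSTREAM_WITH_ROUTE)):
        print(name)
        for cmd in nd_proxy_commands(table, VMS):
            print("   ", cmd)
```

Run as-is it prints proxy lines for both VMs in case 1 and only for the VM in 2001:2:3:4502::/64 in case 2, which is the "once the route is added, ndp_proxy is no longer needed" statement above made concrete. In practice the proxy list has to track VM ports, since every address missing from it is unreachable from outside while every stale entry keeps answering NS for an address that no longer exists.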



Devstack integration

1, Test environment preparation

Because the home connection is China Mobile broadband with no public IP, the IPv6 6to4 tunnels found online cannot be used. So the WAN6 interface in OpenWrt was deleted, then in the "Network -> Interfaces" menu the IPv6 ULA-Prefix was set to 2001:2:3:4500::/56 (this modifies the configuration /etc/config/radvd), and in the WAN interface the IPv6 Settings were configured (Router Advertisement-Service=server mode, DHCPv6-Service
=server mode, NDP-Proxy=disabled [5], DHCPv6-Mode=stateless+stateful).
This way the computers at home obtain an IPv6 address like 2001:2:3:4500:c12c:6b76:fa2e:74ee/64, and OpenWrt's br-lan interface gets the gateway address 2001:2:3:4500::1/60

vi /etc/network/interfaces
allow-ovs br-phy
iface br-phy inet dhcp
    ovs_type OVSBridge
    ovs_ports eth0


2, devstack configuration

#IPv6 tenant network
IP_VERSION=6
IPV6_RA_MODE=slaac
IPV6_ADDRESS_MODE=slaac
FIXED_RANGE_V6=2001:2:3:4500::/64
IPV6_PRIVATE_NETWORK_GATEWAY=2001:2:3:4500::1
HOST_IPV6=2001:2:3:4500:fa32:e4ff:febe:87cd
#IPv6 management network
SERVICE_IP_VERSION=6
SERVICE_HOST=[$HOST_IPV6]
MYSQL_HOST=$HOST_IPV6


3, Environment variables

export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_TENANT_NAME=demo
export OS_AUTH_URL=http://[2001:2:3:4500:fa32:e4ff:febe:87cd]/v2.0
export OS_AUTH_STRATEGY=keystone


4, Problem: memcached reports the error ValueError: Unable to parse connection string: [2001:2:3:4500:fa32:e4ff:febe:87cd]:11211

diff --git a/lib/keystone b/lib/keystone
index 5695004..55b581f 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -490,7 +490,7 @@ function configure_auth_token_middleware {
     iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI
     iniset $conf_file $section cafile $SSL_BUNDLE_FILE
     iniset $conf_file $section signing_dir $signing_dir
-    iniset $conf_file $section memcached_servers $SERVICE_HOST:11211
+    iniset $conf_file $section memcached_servers inet6:${SERVICE_HOST}:11211
 }
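Review bot: the replacement line `+    iniset $conf_file $section memcached_servers inet6:${SERVICE_HOST}:11211` hard-codes the `inet6:` prefix for every deployment, so an IPv4 SERVICE_HOST now produces a connection string of the form `inet6:10.0.0.1:11211`, which is not what the IPv4 path expects. Suggest keying the value on SERVICE_IP_VERSION (set to 6 in the local.conf above), e.g. `if [[ "$SERVICE_IP_VERSION" == 6 ]]; then memcached_servers=inet6:${SERVICE_HOST}:11211; else memcached_servers=${SERVICE_HOST}:11211; fi` before the iniset call. It is also worth confirming that the inet6 form accepts the bracketed `SERVICE_HOST=[$HOST_IPV6]` used above, since the brackets are part of the string that failed to parse.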


BGP+IPv6

If tenants use tenant private IPv6 networks, there is no floating IP function, so the subnets cannot reach each other. Instead, a subnet-pool can be created from several public IPv6 prefixes, interconnection between those IPv6 prefixes configured on the physical router, and the physical DHCP server configured to use prefix delegation (dhcpv6-stateful is not supported) to automatically assign IPv6 prefixes to VMs. Another approach is dynamic routing based on BGP.


#Create two pools default-pool-ip6(2001:db8:1234::/48) and public-pool(2001:db8:4321:42::/64).
neutron address-scope-create --shared address-scope-ip6 6
neutron subnetpool-create --address-scope address-scope-ip6 --shared --pool-prefix 2001:db8:1234::/48 --default-prefixlen 64 --max-prefixlen 64 --is-default true default-pool-ip6 
neutron subnetpool-create --address-scope address-scope-ip6 --pool-prefix 2001:db8:4321:42::/64 --default-prefixlen 64 public-pool


#Create our public network and the IPv6 subnet on the two pools:
neutron net-create --provider:network_type flat --provider:physical_network external --router:external=True public
neutron subnet-create --name public-ip6 --ip_version 6 --subnetpool public-pool public
neutron net-create pronet
neutron subnet-create --name subnet6 --ip_version 6 --use-default-subnetpool --ipv6-address-mode slaac --ipv6-ra-mode slaac pronet


#Create router and VM
neutron router-create router1
neutron router-interface-add <router1 pronet_subnet_id>
neutron router-gateway-set router1 public
nova boot --flavor 1 --image cirros vm1


1, neutron.conf
service_plugins = bgp, router


2, BGP setup
neutron bgp-speaker-create --ip-version 6 --local-as 65001 --advertise-floating-ip-host-routes false bgp1
neutron bgp-speaker-network-add bgp1 public
neutron bgp-peer-create --peer-ip 2001:db8:4321:e0::1 --remote-as 65001 bgp-peer1
neutron bgp-speaker-peer-add bgp1 bgp-peer1


3, BGP agent
sudo apt install neutron-bgp-dragent python-ryu
neutron bgp-dragent-speaker-add <bgp-agent-id> bgp1
vi /etc/neutron/bgp_dragent.ini
[BGP]
# BGP speaker driver class to be instantiated. (string value)
bgp_speaker_driver = neutron.services.bgp.driver.ryu.driver.RyuBgpDriver
# 32-bit BGP identifier, typically an IPv4 address owned by the system running
# the BGP DrAgent. (string value)
bgp_router_id = 10.11.12.13


4, Verification, with the bird configuration file as follows:
protocol bgp {
  local as 65001;
  neighbor 2001:db8:4321:e0::42 as 65001;
}
bird> show proto bgp1
name     proto    table    state  since       info
bgp1     BGP      master   up     12:06:50    Established   
bird> show route 2001:db8:1234:1::/64
2001:db8:1234:1::/64 via 2001:db8:4321:2::5 on ens3 [bgp1 12:06:50 from 2001:db8:4321:e0::42] * (100/0) [i]
router01:~$ ping6 -c3  2001:db8:1234:1:f816:3eff:fecd:6bf4
PING 2001:db8:1234:1:f816:3eff:fecd:6bf4(2001:db8:1234:1:f816:3eff:fecd:6bf4) 56 data bytes
64 bytes from 2001:db8:1234:1:f816:3eff:fecd:6bf4: icmp_seq=1 ttl=63 time=1.80 ms


Reference

http://blog.sina.com.cn/s/blog_4afa958f0101cm5z.html

http://www.docin.com/p-1014142107.html

http://blogs.rdoproject.org/7199/journey-of-ipv6-in-openstack

https://cloudbau.github.io/openstack/neutron/networking/2016/05/17/neutron-ipv6.html
