Bug Reference

CLOUDSTACK-9853 - Getting issue details... STATUS

Introduction

Since version 4.10 there is support for IPv6 in Basic Networking, but this is limited to a single address (/128) per Instance.

The feature is that using DHCPv6 Prefix Delegation the Instances can get a subnet, for example a /60 routed to them.

A routed IPv6 subnet allows for multiple features inside Instances, not limited to, but for example:

  • (Docker) containers with native IPv6 inside a Instance
  • VPN tunnels with native IPv6

Instances will still obtain a IPv6 Address (/128) using SLAAC, this could for example be 2001:db8:100:0:9804:6f0a:990a:a798

In addition they can have a subnet of IPv6 Addresses routed to them for their applications.

Goals

The goals for IPv6 Prefix Delegation are in Basic Networking are:

  • Management server understanding address pools and handing out subnets
  • Virtual Router supporting handing out IPv6 Prefixes to Instances

Since the Virtual Router in Basic Networking does not function as a gateway it is up to the network administrator to configure (static) routes for the subnets towards the Instances.

For example: 2001:db8:200:1::/60 -> 2001:db8:100:0:9804:6f0a:990a:a798

Scope

This document only covers IPv6 Prefix Delegation where Instances are able to obtain a subnet using DHCPv6 PD.

Feature Specification

In addition to having a single IPv6 address Instances will be able to have a IPv6 subnet routed to them.

The management server will need to understand a IPv6 Address Pool from where it can assign subnets to Instances when requested.

Per POD a subnet needs to be configured from which subnets will be assigned. This will usually be a /40 of /48 subnet. When adding the subnet a size has to be configured for delegations.

This will usually be a /56 or a /60 subnet.

The Management Server needs to understand the concept of a subnet pool and in addition also be able to record which subnet belongs to which Instance.

Virtual Router

The Virtual Router will need to be able to hand out the delegated prefixes.

The DHCP Server in the VR will need to be updated to a DHCPv6 server which is capable of Prefix Delegation, which dnsmasq is not (and no support planned).

ISC Kea is a DHCPv6 server which would be capable of this.

Security Groups

The delegated subnet needs to be added to the Secondary IPs of the Instance so that the Anti-Spoof (source address filtering) rules allow packets for this subnet to go in to the instance and out of it.

Instance StartUp

During start of the Instance the Virtual Router needs to be configured to delegate the prefix using DHCPv6 and the subnet also needs to be passed to the Hypervisor in the Secondary IPs so that the Security Groups allow the traffic to flow.