cloudstack-users mailing list archives

From Gabriel Beims Bräscher <gabrasc...@gmail.com>
Subject Re: IPv6 Support
Date Wed, 11 Nov 2020 14:19:59 GMT
I might get a bit redundant here, but here follows my 2 cents on IPv6 +
CloudStack.

Andrija is right. IPv6 works on Zones with Advanced Network + Security
Groups + KVM.
The documentation [1] also raised support provided by XenServer, but to be
honest I have no experience with IPv6 + XenServer to comment about it.

To deploy IPv6 networks, you must deploy a Zone with advanced network +
security group, setting the IPv6 fields (DNS); if IPv6-enabled networks are
created but the Zone doesn't have IPv6 DNS1 or DNS2 configured, then *dnsmasq*
inside the Virtual Router does not start.

In such a network setup it is possible to deploy multiple shared guest
networks, isolated via VLAN/VXLAN. These networks can be configured with
only IPv4 addresses, or IPv4 + IPv6; in the second case the IPv4 address
could be either a private IP (e.g. 10.1.1.1) or a public IP; all VMs then
have a public IPv6 address.

CloudStack IPv6 + Security Group is implemented using Stateless address
autoconfiguration (*SLAAC*), which requires each network to have a /64
address block; NAT/port forwarding is therefore not necessary.

Why use Security Groups? Because so far all IPv6 ACLs are handled by
implementations on the hypervisor (security group implementation) instead
of VRs/VPCs.

Eric Lee Green is right as well; I don't see anyone implementing IPv6 for
NAT. Implementing it on the VR is possible but adds quite a lot of complexity;
it would be easier to have a mix of both worlds, e.g. NAT, VPCs for IPv4
networks, and Security Groups for IPv6 networks using SLAAC.

[1] http://docs.cloudstack.apache.org/en/latest/plugins/ipv6.html

On Wed, Nov 11, 2020 at 08:54, Eric Lee Green <eric.lee.green@gmail.com> wrote:

> On 11/11/2020 2:01 AM, Hean Seng wrote:
> > IPv6 does not have NAT; each VM is supposed to have an individual IPv6 address.
>
> NAT66 does in fact exist, and the virtual routers used for VLANs could
> in fact be configured with RADV to provide an IETF RFC4193 SLAAC prefix
> to private VPC networks then use NAT66 to communicate with the rest of
> the IPv6 Internet via a SLAAC-configured IPv6 address on the virtual
> router's public interface. They are not currently so configured, but all
> the stuff to do it is already there in the base Debian distribution used
> for the virtual routers.
>
> Port forwarding would require changes to the virtual router to allow
> IPv6 port forwarding (as well as likely allowing a fixed IPv6 address
> for the virtual router rather than SLAAC).
>
> DHCPv6 to advertise IPv6 DNS servers would be the other part of that
> equation.
>
> Routing public subnets would require significant work, since the virtual
> routers would need to advertise routes upstream to whatever layer 3
> switch or router routes things to and from the Internet. In addition
> security would require disabling incoming IPv6 connections to the
> advertised subnet except to specific instances that have a hole poked in
> the firewall allowing incoming IPv6. It is unlikely that anybody is
> going to bother implementing this anytime soon, since NAT66 works fine
> for Cloudstack's purposes and is significantly easier to implement since
> it doesn't require upstream routers to accept route advertisements from
> virtual routers.
>
> >
> > For a NAT zone, is there any way to allocate an IPv6 subnet?
> >
> > On Tue, Nov 10, 2020 at 3:51 PM Andrija Panic <andrija.panic@gmail.com>
> > wrote:
> >
> >> If not mistaken, ipv6 is only supported for Shared Networks, and not for
> >> Isolated/VPC networks.
> >>
> >> On Tue, 3 Nov 2020 at 04:31, Hean Seng <heanseng@gmail.com> wrote:
> >>
> >>> Hi
> >>>
> >>> Does anyone have an idea of the best way of implementing IPv6 in CloudStack?
> >>>
> >>> I saw the doc, which mentions creating another SharedGuestNetwork in an
> >>> AdvanceZone and assigning an IPv6 /64 network there.
> >>>
> >>> However, what I do not quite understand is that in an AdvanceZone with NAT
> >>> (public IP, isolated VLAN), the network of the VM is its own LAN IP,
> >>> isolated by VLAN or VXLAN. How can we assign IPv6 there? Or shall we create
> >>> another SharedGuestNetwork with another VLAN, and assign another
> >>> GuestNetwork manually to the VM? But then the VM ends up with 2 networks.
> >>> Is that the way to do it?
> >>>
> >>>
> >>> --
> >>> Regards,
> >>> Hean Seng
> >>>
> >>
> >> --
> >>
> >> Andrija Panić
> >>
> >
>
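
An added example, not part of the thread and not CloudStack's own code: the reply above says IPv6 guests get their address by SLAAC from a /64 and are filtered by hypervisor-side security groups, so this sketch derives the addresses a given NIC would use and checks an observed source against them. It assumes the guest forms a modified EUI-64 interface identifier (guests using privacy or stable-privacy addresses will differ); the prefix, MACs and function names are constructed for illustration.

```python
import ipaddress

def _eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291) for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global address a NIC forms from the advertised prefix (assumes EUI-64)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        # SLAAC only has 64 bits left for the interface identifier.
        raise ValueError(f"SLAAC needs a /64 prefix, got /{net.prefixlen}")
    return net[_eui64_iid(mac)]

def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Link-local address of the same NIC (fe80::/64 plus the same identifier)."""
    return ipaddress.IPv6Network("fe80::/64")[_eui64_iid(mac)]

def is_expected_source(prefix: str, mac: str, observed: str) -> bool:
    """True if 'observed' is one of the addresses this NIC should be sending from."""
    addr = ipaddress.IPv6Address(observed)
    return addr in (slaac_address(prefix, mac), link_local_address(mac))

if __name__ == "__main__":
    # Constructed sample values: documentation prefix and made-up MACs.
    prefix = "2001:db8:100:200::/64"
    for mac in ("1e:00:5a:00:01:2c", "52:54:00:12:34:56"):
        print(mac, slaac_address(prefix, mac), link_local_address(mac))
    # A source that belongs to another NIC in the same shared network.
    print(is_expected_source(prefix, "1e:00:5a:00:01:2c",
                             "2001:db8:100:200:5054:ff:fe12:3456"))
```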
