Currently there is no IPv6 support in Basic Networking in CloudStack. It is all IPv4-only and with the depletion of IPv4 it's desirable that CloudStack supports IPv6 on all network types.
The goals for IPv6 in Basic Networking are:
This document only covers IPv6 connectivity for Instances. It does not cover:
The goal is Q1 2016 to have a working IPv6 implementation where Instances obtain a /128, but also get a subnet routed. A /56 for example.
The diagram below shows how this would work:
A few things are required for this to work:
When a Instance boots it sends out a Router Solicitation and it gets the information from both routers. This is done by the Network Stack of the Instance and is supported by all major Operating Systems.
Using SLAAC the Instances will obtain their IPv6 address. Linux properly uses the MAC Address to generate the IPv6 address. Only Windows has to be configured to not use the random identifier, but the MAC address.
netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
A route table on the Instance might look like this:
2001:db8:1::/64 dev eth0 proto kernel metric 256 expires 2591994sec
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::20c:dbff:fef9:cf00 dev eth0 proto ra metric 1024 expires 54sec hoplimit 64
default via fe80::212:f2ff:fe9c:3300 dev eth0 proto ra metric 1024 expires 46sec hoplimit 64
Here it has two default routes via both routers. These routes were obtained by the Router Advertisements.
The Instance now has a single /128 address, but we also want to route a subnet to the Instance.
CloudStack can calculate which address an Instance will obtain. This is described in RFC4862.
With IPv4 a client is identified by it's MAC address. With IPv6 the client generates a DUID which is used for identification. Since the client generates this DUID we can not trust it.
On the hypervisor we will run a tagger which inspects outgoing DHCPv6 requests and adds the MAC address of the Instance as option 37 to the DHCPv6 request.
The DHCPv6 server will identify the client based on this option added to the packet.
RFC6939: https://tools.ietf.org/html/rfc6939
This tagger is a small daemon which knows which MAC belongs to which Instance and tag the DHCPv6 packages based on that.
The recommendation is to use ISC Kea as a DHCPv6 server.
This is ONLY for Prefix Delegation purposes. The IPv6 Address for an Instance is generated by the Instance using SLAAC.
In Basic or Direct Attached networking this DHCPv6 server has to run somewhere. It doesn't have to be in the same Layer 2 LAN, as long as the DHCPv6 requests can reach it somewhere.
This could be in a SSVM, but that is not mandatory.
In VPC/Isolated Networks the Kea DHCPv6 server can run inside the SSVM.
IPv6 also need security grouping. It is similar to IPv4:
Afterwards the security groups need additional rules, we have to allow:
ICMP is a essential part of IPv6. Blocking ICMP will break IPv6.
RFC4890 describes the general recommendations for IPv6 firewalling
Using DHCPv6 the client can request one or multiple Prefixes using Prefix Delegation. The client will be identified based on option 37 by a 'tagger' as described above.
An example dhcp6c.conf:
interface eth0 {
send ia-pd 1;
send ia-na 0;
request domain-name-servers;
request domain-name;
};
This DHCPv6 request is picked up by the routers and relayed to the DHCPv6 server.
This DHCPv6 server then replies with a /56 (configured by us) out of the /40 routed to the routers (also configured in CloudStack).
The routers see this reply come back and add a route (pseudo) to their routing table:
$ ipv6 route add 2001:db8:201:fa42:/56 fe80::5054:8fff:fe9f:af61
The reply is now relayed back to the Instance.
In CloudStack we pre-configured a few things:
RFC6355: https://tools.ietf.org/html/rfc6355
When an Instance is deployed we pick a new /60 from the /40 and record that in the database of the DHCPv6 server.
We also allow this /60 in the Security Group of the Instance (ip6tables on the hypervisor).
We should note that multiple prefixes per Instances should be allowed. DHCPv6 supports this.