Versions Compared


Our openstack clouds are set up with addressing-resources allowing us to assign IPv6-prefixes to openstack-internal networks. The IPv6-addresses assigned will be globally unique, and also globally reachable. The following page guides you through the steps needed to get globally routed IPv6-addresses on your openstack network.

Using the web interface

As there are services within openstack which require IPv4 to work (cloud-init), it is a good idea to dual-stack when you need IPv6. The first step is thus to create a network with an IPv4 subnet.

Create a network with an IPv4 subnet

In horizon, navigate to "Network" → "Networks" and click the "Create Network" button.


Give the network a sensible name in the "Network" tab, and navigate to the "Subnet" tab to give the subnet a name and some IP-addresses.


After the network is created, it should be visible in the "Networks" list.


Create an IPv6 subnet

To add an IPv6 subnet you first need to open the networks page (picture above) and click on the name of the network where you want IPv6. Select the "Subnet" tab, and click the "create subnet" button.


Give the new subnet a sensible name. In "Network Address Source" you need to select "Allocate Network Address from a pool". After selecting that, you are able to select the "selfservice-ipv6" pool. In the "Subnet Details" tab you should make sure to select the "SLAAC: Address discovered from Openstack Routers" address configuration mode, as most of our images expect to be able to use SLAAC.


After creating the second subnet you should see both the IPv4 and IPv6 subnet at the Network page.



Connect the subnetworks to the rest of the world.

To actually use the recently created networks you need to connect them to the world. This can be achieved by creating a router. Navigate to "Network" → "Routers" and click the "Create Router" button.


Give the router a sensible name, select an External network, and click the "Create Router" button.


After the router is created, it is visible in horizon. Click the router's name to open its configuration-page.


Use the "Add Interface" button to connect the router to a subnet.


Make sure to connect the router to both the IPv4 and the IPv6 subnet.


When the status-screen shows both the interfaces as "Active" you are finished.


At that point it is possible for you to ping the router's IP within your subnet.


VMs in this subnet will now get an IPv6 address. If the security-group of the VM allows IPv6-access you should be able to reach it through IPv6.

Using the command line clients

Creating an IPv4 subnet, and give it external access

When creating a network in openstack using the CLI clients, it is common to do something like this:

Create network and IPv4 subnet (bash):
$ openstack network create DemoNet
$ openstack subnet create --subnet-range 192.168.1.0/24 --network DemoNet DemoNet-v4
$ openstack router create DemoRouter
$ openstack router set --external-gateway ntnu-internal DemoRouter
$ openstack router add subnet DemoRouter DemoNet-v4

The essence is that we create a network (DemoNet), and in this network we create a subnet (DemoNet-v4) for IPv4 addresses. This subnet is using local RFC 1918 addresses. We then create a router (DemoRouter), which we use to connect the subnet to the rest of the world through the external network (ntnu-internal in the commands above). To "hide" our local addresses, the router would run NAT.

Creating an IPv6 subnet

There is one important difference between the IPv4 and the IPv6 subnets: IPv4 uses local addresses, which allows you to select whichever addresses you like while still being able to route traffic externally using NAT. In IPv6 we use global addresses, which means that each virtual network in the cloud needs unique addresses. This allows the virtual machines to get global addresses directly, and it removes the need for NAT.

As the IPv6 addresses are globally unique you cannot assign them manually; instead you need to get them assigned to you by openstack. To see if your openstack platform has addresses for assignment, you can use the following command:

Show IPv6 subnet pool (bash):
$ openstack subnet pool list

Openstack allows you to create networks addressed with IPv6. SkyHiGh is configured with globally routable IPv6 prefixes, and this article explains how you can create a virtual network with globally routable IPv6 addresses.

Status (red): The IPv6 implementation in openstack Newton is a bit bugged. This might work, or it might not. Unfortunately.


Using the web interface

Unfortunately, this is currently only possible using the command line clients.

Using the command line clients

Creating an IPv4 subnet, and give it external access

When creating a network in openstack using the CLI clients, it is common to do something like this:

Create network and IPv4 subnet (bash):
$ openstack network create DemoNet
$ openstack subnet create --subnet-range 192.168.1.0/24 --network DemoNet DemoNet-v4
$ openstack router create DemoRouter
$ neutron router-gateway-set DemoRouter ext-net
$ openstack router add subnet DemoRouter DemoNet-v4

The essence is that we create a network (DemoNet), and to this network we create a subnet (DemoNet-v4) for IPv4 addresses. This subnet is using local RFC 1918 addresses. We then create a router (DemoRouter), which we use to connect the subnet to the rest of the world (ext-net). To "hide" our local addresses, the router would run NAT.

Creating an IPv6 subnet

There is one important difference between the IPv4 and the IPv6 subnets: IPv4 uses local addresses, which allows you to select whichever addresses you like while still being able to route traffic externally using NAT. In IPv6 we use global addresses, which means that each virtual network in the cloud needs unique addresses. This allows the virtual machines to get global addresses directly, and it removes the need for NAT.

To create an IPv6 subnet named "DemoNet-v6" attached to the network "DemoNet", you would use the following command:

Create an IPv6 subnet (bash):
$ openstack subnet create --ip-version 6 --ipv6-ra-mode slaac --ipv6-address-mode slaac --use-default-subnet-pool --network DemoNet DemoNet-v6
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| allocation_pools       | ::2-::ffff:ffff:ffff:ffff            |
| cidr                   | ::/64                                |
   ...
| name                   | DemoNet-v6                           |
| network_id             | b3f3d1c6-5e1c-49a0-8a3c-4f706745fac9 |
   ...
| subnetpool_id          | prefix_delegation                    |
| updated_at             | 2017-08-10T08:20:26Z                 |
| use_default_subnetpool | True                                 |
+------------------------+--------------------------------------+

Subnet pool listing (output of "openstack subnet pool list"):
+--------------------------------------+------------------+-------------------------+
| ID                                   | Name             | Prefixes                |
+--------------------------------------+------------------+-------------------------+
| 776f3d48-f65c-40fc-8eeb-115f2d060195 | selfservice-ipv6 | 2001:700:1d00:ea00::/55 |
+--------------------------------------+------------------+-------------------------+

At this point you have an IPv6 subnet which is addressed using a temporary IPv6 prefix as a placeholder until the subnet gets a proper IPv6 prefix assigned.

Connecting an IPv6 subnet to the world.

The IPv6 subnet is connected to the world using a router; the same way as IPv4 subnets. When an IPv6 network is connected to a router (which has an external gateway set), the router would request to get an IPv6 prefix to assign to the subnet.

WARNING: Due to an openstack bug, only one IPv6 subnet can be connected to each virtual router.

Add external routing to IPv6 subnet (bash):
$ openstack router add subnet DemoRouter DemoNet-v6

Verify the configuration

After connecting the IPv6 subnet to an external router, and giving the prefix-delegation some time (a minute or so) to do its work, you can verify that a globally unique prefix is delegated to your subnet:

To create an IPv6 subnet named "DemoNet-v6" attached to the network "DemoNet" with addresses from the subnet-pool "selfservice-ipv6", you would use the following command:

Create an IPv6 subnet (bash):
$ openstack subnet create --subnet-pool selfservice-ipv6 --ip-version 6 --ipv6-ra-mode slaac --ipv6-address-mode slaac --network DemoNet DemoNet-v6
+----------------------+-----------------------------------------------------------------------------------------------------+
| Field                | Value                                                                                               |
+----------------------+-----------------------------------------------------------------------------------------------------+
| allocation_pools     | 2001:700:1d00:ea07::2-2001:700:1d00:ea07:ffff:ffff:ffff:ffff                                        |
| cidr                 | 2001:700:1d00:ea07::/64                                                                             |
 ...
| gateway_ip           | 2001:700:1d00:ea07::1                                                                               |
 ...
| id                   | 97c4f25a-0765-4d55-918c-39b762500264                                                                |
| ip_version           | 6                                                                                                   |
| ipv6_address_mode    | slaac                                                                                               |

Verify the configuration (bash):
 eigilo@access:~$ openstack subnet show DemoNet-v6
+-------------------+--------------------------------------------------------------+
| Field             | Value                                                        |
+-------------------+--------------------------------------------------------------+
| allocation_pools  | 2001:700:1d00:e88a::2-2001:700:1d00:e88a:ffff:ffff:ffff:ffff |
| cidr              | 2001:700:1d00:e88a::/64                                      |
   ...
| gateway_ip        | 2001:700:1d00:e88a::1                                        |
| host_routes       |                                                              |
| id                | 7b242c30-40e2-4727-83d7-18e5bbe18a8a                         |
| ip_version        | 6                                                            |
| ipv6_address_mode | slaac                                                        |
| ipv6_ra_mode      | slaac                                                        |
| name              | DemoNet-v6                                                   |
   ...
+-------------------+--------------------------------------------------------------+

Configuring incoming access over IPv6

After an IPv6 subnet is created it is important to update the access groups if one wants to allow external access to the virtual machines over IPv6.

Allow incoming SSH

To allow any host at NTNU in Gjøvik to log in to your virtual machines over SSH you need to add the following rule to the security-group assigned to the VM (the example adds the rule to the group 'default'):

Allow incoming SSH (bash):
 $ openstack security group rule create --src-ip '2001:700:1d00::/48'  --dst-port 22 --ethertype IPv6 --protocol tcp default

It is important to emphasize that the IPv6 addresses are globally routable. This means that they are "directly" connected to the internet, so proper firewalling is important. You should therefore ONLY open what is needed through the security groups, and only to the addresses that need it. For example, SSH (TCP port 22) should only be opened for networks which need to log in to your VMs. Please see the section "IPv6 address prefixes" to see which prefixes the various entities are using. If you are missing some organisations here, please ask and we will try to figure out their address ranges.

IPv6 address prefixes

This section covers which IPv6 addresses certain organizations are using; to help you create proper IPv6 access group rules.

NTNU:

  • 2001:700:300::/46 - NTNU i Trondheim
  • 2001:700:b00::/48 - NTNU i Trondheim (Gamle HiST)
  • 2001:700:1d00::/48 - NTNU i Gjøvik
  • 2001:700:1200::/48 - NTNU i Ålesund

Norwegian ISPs:

This list covers some Norwegian ISPs. If you are missing one, let us know and we will add it.

  • Uninett:
    • 2001:700::/32
  • Altibox:
    • 2a00:14d8::/29
    • 2a00:ce60::/32
    • 2a00:dec0::/32
    • 2a00:fd00::/32
    • 2a01:798::/29
  • Eidsiva:
    • 2a02:a18::/32

  • Get:
    • 2a02:fe0::/29

  • Lynet:
    • 2a00:c440::/29
  • Netcom:
    • 2001:2020::/32
    • 2001:2021::/32
  • Nextgentel:
    • 2a03:96e0::/33
    • 2a04:980::/29
  • Powertech:
    • 2001:840::/29
    • 2a00:be40::/32
    • 2a00:be44::/32
  • Signal:
    • 2a00:e08::/32
    • 2a00:5d40::/32

  • Telenor:
    • 2001:4600::/24
    • 2a00:6e80::/32
    • 2a02:1400::/26
    • 2a02:2120::/30
    • 2a02:2580::/32
    • 2a02:2640::/32
    • 2a02:7720::/32
    • 2a02:f300::/29
    • 2a07:c40::/29
    • 2a0a:2180::/29

Other ISPs:

| ipv6_ra_mode         | slaac                                                                                               |
 ...
| name                 | DemoNet-v6                                                                                          |
| network_id           | 24722854-3af0-45f7-b562-d5c1174f51d6                                                                |
 ...
+----------------------+-----------------------------------------------------------------------------------------------------+

At this point you have an IPv6 subnet which is addressed using an assigned IPv6 prefix.

Connecting an IPv6 subnet to the world.

The IPv6 subnet is connected to the world using a router; the same way as IPv4 subnets. When an IPv6 network is connected to a router (which has an external gateway set), the router will make sure to announce the connected IPv6 subnet to the rest of the NTNU Network.

Add external routing to IPv6 subnet (bash):
$ openstack router add subnet DemoRouter DemoNet-v6

Verify the configuration

After connecting the IPv6 subnet to an external router the network should be globally reachable quite quickly. You can verify that the network is reachable by pinging the first address in the subnet:

Verify the configuration (bash):
$ ping 2001:700:1d00:ea07::1
PING 2001:700:1d00:ea07::1(2001:700:1d00:ea07::1) 56 data bytes
64 bytes from 2001:700:1d00:ea07::1: icmp_seq=1 ttl=60 time=19.9 ms

Configuring incoming access over IPv6

After an IPv6 subnet is created it is important to update the access groups if one wants to allow external access to the virtual machines over IPv6.

Allow incoming SSH

To allow any host at NTNU in Gjøvik to log in to your virtual machines over SSH you need to add the following rule to the security-group assigned to the VM (the example adds the rule to the group 'default'):

Allow incoming SSH (bash):
 $ openstack security group rule create --src-ip '2001:700:1d00::/48'  --dst-port 22 --ethertype IPv6 --protocol tcp default

It is important to emphasize that the IPv6 addresses are globally routable. This means that they are "directly" connected to the internet, so proper firewalling is important. You should therefore ONLY open what is needed through the security groups, and only to the addresses that need it. For example, SSH (TCP port 22) should only be opened for networks which need to log in to your VMs.

IPv6 address prefixes

NTNU uses the following IPv6 prefixes:

  • 2001:700:300::/46 - NTNU i Trondheim
  • 2001:700:b00::/48 - NTNU i Trondheim (Gamle HiST)
  • 2001:700:1d00::/48 - NTNU i Gjøvik
  • 2001:700:1200::/48 - NTNU i Ålesund

Nordunet:

  • 2001:948::/32
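
The advice above, to open IPv6 ingress only to the prefixes that need it, can be checked mechanically. The following is an added example, not part of the original page: it audits a constructed list of rules against the NTNU prefixes listed above, and the rule dictionary shape, the rule ids and the function name audit_ipv6_ingress are assumptions made for illustration.

```python
import ipaddress

# NTNU prefixes copied from the page's "IPv6 address prefixes" section.
TRUSTED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "2001:700:300::/46",   # NTNU i Trondheim
    "2001:700:b00::/48",   # NTNU i Trondheim (Gamle HiST)
    "2001:700:1d00::/48",  # NTNU i Gjøvik
    "2001:700:1200::/48",  # NTNU i Ålesund
)]

# Constructed sample rules in a hypothetical dict shape (not real CLI output).
# Assumption: "remote" set to None means the rule has no source restriction.
SAMPLE_RULES = [
    {"id": "rule-a", "ethertype": "IPv6", "port": 22, "remote": "2001:700:1d00::/48"},
    {"id": "rule-b", "ethertype": "IPv6", "port": 22, "remote": "::/0"},
    {"id": "rule-c", "ethertype": "IPv6", "port": 443, "remote": "2001:700::/32"},
    {"id": "rule-d", "ethertype": "IPv4", "port": 22, "remote": "0.0.0.0/0"},
    {"id": "rule-e", "ethertype": "IPv6", "port": 22, "remote": None},
]


def audit_ipv6_ingress(rules, trusted=TRUSTED_PREFIXES):
    """Return (rule id, reason) for each IPv6 rule that admits untrusted sources."""
    findings = []
    for rule in rules:
        if rule["ethertype"] != "IPv6":
            continue  # this check only covers the globally routed IPv6 side
        remote = rule.get("remote")
        if remote is None:
            findings.append((rule["id"], "no source prefix, open to any address"))
            continue
        try:
            net = ipaddress.ip_network(remote, strict=False)
        except ValueError:
            findings.append((rule["id"], f"unparseable source prefix {remote!r}"))
            continue
        # A rule passes only if its whole source range lies inside one trusted
        # prefix; a wider or unrelated range (::/0, a full ISP /32) is reported.
        if net.version != 6 or not any(net.subnet_of(t) for t in trusted):
            findings.append((rule["id"], f"{net} is not contained in a trusted prefix"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit_ipv6_ingress(SAMPLE_RULES):
        print(f"{rule_id}: {reason}")
```

To audit for a different set of allowed sources, pass another list of networks as the trusted argument.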