OpenStack allows you to create networks addressed with IPv6. SkyHiGh is configured with globally routable IPv6 prefixes, and this article explains how you can create a virtual network with globally routable IPv6 addresses.
Using the web interface
Unfortunately, this is currently only possible using the command line clients.
Using the command line clients
Creating an IPv4 subnet and giving it external access
When creating a network in OpenStack using the CLI clients, it is common to do something like this:
$ openstack network create DemoNet
$ openstack subnet create --subnet-range 192.168.1.0/24 --network DemoNet DemoNet-v4
$ openstack router create DemoRouter
$ neutron router-gateway-set DemoRouter ext-net
$ openstack router add subnet DemoRouter DemoNet-v4
The essence is that we create a network (DemoNet), and on this network we create a subnet (DemoNet-v4) for IPv4 addresses. This subnet uses local RFC 1918 addresses. We then create a router (DemoRouter), which we use to connect the subnet to the rest of the world (ext-net). To "hide" our local addresses, the router runs NAT.
Creating an IPv6 subnet
There is one important difference between the IPv4 and the IPv6 subnets: IPv4 uses local addresses, which allows you to select whichever addresses you like while still being able to route traffic externally using NAT. In IPv6 we use global addresses, which means that each virtual network in the cloud needs unique addresses. This allows the virtual machines to get global addresses directly, and it removes the need for NAT.
To create an IPv6 subnet named "DemoNet-v6" attached to the network "DemoNet", you would use the following command:
$ openstack subnet create --ip-version 6 --ipv6-ra-mode slaac --ipv6-address-mode slaac --use-default-subnet-pool --network DemoNet DemoNet-v6
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| allocation_pools       | ::2-::ffff:ffff:ffff:ffff            |
| cidr                   | ::/64                                |
...
| name                   | DemoNet-v6                           |
| network_id             | b3f3d1c6-5e1c-49a0-8a3c-4f706745fac9 |
...
| subnetpool_id          | prefix_delegation                    |
| updated_at             | 2017-08-10T08:20:26Z                 |
| use_default_subnetpool | True                                 |
+------------------------+--------------------------------------+
At this point you have an IPv6 subnet which is addressed using a temporary IPv6 prefix as a placeholder until the subnet gets a proper IPv6 prefix assigned.
Connecting an IPv6 subnet to the world
The IPv6 subnet is connected to the world using a router, the same way as IPv4 subnets. When an IPv6 subnet is connected to a router that has an external gateway set, the router requests an IPv6 prefix to assign to the subnet.
WARNING: DUE TO AN OPENSTACK BUG, ONLY ONE IPV6 SUBNET CAN BE CONNECTED TO EACH VIRTUAL ROUTER.
$ openstack router add subnet DemoRouter DemoNet-v6
Verify the configuration
After connecting the IPv6 subnet to an external router, and giving the prefix delegation some time (a minute or so) to do its work, you can verify that a globally unique prefix has been delegated to your subnet:
eigilo@access:~$ openstack subnet show DemoNet-v6
+-------------------+--------------------------------------------------------------+
| Field             | Value                                                        |
+-------------------+--------------------------------------------------------------+
| allocation_pools  | 2001:700:1d00:e88a::2-2001:700:1d00:e88a:ffff:ffff:ffff:ffff |
| cidr              | 2001:700:1d00:e88a::/64                                      |
...
| gateway_ip        | 2001:700:1d00:e88a::1                                        |
| host_routes       |                                                              |
| id                | 7b242c30-40e2-4727-83d7-18e5bbe18a8a                         |
| ip_version        | 6                                                            |
| ipv6_address_mode | slaac                                                        |
| ipv6_ra_mode      | slaac                                                        |
| name              | DemoNet-v6                                                   |
...
+-------------------+--------------------------------------------------------------+
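The verification step above as a script, added here as an example and not part of the SkyHiGh documentation: it tells the `::/64` placeholder apart from a delegated prefix and, going beyond the single prefix shown above, accepts any prefix in 2000::/3 as global. The helper names `classify_cidr` and `wait_for_prefix`, the 10-second poll interval and the `fd00:1234::/64` sample are assumptions made for the example.

```shell
#!/bin/sh
# Added example. classify_cidr and wait_for_prefix are hypothetical helper names.

# Print one of: placeholder | global | non-global | invalid
classify_cidr() (
    cidr=$1
    case $cidr in
        */*) addr=${cidr%/*} ;;          # strip the prefix length
        *)   echo invalid; exit 0 ;;
    esac
    case $addr in
        # Temporary prefix shown until prefix delegation has completed
        ::) echo placeholder ;;
        # 2000::/3: the first group must be a full four hex digits starting
        # with 2 or 3 (an abbreviated "2::" is 0002:: and is not global unicast)
        [23][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]:*) echo global ;;
        *:*) echo non-global ;;          # e.g. fd00::/8 or fe80::/10
        *)   echo invalid ;;
    esac
)

# Poll a subnet until its placeholder prefix has been replaced.
# Exit status: 0 = global prefix, 1 = non-global or timed out, 2 = CLI error.
wait_for_prefix() (
    subnet=$1
    tries=${2:-12}                       # 12 polls x 10 s (assumed interval)
    while [ "$tries" -gt 0 ]; do
        cidr=$(openstack subnet show "$subnet" -f value -c cidr) || exit 2
        state=$(classify_cidr "$cidr")
        if [ "$state" != placeholder ]; then
            echo "$cidr $state"
            [ "$state" = global ] && exit 0
            exit 1
        fi
        tries=$((tries - 1))
        sleep 10
    done
    echo "no prefix delegated to $subnet yet" >&2
    exit 1
)

# Offline demo: the first two values appear on this page, the third is constructed.
for sample in '::/64' '2001:700:1d00:e88a::/64' 'fd00:1234::/64'; do
    printf '%-26s %s\n' "$sample" "$(classify_cidr "$sample")"
done
```

Against a live project, `wait_for_prefix DemoNet-v6` prints the delegated prefix once it is assigned; from that point the virtual machines are addressed directly with no NAT in front of them, so only the security-group rules stand between them and incoming traffic.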
Configuring incoming access over IPv6
After an IPv6 subnet is created, it is important to update the security groups if you want to allow external access to the virtual machines over IPv6.
Allow incoming SSH
To allow any host at NTNU in Gjøvik to log in to your virtual machines over SSH you would need to add the following rule to the security-group assigned to the VM: