Posted to users@cloudstack.apache.org by Hean Seng <he...@gmail.com> on 2020/11/03 03:31:22 UTC

IPv6 Support

Hi

Does anyone have an idea of the best way of implementing IPv6 in CloudStack?

I saw the doc, and it mentioned creating another SharedGuestNetwork in
AdvanceZone and assigning an IPv6 /64 network there.

However, what I do not quite understand is that in AdvanceZone with NAT (public IP,
isolated VLAN), the network of the VM is its own LAN IP and isolated by
VLAN or VXLAN. How can we assign IPv6 over there? Or shall we create
another SharedGuestNetwork with another VLAN, and assign another
GuestNetwork manually to the VM? But then the VM has 2 networks. Is
that the way to do it?


-- 
Regards,
Hean Seng

Re: IPv6 Support

Posted by Gabriel Beims Bräscher <ga...@gmail.com>.
I might get a bit redundant here, but here follows my 2 cents on IPv6 +
CloudStack.

Andrija is right. IPv6 works on Zones with Advanced Network + Security
Groups + KVM.
The documentation [1] also raised support provided by XenServer, but to be
honest I have no experience with IPv6 + XenServer to comment about it.

To deploy IPv6 networks, you must deploy a Zone with advanced network +
security group, setting the IPv6 fields (DNS); if IPv6-enabled networks are
created but the Zone doesn't have IPv6 DNS1 or DNS2 configured, then *dnsmasq*
inside the Virtual Router does not start.

In such a network setup it is possible to deploy multiple shared guest
networks, isolated via VLAN/VXLAN. These networks can be configured with
only IPv4 addresses, or IPv4 + IPv6; in the second case the IPv4 address
could be either a private IP (e.g. 10.1.1.1) or a public IP; all VMs then
have a public IPv6 address.

CloudStack IPv6 + Security Group is implemented using Stateless address
autoconfiguration (*SLAAC*), which requires each network to have a /64
address block; nat/port forwarding is not necessary therefore.

Why using Security Group? This happens due to the fact that so far all IPv6
ACLs are handled by implementations on hypervisor (security group
implementation) instead of VRs/VPCs.

Eric Lee Green is right as well; I don't see anyone implementing IPv6 for
NAT. Implementing it on VR is possible but adds quite a lot of complexity,
it would be easier to have a mix of both worlds; e.g. NAT, VPCs for IPv4
networks, and Security Groups for IPv6 networks using SLAAC.

[1] http://docs.cloudstack.apache.org/en/latest/plugins/ipv6.html

On Wed, 11 Nov 2020 at 08:54, Eric Lee Green <
eric.lee.green@gmail.com> wrote:

> On 11/11/2020 2:01 AM, Hean Seng wrote:
> > IPv6 do not have NAT , each VM suppose to have indiviual Ipv6 Address.
>
> NAT66 does in fact exist, and the virtual routers used for VLANs could
> in fact be configured with RADV to provide an IETF RFC4193 SLAAC prefix
> to private VPC networks then use NAT66 to communicate with the rest of
> the IPv6 Internet via a SLAAC-configured IPv6 address on the virtual
> router's public interface. They are not currently so configured, but all
> the stuff to do it is already there in the base Debian distribution used
> for the virtual routers.
>
> Port forwarding would require changes to the virtual router to allow
> IPv6 port forwarding (as well as likely allowing a fixed IPv6 address
> for the virtual router rather than SLAAC).
>
> DHCPv6 to advertise IPv6 DNS servers would be the other part of that
> equation.
>
> Routing public subnets would require significant work, since the virtual
> routers would need to advertise routes upstream to whatever layer 3
> switch or router routes things to and from the Internet. In addition
> security would require disabling incoming IPv6 connections to the
> advertised subnet except to specific instances that have a hole poked in
> the firewall allowing incoming IPv6. It is unlikely that anybody is
> going to bother implementing this anytime soon, since NAT66 works fine
> for Cloudstack's purposes and is significantly easier to implement since
> it doesn't require upstream routers to accept route advertisements from
> virtual routers.
>
> >
> > For NAT zone,  is that any way to allocate IPv6 subnet ?
> >
> >
> >
> >
> >
> >
> >
> > On Tue, Nov 10, 2020 at 3:51 PM Andrija Panic <an...@gmail.com>
> > wrote:
> >
> >> If not mistaken, ipv6 is only supported for Shared Networks, and not for
> >> Isolated/VPC networks.
> >>
> >> On Tue, 3 Nov 2020 at 04:31, Hean Seng <he...@gmail.com> wrote:
> >>
> >>> Hi
> >>>
> >>> Is that anyone have a idea of best way implementing ipv6 in cloudstack
> ?
> >>>
> >>> I saw the doc, and mentioned create another SharedGuestNework in
> >>> AdvanceZone, and assigned ipv6 /64 network there.
> >>>
> >>> However, I not quite understand is in Advancezone with NAT (public ip,
> >>> isolated vlan), the network of  the VM is  their own LAN IP and
> isolated
> >> by
> >>> VLAN or VXLAN.   How can we assign Ipv6 over there?     Or shall we
> >> create
> >>> another SharedGuestNetwork with another VLAN , and assign another
> >>> GuestNetwork manually to the VM ?  But then, the VM become 2 network.
> Is
> >>> that the way to do ?
> >>>
> >>>
> >>> --
> >>> Regards,
> >>> Hean Seng
> >>>
> >>
> >> --
> >>
> >> Andrija Panić
> >>
> >
>
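
The /64 requirement for SLAAC mentioned in the message above, as an added Python example that is not part of the original thread or of CloudStack's code: it derives the address a VM autoconfigures from a /64 prefix and its MAC using the modified EUI-64 method (RFC 4291), so an address-based rule can be written before the VM boots. The function names, prefix and MAC values are constructed for illustration, and the sketch assumes the guest uses EUI-64 rather than privacy or stable-opaque interface identifiers.

```python
import ipaddress

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 unique local addresses


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier derived from the MAC."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    # The interface identifier fills exactly 64 bits, so only a /64 leaves
    # room for it; any other prefix length cannot be used with SLAAC here.
    if net.prefixlen != 64:
        raise ValueError(f"SLAAC needs a /64, got /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def is_ula(prefix: str) -> bool:
    """True if the prefix is an RFC 4193 unique local (non-routable) prefix."""
    return ipaddress.IPv6Network(prefix).subnet_of(ULA_RANGE)


if __name__ == "__main__":
    # Constructed sample values (documentation prefix, made-up MAC).
    guest_prefix = "2001:db8:100::/64"
    guest_mac = "06:7a:88:00:0b:2f"
    print(slaac_address(guest_prefix, guest_mac))
    print("ULA prefix:", is_ula(guest_prefix))
```
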

Re: IPv6 Support

Posted by Hean Seng <he...@gmail.com>.
Hi Gabriel.

For this case:

In such a network setup it is possible to deploy multiple shared guest
networks, isolated via VLAN/VXLAN. These networks can be configured with
only IPv4 addresses, or IPv4 + IPv6; in the second case the IPv4 address
could be either a private IP (e.g. 10.1.1.1) or a public IP; all VMs then
have a public IPv6 address.

For those that have IPv4 + IPv6, can I know how you configure it?


On Wed, Nov 11, 2020 at 10:26 PM Hean Seng <he...@gmail.com> wrote:

> For ipv6 implementation for Advancezone with NAT,  i guess shall be
> allocate a ipv6 /64 subnet to it  (the Virtual Router), and  VirtualRouter
> allocate IPv6 to  VM under it.
> So cloudstack shall allow add ipv6 /64 subnet to the zone , and when VM
> created , it will assign a /64 subnet to VR, and VR have DHCP6 to
> allocate IP to the VM.
>
> On Wed, Nov 11, 2020 at 7:54 PM Eric Lee Green <er...@gmail.com>
> wrote:
>
>> On 11/11/2020 2:01 AM, Hean Seng wrote:
>> > IPv6 do not have NAT , each VM suppose to have indiviual Ipv6 Address.
>>
>> NAT66 does in fact exist, and the virtual routers used for VLANs could
>> in fact be configured with RADV to provide an IETF RFC4193 SLAAC prefix
>> to private VPC networks then use NAT66 to communicate with the rest of
>> the IPv6 Internet via a SLAAC-configured IPv6 address on the virtual
>> router's public interface. They are not currently so configured, but all
>> the stuff to do it is already there in the base Debian distribution used
>> for the virtual routers.
>>
>> Port forwarding would require changes to the virtual router to allow
>> IPv6 port forwarding (as well as likely allowing a fixed IPv6 address
>> for the virtual router rather than SLAAC).
>>
>> DHCPv6 to advertise IPv6 DNS servers would be the other part of that
>> equation.
>>
>> Routing public subnets would require significant work, since the virtual
>> routers would need to advertise routes upstream to whatever layer 3
>> switch or router routes things to and from the Internet. In addition
>> security would require disabling incoming IPv6 connections to the
>> advertised subnet except to specific instances that have a hole poked in
>> the firewall allowing incoming IPv6. It is unlikely that anybody is
>> going to bother implementing this anytime soon, since NAT66 works fine
>> for Cloudstack's purposes and is significantly easier to implement since
>> it doesn't require upstream routers to accept route advertisements from
>> virtual routers.
>>
>> >
>> > For NAT zone,  is that any way to allocate IPv6 subnet ?
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> > On Tue, Nov 10, 2020 at 3:51 PM Andrija Panic <an...@gmail.com>
>> > wrote:
>> >
>> >> If not mistaken, ipv6 is only supported for Shared Networks, and not
>> for
>> >> Isolated/VPC networks.
>> >>
>> >> On Tue, 3 Nov 2020 at 04:31, Hean Seng <he...@gmail.com> wrote:
>> >>
>> >>> Hi
>> >>>
>> >>> Is that anyone have a idea of best way implementing ipv6 in
>> cloudstack ?
>> >>>
>> >>> I saw the doc, and mentioned create another SharedGuestNework in
>> >>> AdvanceZone, and assigned ipv6 /64 network there.
>> >>>
>> >>> However, I not quite understand is in Advancezone with NAT (public ip,
>> >>> isolated vlan), the network of  the VM is  their own LAN IP and
>> isolated
>> >> by
>> >>> VLAN or VXLAN.   How can we assign Ipv6 over there?     Or shall we
>> >> create
>> >>> another SharedGuestNetwork with another VLAN , and assign another
>> >>> GuestNetwork manually to the VM ?  But then, the VM become 2
>> network.  Is
>> >>> that the way to do ?
>> >>>
>> >>>
>> >>> --
>> >>> Regards,
>> >>> Hean Seng
>> >>>
>> >>
>> >> --
>> >>
>> >> Andrija Panić
>> >>
>> >
>>
>
>
> --
> Regards,
> Hean Seng
>


-- 
Regards,
Hean Seng

Re: IPv6 Support

Posted by Hean Seng <he...@gmail.com>.
For an IPv6 implementation for AdvanceZone with NAT, I guess it should
allocate an IPv6 /64 subnet to it (the Virtual Router), and the Virtual Router
allocates IPv6 to the VMs under it.
So CloudStack should allow adding an IPv6 /64 subnet to the zone, and when a VM
is created, it will assign a /64 subnet to the VR, and the VR has DHCP6 to
allocate an IP to the VM.

On Wed, Nov 11, 2020 at 7:54 PM Eric Lee Green <er...@gmail.com>
wrote:

> On 11/11/2020 2:01 AM, Hean Seng wrote:
> > IPv6 do not have NAT , each VM suppose to have indiviual Ipv6 Address.
>
> NAT66 does in fact exist, and the virtual routers used for VLANs could
> in fact be configured with RADV to provide an IETF RFC4193 SLAAC prefix
> to private VPC networks then use NAT66 to communicate with the rest of
> the IPv6 Internet via a SLAAC-configured IPv6 address on the virtual
> router's public interface. They are not currently so configured, but all
> the stuff to do it is already there in the base Debian distribution used
> for the virtual routers.
>
> Port forwarding would require changes to the virtual router to allow
> IPv6 port forwarding (as well as likely allowing a fixed IPv6 address
> for the virtual router rather than SLAAC).
>
> DHCPv6 to advertise IPv6 DNS servers would be the other part of that
> equation.
>
> Routing public subnets would require significant work, since the virtual
> routers would need to advertise routes upstream to whatever layer 3
> switch or router routes things to and from the Internet. In addition
> security would require disabling incoming IPv6 connections to the
> advertised subnet except to specific instances that have a hole poked in
> the firewall allowing incoming IPv6. It is unlikely that anybody is
> going to bother implementing this anytime soon, since NAT66 works fine
> for Cloudstack's purposes and is significantly easier to implement since
> it doesn't require upstream routers to accept route advertisements from
> virtual routers.
>
> >
> > For NAT zone,  is that any way to allocate IPv6 subnet ?
> >
> >
> >
> >
> >
> >
> >
> > On Tue, Nov 10, 2020 at 3:51 PM Andrija Panic <an...@gmail.com>
> > wrote:
> >
> >> If not mistaken, ipv6 is only supported for Shared Networks, and not for
> >> Isolated/VPC networks.
> >>
> >> On Tue, 3 Nov 2020 at 04:31, Hean Seng <he...@gmail.com> wrote:
> >>
> >>> Hi
> >>>
> >>> Is that anyone have a idea of best way implementing ipv6 in cloudstack
> ?
> >>>
> >>> I saw the doc, and mentioned create another SharedGuestNework in
> >>> AdvanceZone, and assigned ipv6 /64 network there.
> >>>
> >>> However, I not quite understand is in Advancezone with NAT (public ip,
> >>> isolated vlan), the network of  the VM is  their own LAN IP and
> isolated
> >> by
> >>> VLAN or VXLAN.   How can we assign Ipv6 over there?     Or shall we
> >> create
> >>> another SharedGuestNetwork with another VLAN , and assign another
> >>> GuestNetwork manually to the VM ?  But then, the VM become 2 network.
> Is
> >>> that the way to do ?
> >>>
> >>>
> >>> --
> >>> Regards,
> >>> Hean Seng
> >>>
> >>
> >> --
> >>
> >> Andrija Panić
> >>
> >
>


-- 
Regards,
Hean Seng

Re: IPv6 Support

Posted by Eric Lee Green <er...@gmail.com>.
On 11/11/2020 2:01 AM, Hean Seng wrote:
> IPv6 does not have NAT; each VM is supposed to have an individual IPv6 address.

NAT66 does in fact exist, and the virtual routers used for VLANs could 
in fact be configured with RADV to provide an IETF RFC4193 SLAAC prefix 
to private VPC networks then use NAT66 to communicate with the rest of 
the IPv6 Internet via a SLAAC-configured IPv6 address on the virtual 
router's public interface. They are not currently so configured, but all 
the stuff to do it is already there in the base Debian distribution used 
for the virtual routers.

Port forwarding would require changes to the virtual router to allow 
IPv6 port forwarding (as well as likely allowing a fixed IPv6 address 
for the virtual router rather than SLAAC).

DHCPv6 to advertise IPv6 DNS servers would be the other part of that 
equation.

Routing public subnets would require significant work, since the virtual 
routers would need to advertise routes upstream to whatever layer 3 
switch or router routes things to and from the Internet. In addition 
security would require disabling incoming IPv6 connections to the 
advertised subnet except to specific instances that have a hole poked in 
the firewall allowing incoming IPv6. It is unlikely that anybody is 
going to bother implementing this anytime soon, since NAT66 works fine 
for Cloudstack's purposes and is significantly easier to implement since 
it doesn't require upstream routers to accept route advertisements from 
virtual routers.

>
> For NAT zone,  is that any way to allocate IPv6 subnet ?
>
>
>
>
>
>
>
> On Tue, Nov 10, 2020 at 3:51 PM Andrija Panic <an...@gmail.com>
> wrote:
>
>> If not mistaken, ipv6 is only supported for Shared Networks, and not for
>> Isolated/VPC networks.
>>
>> On Tue, 3 Nov 2020 at 04:31, Hean Seng <he...@gmail.com> wrote:
>>
>>> Hi
>>>
>>> Is that anyone have a idea of best way implementing ipv6 in cloudstack ?
>>>
>>> I saw the doc, and mentioned create another SharedGuestNework in
>>> AdvanceZone, and assigned ipv6 /64 network there.
>>>
>>> However, I not quite understand is in Advancezone with NAT (public ip,
>>> isolated vlan), the network of  the VM is  their own LAN IP and isolated
>> by
>>> VLAN or VXLAN.   How can we assign Ipv6 over there?     Or shall we
>> create
>>> another SharedGuestNetwork with another VLAN , and assign another
>>> GuestNetwork manually to the VM ?  But then, the VM become 2 network.  Is
>>> that the way to do ?
>>>
>>>
>>> --
>>> Regards,
>>> Hean Seng
>>>
>>
>> --
>>
>> Andrija Panić
>>
>

Re: IPv6 Support

Posted by Hean Seng <he...@gmail.com>.
IPv6 does not have NAT; each VM is supposed to have an individual IPv6 address.

For a NAT zone, is there any way to allocate an IPv6 subnet?

On Tue, Nov 10, 2020 at 3:51 PM Andrija Panic <an...@gmail.com>
wrote:

> If not mistaken, ipv6 is only supported for Shared Networks, and not for
> Isolated/VPC networks.
>
> On Tue, 3 Nov 2020 at 04:31, Hean Seng <he...@gmail.com> wrote:
>
> > Hi
> >
> > Is that anyone have a idea of best way implementing ipv6 in cloudstack ?
> >
> > I saw the doc, and mentioned create another SharedGuestNework in
> > AdvanceZone, and assigned ipv6 /64 network there.
> >
> > However, I not quite understand is in Advancezone with NAT (public ip,
> > isolated vlan), the network of  the VM is  their own LAN IP and isolated
> by
> > VLAN or VXLAN.   How can we assign Ipv6 over there?     Or shall we
> create
> > another SharedGuestNetwork with another VLAN , and assign another
> > GuestNetwork manually to the VM ?  But then, the VM become 2 network.  Is
> > that the way to do ?
> >
> >
> > --
> > Regards,
> > Hean Seng
> >
>
>
> --
>
> Andrija Panić
>


-- 
Regards,
Hean Seng

Re: IPv6 Support

Posted by Andrija Panic <an...@gmail.com>.
If not mistaken, ipv6 is only supported for Shared Networks, and not for
Isolated/VPC networks.

On Tue, 3 Nov 2020 at 04:31, Hean Seng <he...@gmail.com> wrote:

> Hi
>
> Is that anyone have a idea of best way implementing ipv6 in cloudstack ?
>
> I saw the doc, and mentioned create another SharedGuestNework in
> AdvanceZone, and assigned ipv6 /64 network there.
>
> However, I not quite understand is in Advancezone with NAT (public ip,
> isolated vlan), the network of  the VM is  their own LAN IP and isolated by
> VLAN or VXLAN.   How can we assign Ipv6 over there?     Or shall we create
> another SharedGuestNetwork with another VLAN , and assign another
> GuestNetwork manually to the VM ?  But then, the VM become 2 network.  Is
> that the way to do ?
>
>
> --
> Regards,
> Hean Seng
>


-- 

Andrija Panić