Welcome

CaseStudy–IPv6ChallengesforCloudServiceProviders

ManuelSchweizerCEO

Agenda

1.  Ini;alSitua;on

2.  Ge?ngStarted

3.  StatusQuo

4.  Lookout

5.  Ques;ons

Agenda

1.   Ini;alSitua;on

2.  Ge?ngStarted

3.  StatusQuo

4.  Lookout

5.  Ques;ons

BackgroundInforma;on

•  Founded2014•  SwissIaaSProvider•  LinuxCloudServers(VMs)•  FocusonSimplicity

„ForDevelopersWhoCare“

SaaS

PaaS

IaaS

Lineup

•  Ubuntu14.04LTS•  OpenStackKilo•  BrocadeVDX•  NoIPv6

Agenda

1.  Ini;alSitua;on

2.   GeEngStarted

3.  StatusQuo

4.  Lookout

5.  Ques;ons

Goals

•  „Doitright“•  EaseofOpera;on•  ScalableDesign&Implementa;on•  SupportDifferentOpera;ngSystems•  ReleasebyMidJune

Brainstorming

•  AddressAlloca;on– 1IPv6addressperVM– /64percustomer– /64pervirtualserver

•  AddressModes– Sta;c– SLAAC– DHCPv6

Brainstorming

•  AddressAlloca;on– 1IPv6addressperVM– /64percustomer– /64pervirtualserver

•  AddressModes– Sta;c– SLAAC– DHCPv6

FirstAbempt

•  /64perVM•  DHCPv6

Let‘sseewherethatgotus...

PrefixAlloca;on

ProblemOpenStackallocatesrandomIPv6addressSolu;onAssigna/64perVMinOpenStack

Scalability

ProblemNo.ofunicastrouteson(our)L3ToRswitchesSolu;onCreatea/48thatcontainsallthose/64s

Source:brocade.com

DefaultGateway

ProblemNorou;nginforma;oninDHCPv6(yet)DHCPv6Drah:hbps://tools.iei.org/html/drah-droms-dhc-dhcpv6-default-router-00BestPrac;ce:hbps://tools.iei.org/html/rfc4861(NDforIPv6)

Solu;onRouteradver;sements(RA)onL3ToRswitches

RouterAdver;sement(RA)

Problem/48prefixinforma;onwith„A“flagsetSolu;onAdver;sewithno-autoconfig=>„A“flagnotset

Source:insinuator.net

TACCase

ipv6 nd prefix 2a06:c01:abcd::/48 infinite infinite no-autoconfig

Process2016-04-05:Caseopened2016-04-06:Escala;on2016-04-07:Confirma;on2016-04-12:Workaround(donotshut/noshut!)2016-04-18:CCEpatchrequired2016-06-07:CCEpatchavailable

SLAAC

ProblemVMiss;lldoingSLAACSolu;onSendRAwith„M“flagset1-bit "Managed address configuration" flag. When set, it indicates that addresses are available via Dynamic Host Configuration Protocol [DHCPv6]. If the M flag is set, the O flag is redundant and can be ignored because DHCPv6 will return all available configuration information.

Source:RFC4861

DNSResolvers

ProblemVMignoresDNSresolversreceivedbyDHCPv6Solu;onSendRAwith„O“flagset1-bit "Other configuration" flag. When set, it indicates that other configuration information is available via DHCPv6. Examples of such information are DNS-related information or information on other servers within the network.

Source:RFC4861

High-Availability

ProblemVMreceivesRAwithrouterlink-localaddressSolu;onSetupHSRP/CARP/VRRP(whynotfe80::1?)anddisablerouterlink-localadver;sement

TACCase(2)

ipv6 vrrp-suppress-interface-ra

Process2016-06-08:Reported2016-06-09:Caseopened2016-06-12:Escala;on2016-06-13:Confirma;on2016-06-13:Workaround(ra-interval/ra-life;me)2016-06-15:CCEpatchrequired

Scalability

Problem~250IPv6addressesperDHCPagentperportSolu;onBacktotheroots:One/64perL2domain+Prefixrou;ngupto/48perVM

Security/Stability

ProblemIssueswithOpenStackandIPv6Solu;onUpgradeOpenStackfromKilotoLiberty

Opera;ngSystems

ProblemLackofpropersupportforDHCPdual-stackSolu;onUbuntu16.04LTS&Debian8auto eth0 iface eth0 inet dhcp iface eth0 inet6 dhcp # A timing issue prevents the DHCP client from binding to the interface # before DAD has completed. # See: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1447715 # Workaround: Wait 2 seconds for DAD to complete. pre-up sleep 2

Opera;ngSystems(2)

Solu;onUbuntu14.04auto eth0 iface eth0 inet dhcp iface eth0 inet6 dhcp # The DHCP agent automatically takes down the link after releasing the # IPv4 address. To avoid hanging for a long time, take the link back up # again to allow the IPv6 address to be released immediately. # See: https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1013597 pre-down ip link set dev eth0 up # We need to explicitly accept router advertisements because this gets # disabled by ifupdown. accept_ra 1

Source:bugs.launchpad.net

Opera;ngSystems(3)

Solu;onGoodNewsManymodernOSworkoutofthebox!

CentOS7&Fedora23(base)DEVICE="eth0" BOOTPROTO="dhcp" ONBOOT="yes" TYPE="Ethernet" USERCTL="yes" PEERDNS="yes" IPV6INIT="yes" DHCPV6C="yes" PERSISTENT_DHCLIENT="1"

Agenda

1.  Ini;alSitua;on

2.  Ge?ngStarted

3.   StatusQuo

4.  Lookout

5.  Ques;ons

StatusQuo

•  GAofIPv6atcloudscale.ch– Released2016-06-15– OneIPv6addressperVM– Upto/48routedtothisIPv6address

Demo

LaunchofaVMwithIPv6atcloudscale.ch

Demo

GoalsReached?

•  „Doitright“– /64onlink– Routedupto/48

•  EaseofOpera;on•  ScalableDesign&Implementa;on•  SupportDifferentOpera;ngSystems•  ReleasebyMidJune

✔

✔✔✔

✔

Agenda

1.  Ini;alSitua;on

2.  Ge?ngStarted

3.  StatusQuo

4.   Lookout

5.  Ques;ons

Lookout

•  ReverseDNS•  Automateroutedprefixes•  Inves;gateDHCPv6-PD– DHCPv6RelayAgentPrefixDelega;onNo;fica;on

•  OurInfrastructure•  Security

Agenda

1.  Ini;alSitua;on

2.  Ge?ngStarted

3.  StatusQuo

4.  Lookout

5.   Ques;ons

Ques;ons

Thankyou!

Iamlookingforwardtoyourfeedback:manuel.schweizer@cloudscale.ch

ThankstoallourSponsors