.. contents:: Table of Contents

================================================================================
IPv6 DC-Internet L3 North-South connectivity using L3VPN provider network types.
================================================================================

https://git.opendaylight.org/gerrit/#/q/topic:ipv6-l3vpn-internet
In this specification we discuss the high-level design of IPv6 datacenter-to-Internet
north-south connectivity in OpenDaylight, using the L3VPN provider network type use case.
Providing IPv6 external connectivity to virtual machines located in a data center
can be achieved through the use of Globally Unique Addresses (GUA) and BGP VPN concepts.
Even though an IPv6 VPN interconnects hosts without the help of any NAT mechanism,
routing to the external network (the Internet) should be easy to configure.

Keep in mind that the key aspects of configuring IPv6 external connectivity should rely on
OpenStack and VPN concepts.
There are already solutions providing north-south communication for IPv6, as depicted in [6].
This document relies on L3VPN concepts to provide the same behaviour.

The document explores how a VPN could be configured so as to provide IPv6 external
connectivity. The document explores a solution for only IPv6 Globally Unique
Some caution needs to be taken with the chosen solution.
As this is a private VPN, it should be possible to use one VPN for both
usages, that is to say inter-DC and IPv6 external connectivity.
Some security concerns must also be taken care of: because the VPN interacts with
external equipment, internal prefixes that are not authorised to access the Internet
should not be made visible to the DC-GW.

The following schema shows what happens to the flows in the datacenter.
For instance, the same MPLSoGRE tunnel can be used for both inter-DC and
IPv6 external connectivity.
[Figure: a Host on the Internet reaches VM1 (Subnet A::2) on OVS A and VM2/VM3
(Subnet B::2) on OVS B through the DCGW. The DCGW BGP table holds Prefix Subnet A::2,
Label L2, Next Hop OVS A. Figure annotations: "IP dst not in advertised list" and
"VPN configuration explained in use case chapter".]
Let's say an operator can configure data center gateways with a VPN dedicated to
Internet connectivity.

Based on this configuration, if a virtual machine is spawned within a data center
subnet, it should be possible for that IPv6 GUA subnet to be imported into that VPN.
As a consequence of this relationship, a BGP UPDATE message containing the MP-BGP attributes
required for reaching the VM from outside the datacenter is sent to the DC-GW.
In the same manner, adding an extra route or declaring subnetworks triggers the same behaviour.
There are several techniques for tenant VMs to access the Internet through the use of VPNs.
Those methods are described in [8], section 11.
A note in [7] also describes the different techniques that could be applied to
the DC-GW case. Note that not all solutions are compliant with the RFC.
One of the solutions from [7] is discussed in the sub-chapter 'Proposal based on VPN
semantics'. It is demonstrated that [7] is not correct.
Another solution, described in [9] on slides 41 and 42, approaches the problem
differently. It relies on OpenStack Neutron concepts. It proposes that IPv6 local entries
be exported to an external network whenever that network is attached to a
Neutron router and that external network is associated with an Internet VPN.
This solution is described in the sub-chapter 'Proposal based on External Network'.

The solution described in [9] is the chosen one.
The following chapters describe how to implement [9], slides 41 and 42.
Proposal based on External Network
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Neutron configuration perspective
*********************************
Configuring an external network and associating an Internet VPN with that external network is
the solution this specification promotes for IPv6 GUA.

The following scheme can help. It shows a logical overview of what needs to be configured from the OpenStack point of view.
As you can see, the router is the object that establishes the relationship between the internal and the external world.
On the internal side, you can configure a subnetwork with the router directly.
You can also associate an external BGPVPN with a second private network (here subnet B), for inter-DC purposes.
You can even associate a router (here router 2) with an external BGPVPN 2, for inter-DC purposes.

The drawing also illustrates the dual stack example, because the router we are working on may be dual stack, that
is to say it may host both IPv4 and IPv6 subnetworks.

Another use case (config 4) involves a two-router solution, with one IPv4 router and one IPv6 router.
The customer can choose to tear down access to the external network for IPv4 ONLY (or) for IPv6 ONLY subnets of such a
dual stack VM, by doing a router-gateway-clear on the respective router. This provides good flexibility.

In all cases, to reach external connectivity, you need to configure an external network, using one of the two
The following order will be used to support external network connectivity:

- config 1: IPv6 network connectivity using BGP VPN in a single router solution

- config 2: IPv6 network connectivity using BGP VPN in a dual stack router solution

- config 4: IPv6 network connectivity using BGP VPN in a two router solution
[Figure, config 1: a VM on Subnet A (v6) of Network N is attached to Router 1 (router-id-1),
whose gateway is Network External 1.]

[Figure, second diagram (config 2 of the list above): a VM on Subnet C (v6) and Subnet F (v4) of
Network L is attached to Router 2 (external-vpn-1), whose gateway is a Network External carrying
Subnet E (IPv4) and associated with internet-vpn-2, which reaches the DC-GW.]

[Figure, config 3: a VM on Subnet N (v6) and Subnet O (v4) of Network M is attached to
Router 3 (IPv6, router-id-3) and Router 4 (IPv4); both routers use a Network External carrying
Subnet P (IPv4) and associated with internet-vpn-3, which reaches the DC-GW.]
Discussion of the various setups solutions
******************************************
In all cases, the following happens:

- All subnetworks from the external network will be imported into the VPN, as before.
  In our case, as we have an IPv4 provider network, the IPv4 public IP address will be imported.

- Second, all IPv6 subnets attached to the router that uses that external network will be imported into that Internet VPN.
  Note that in the case of a dual stack router, IPv4 subnets are not concerned, since those IPv4 subnets are private.

- Note that it is not necessary to configure a default gateway IP, because all traffic is encapsulated into the MPLSoGRE tunnel.

To summarise, the proposal impacts only IPv6 private subnets, even in dual stack routers and the two router solution.
There are no changes for IPv4 subnets and floating IPs (related to IPv4).
The implementation should work independently of the orchestration choices used.

For the solution involving a single stack IPv6 router, the admin must create an external IPv4 network.
This is the necessary condition to have IPv6 encapsulated in the MPLSoGRE IPv4 tunnel.

For the two router solution, work is in progress in [10]. Testing of that solution will only be
possible once [10] is available.
Discussion on internet VPN impact with IPv4
*******************************************
The Internet VPN proposal still assumes that the user wants to deploy IPv6 GUA.
Whenever a subnetwork, IPv4 or IPv6, wants to reach the outside, it uses an OpenStack Neutron
router. With IPv6, it only needs an external network to be configured. If IPv4 is also needed,
a Neutron sub-network must be configured as well. Because this method is used, no default gateway is
needed, since the VPN handles the forwarding to the DC-GW.

If IPv4 traffic is used, the NAT mechanism is put in place by "natting" the
private network with the outgoing IP address of the external router. All subnets from the external
network will be imported into the Internet VPN.
If IPv6 traffic is used, users that want to provide Internet connectivity will
use the L3VPN feature to import private IPs into the VPN created for Internet connectivity.
That VPN could be called "Internet VPN", and must be associated with the external network
defined in the router. That association is administratively configured with the
"neutron bgpvpn-assoc-create" command, so as to associate the external network with the BGPVPN.
Note also that using this command does not control which private IPv6 subnets will be imported
by that BGPVPN. The IPv6 subnetworks can be either GUA or ULA, since no control is done for that.
It will be up to the administrator to be cautious regarding the configuration, and use only

As the "Internet VPN" also imports Internet routes provided by the DC-GW, that VPN
is able to create the necessary pipeline rules (the necessary MPLS over GRE tunnels), so that the
VMs that are granted access can reach the Internet.
Configuration steps in a datacenter, based on config 1 described above:

- Configure ODL and DevStack networking-odl for BGP VPN.

- Create a transport zone to declare that a tunneling method is planned to reach an external IP:
  the IPv6 interface of the DC-GW.

- Create a network and a private IPv6 GUA subnetwork, using a GUA prefix:

  ::

    neutron net-create private-net
    neutron subnet-create --name ipv6-int-subnet --ip-version 6 --ipv6-ra-mode slaac \
        --ipv6-address-mode slaac private-net <GUA prefix>

- Create a Neutron router:

  ::

    neutron router-create <router>

- Create an external network. No IPv4 or IPv6 subnetwork needs to be configured:

  ::

    neutron net-create --router:external=true gateway_net

- This step creates the L3VPN instance. As illustrated, the route distinguisher and route target

  ::

    neutron bgpvpn-create --route-distinguishers <internetvpn> \
        --route-targets <internetvpn> --tenant-id b954279e1e064dc9b8264474cb3e6bd2 --name internetvpn

- step (1): Connect the router ports to the internal subnets that need access to the Internet:

  ::

    neutron router-interface-add <router> ipv6-int-subnet

- step (2): The external network will be associated with the "internet VPN" instance:

  ::

    operations:neutronvpn:associateNetworks ("network-id":"<uuid of external network gateway_net>",
                                             "vpn-id":"<uuid of internetvpn>")

- step (3): The external network will be associated to the router:

  ::

    neutron router-gateway-set <router> gateway_net

The last 3 configuration steps carry a step number, step (x).
Note that steps (1), (2) and (3) can be combined in different orders.
The proposal based on the external network is the one chosen for the changes.
The change relies on config 1 and config 3 described above.

The changes consist in:

- extending the neutronvpn.yang subnet structure so as to link the Internet VPN to the private subnetwork.

- importing each existing external sub-network into the Internet VPN. This is the case for the
  IPv4 subnetwork, as described above. This can also be the case for IPv6 sub-networks.

- for each new VM, extra route or subnet added to the private network or the private VPN, importing only
  the IPv6 information into the Internet VPN.

- providing a fallback rule: when no other rule in the routing table of the virtual router matches,
  a default route conveys the packet to that external network.

For L3 forwarding, the packet will be transported to either the Neutron router or the private VPN.
In both cases, the packet reaches table 17 for L3 forwarding.
If no external VPN is attached, the packet is transported to table 17 using vpn-id=router-id[1/2/3/4].
If an external VPN is attached, the packet is transported to table 17 using vpn-id=vpn-external-1.
Then a check is done against <internet-vpn-[1/2/3]>.

For IPv6 traffic, the Internet VPN acts as a fallback mechanism so that packets go to the Internet.
A fallback mechanism similar to option 2 from [7] will be put in place, only for IPv6.

That means that in such a configuration, if a dual stack router is configured with both IPv4 and IPv6, the VPN
only considers IPv4 public addresses and IPv6. IPv4 private traffic should follow the NAT rules applied to the router.
Then, if the new IPv4 public packet's destination IP address matches addresses from the Internet VPN, the packet
is encapsulated into the MPLSoGRE tunnel.
Neutron's role is to fill in the Internet VPN information in a subnetmap structure.

VPN - IPv6 subnetwork relationship established
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The 3 following conditions must be met for prefix importation into the Internet VPN to occur:

- on that subnet, some routing information is bound (VM allocated IPs, extra route or subnet routing configured)
- the same router has an external network configured
- the external network is associated with a VPN
- only IPv6 subnetworks are imported, because IPv4 subnetworks may be private.
NeutronVPN listens for events that involve a change of the above, that is to say:

- attach a subnetwork to a router.
  A check is done on the nature of the subnet: IPv6.
  A check is also done on the list of external networks configured on the router,
  to see if any has an attached VPN.

- attach an external network to a router.
  A check is done on whether a VPN is associated with the external network.

- associate a network to a VPN.
  If the associated network is external, a check is done on the routers that use that network.

If the above condition is met, NeutronVPN will update the subnetmap structure.
VPN - IPv6 Subnetwork Relationship unestablished
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If the above condition is not met, the following is triggered, depending on the incoming event:

- for a subnetwork detached from a router, a check is done on whether a VPN is associated with the external network

- for an external network detached from a router, a check is done to see if that network had a VPN instance.

- for a VPN disassociated from a network, the VPN instance is elected.

If the above condition is met, NeutronVPN will update the subnetmap structure.
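The conditions and events of the two sections above, together with the rule that steps (1), (2) and (3) may be combined in any order, as an added example that is not OpenDaylight code: a small Python model of NeutronVPN's subnetmap update that replays subnet attach/detach, router-gateway-set/clear and VPN associate/disassociate events and only ever maps IPv6 subnets. The event names, the ``State``/``Subnet`` classes and the sample identifiers are constructed for this example; ``is_gua`` is an operator-side check that the spec itself does not perform.

```python
import itertools
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Subnet:
    cidr: str
    router: Optional[str] = None   # router the subnet is attached to, if any
    has_routes: bool = False       # VM IPs, extra route or subnet routing bound

@dataclass
class State:
    subnets: Dict[str, Subnet]
    router_ext_net: Dict[str, str] = field(default_factory=dict)  # router -> external net
    net_vpn: Dict[str, str] = field(default_factory=dict)         # external net -> VPN
    subnetmap: Dict[str, str] = field(default_factory=dict)       # subnet -> vpn-external-id

def is_gua(cidr: str) -> bool:
    """True for IPv6 Global Unicast (2000::/3). The spec performs no such check,
    so this is what an operator would run before associating a subnet (assumed helper)."""
    net = ipaddress.ip_network(cidr)
    return net.version == 6 and net.subnet_of(ipaddress.ip_network("2000::/3"))

def internet_vpn_for(state: State, sid: str) -> Optional[str]:
    """Internet VPN id when all spec conditions hold, else None: IPv6 subnet with
    routing info bound, attached to a router whose external network has a VPN."""
    s = state.subnets[sid]
    if ipaddress.ip_network(s.cidr).version != 6 or not (s.has_routes and s.router):
        return None                       # IPv4 subnets never qualify (may be private)
    ext = state.router_ext_net.get(s.router)
    return state.net_vpn.get(ext) if ext else None

def reconcile(state: State) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Update vpn-external-id in the subnetmap for every subnet; return (subnet, old, new)."""
    changes = []
    for sid in state.subnets:
        new, old = internet_vpn_for(state, sid), state.subnetmap.get(sid)
        if new != old:
            changes.append((sid, old, new))
            if new is None:
                del state.subnetmap[sid]
            else:
                state.subnetmap[sid] = new
    return changes

def apply_event(state: State, ev: Tuple[str, ...]):
    """One event NeutronVPN listens for; the relationship is recomputed after each."""
    kind, a = ev[0], ev[1:]
    if kind == "subnet-attach":   state.subnets[a[0]].router = a[1]
    elif kind == "subnet-detach": state.subnets[a[0]].router = None
    elif kind == "gateway-set":   state.router_ext_net[a[0]] = a[1]   # router-gateway-set
    elif kind == "gateway-clear": state.router_ext_net.pop(a[0], None)
    elif kind == "vpn-assoc":     state.net_vpn[a[0]] = a[1]          # associateNetworks
    elif kind == "vpn-disassoc":  state.net_vpn.pop(a[0], None)
    else:
        raise ValueError(f"unknown event {kind}")
    return reconcile(state)

def run(events, subnets) -> Dict[str, str]:
    """Replay events on fresh state and return the resulting subnetmap."""
    state = State(subnets={k: Subnet(**v) for k, v in subnets.items()})
    for ev in events: apply_event(state, ev)
    return dict(state.subnetmap)

# Constructed sample: a dual-stack router (config 2) with one IPv6 and one IPv4 subnet.
SUBNETS = {"ipv6-int-subnet": {"cidr": "2001:db8:0:2::/64", "has_routes": True},
           "ipv4-int-subnet": {"cidr": "10.0.0.0/24", "has_routes": True}}
EVENTS = [("subnet-attach", "ipv6-int-subnet", "router1"),
          ("subnet-attach", "ipv4-int-subnet", "router1"),
          ("gateway-set", "router1", "gateway_net"),
          ("vpn-assoc", "gateway_net", "internetvpn")]

def all_orders_agree() -> bool:
    """Steps (1)-(3) may be combined in any order: every permutation gives one result."""
    return len({frozenset(run(p, SUBNETS).items()) for p in itertools.permutations(EVENTS)}) == 1
```

Only the IPv6 subnet ends up with a vpn-external-id, and undoing any one of the three associations removes it again.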
Upon a subnetmap structure change, the VPN manager creates subnetopdataentries structures corresponding to the two kinds
of VPN handled by the subnetmap structure: either the Internet or the external VPN.

So at most, for one subnet instance, two subnetopdataentries instances will be created.

Following that change, the VPN manager adds or deletes FIB entries according to the information stored on

A FIB populate is triggered for all adjacencies linked to the subnetID of the subnetOpdataEntry.
The specific route distinguisher of the corresponding VPN is used.
Associating a BGPVPN with an external network acts as if a second network were accessible through internet-vpn-id.

Pipeline change for upstream: the Internet VPN is translated into a fallback rule for external access.
This happens if there is external connectivity access, through the VPN associated with the external network.
This applies only to IPv6 traffic.

Packets going out from a VM match against either L3 forwarding in the DC or L3 forwarding using L3VPN.
Assuming this, once in table 21 (L3 FIB table), the packet is tested for being an IPv6 packet.
If it is, the packet is resubmitted to table 21 (L3 FIB table) to see if it matches some entries of the Internet VPN table.
If it does, the packet is encapsulated with the correct MPLSoGRE tag.

Below are illustrated 3 use cases that have been identified.

- case 1 based on config 1 described above

- case 2 based on config 3 described above

- case 3 based on config 1 with multipath case
Case VM to DC-GW with VPN internet configured, and standard Layer 3 routing (config 1)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note that this rule is available only for IPv6 traffic.

| Lport Dispatcher Table (17) ``match: LportTag l3 service: set vpn-id=router-id`` =>
| DMAC Service Filter (19) ``match: dst-mac=router-internal-interface-mac vpn-id=router-id`` =>
| L3 FIB Table (21) ``priority=0,match: ipv6,vpn-id=router-id, set vpn-id=internet-vpn-id, resubmit(,21)`` =>
| L3 FIB Table (21) ``match: vpn-id=internet-vpn-id, nw-dst=<IP-from-internetvpn> set tun-id=mpls_label output to MPLSoGRE tunnel port`` =>
Case VM to DC-GW with VPN internet configured, and Inter-DC VPN configured (config 3)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note that this rule is available only for IPv6 traffic.

| Classifier Table (0) =>
| Lport Dispatcher Table (17) ``match: LportTag l3vpn service: set vpn-id=external-vpn-id`` =>
| DMAC Service Filter (19) ``match: dst-mac=router-internal-interface-mac vpn-id=external-vpn-id`` =>
| L3 FIB Table (21) ``match: vpn-id=external-vpn-id, nw-dst=<IP-from-vpn> set tun-id=mpls_label output to MPLSoGRE tunnel port`` =>
| L3 FIB Table (21) ``priority=0,match: ipv6, vpn-id=external-vpn-id, set vpn-id=internet-vpn-id, resubmit(,21)`` =>
| L3 FIB Table (21) ``match: vpn-id=internet-vpn-id, nw-dst=<IP-from-internetvpn> set tun-id=mpls_label output to MPLSoGRE tunnel port`` =>
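The table 21 fallback of the two cases above, as an added example that is not OpenDaylight code: a Python model of tables 17, 19 and 21 with the priority=0, IPv6-only resubmit into the Internet VPN, covering both config 1 (vpn-id=router-id) and config 3 (vpn-id=external VPN). The FIB contents, MPLS labels, router MAC and vpn-id names are constructed for the example; the real OpenFlow tables carry more fields than this model.

```python
import ipaddress
from typing import Optional, Tuple

ROUTER_MAC = "fa:16:3e:00:00:01"    # constructed router-internal-interface-mac

# Constructed L3 FIB table (21): vpn-id -> {prefix: action}. Actions are
# ("local", dpn) for L3 forwarding inside the DC or ("mplsogre", label) for
# "set tun-id=mpls_label output to MPLSoGRE tunnel port".
FIB = {
    "router-id-1":     {"2001:db8:0:2::/64": ("local", "ovs-a"),
                        "10.0.0.0/24":       ("local", "ovs-a")},
    "external-vpn-1":  {"2001:db8:0:2::/64": ("local", "ovs-a"),
                        "2001:db8:1:2::/64": ("mplsogre", 300)},    # inter-DC prefix
    "internet-vpn-id": {"2001:db8:0:2::1/128": ("local", "ovs-a"),  # VM1, exported
                        "2001:db8:ffff::/48":  ("mplsogre", 1001)}, # learnt from DC-GW
}
# Internet VPN bound to the external network behind each upstream vpn-id (what the
# subnetmap vpn-external-id provides); the priority=0 rule switches to it.
FALLBACK = {"router-id-1": "internet-vpn-id", "external-vpn-1": "internet-vpn-id"}

def lookup(vpn_id: str, dst) -> Optional[Tuple[str, object]]:
    """Longest-prefix match for (vpn-id, nw-dst) in table 21, or None on miss."""
    best = None
    for cidr, action in FIB.get(vpn_id, {}).items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else None

def pipeline(src_vpn: str, dst_ip: str, dst_mac: str = ROUTER_MAC) -> tuple:
    """Tables 17 -> 19 -> 21 (plus at most one resubmit(,21)) for one egress packet.
    src_vpn is the vpn-id table 17 set: router-id (config 1) or external VPN (config 3).
    Returns the action taken plus the vpn-id it was taken under."""
    dst = ipaddress.ip_address(dst_ip)
    if dst_mac != ROUTER_MAC:                   # table 19: DMAC service filter
        return ("table19-miss", src_vpn)
    vpn = src_vpn
    for resubmitted in (False, True):
        hit = lookup(vpn, dst)
        if hit:
            return hit + (vpn,)
        # priority=0 fallback: only for ipv6, only once, only if an internet VPN
        # is bound; IPv4 private traffic stays on the router's NAT path.
        if resubmitted or dst.version != 6 or vpn not in FALLBACK:
            break
        vpn = FALLBACK[vpn]                     # set vpn-id=internet-vpn-id, resubmit(,21)
    return ("no-route", vpn)
```

An IPv6 destination that the router or external VPN does not know is retried once under the Internet VPN and, on a hit, leaves through the MPLSoGRE tunnel with that VPN's label; an IPv4 miss is never retried.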
The neutronvpn.yang subnetmap structure will be modified.
The subnetmap structure will have a new field called vpn-external-id:

::

    leaf vpn-external-id {
        description "Internet VPN to which this subnet belongs";
    }

The odl-l3vpn.yang subnet-op-data-entry will be modified.
A new field, vpnname, is added to the key of this structure.
vpnname stands for either the external VPN or the Internet VPN.
431 --- a/vpnservice/vpnmanager/vpnmanager-api/src/main/yang/odl-l3vpn.yang
432 +++ b/vpnservice/vpnmanager/vpnmanager-api/src/main/yang/odl-l3vpn.yang
433 @@ -346,19 +346,19 @@ module odl-l3vpn {
434 container subnet-op-data {
436 list subnet-op-data-entry {
438 + key "subnet-id vpn-name";
441 description "UUID representing the subnet ";
445 description "VPN Instance name";
449 description "DpnId for the DPN used as nexthop for this subnet";
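Review bot: the new composite key ``key "subnet-id vpn-name";`` references a leaf ``vpn-name`` that must be defined inside the same ``subnet-op-data-entry`` list, but this excerpt shows only the ``description "VPN Instance name";`` line and no ``-`` line removing the previous ``key`` statement; check that the full change drops the old key, adds ``leaf vpn-name`` with a type next to that description, and, since the prose above says vpnname names either the external or the Internet VPN, states that in the description so readers of the model know both values are possible.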
Clustering considerations
-------------------------

Other Infra considerations
--------------------------

Security considerations
-----------------------

Scale and Performance Impact
----------------------------
* Configure the MPLS/GRE tunnel endpoint on the DCGW connected to the public-net network.

* Configure the Neutron networking-odl plugin.

* Configure the BGP speaker in charge of retrieving prefixes for/from the data center
  gateway in ODL through the vpnservice.bgpspeaker.host.name setting in
  etc/custom.properties. No REST API can configure that parameter.
  Use the config/ebgp:bgp REST API to start the BGP stack and configure the VRF, address
  family and neighbouring. In our case, as an example, the following values will be used:

  ::

    rd="100:2" # internet VPN
    import-rts="100:1 100:2"
    export-rts="100:1 100:2"
  The following operations are done:

  ::

    "ebgp:stalepath-time": "360",
    "ebgp:router-id": "<ip-bgp-stack>",
    "ebgp:announce-fbit": "true",
    "ebgp:local-as": "<as>"

    "ebgp:remote-as": "<as>",
    "ebgp:address-families": [

    "ebgp:peer-ip": "<neighbor-ip-address>",

    "ebgp:address": "<neighbor-ip-address>"
* Configure the BGP speaker on the DCGW to exchange prefixes with the ODL BGP stack. Since
  the DCGW should be a vendor solution, the configuration of such equipment is out of
  the scope of this specification.

* Create a Neutron router:

  ::

    neutron router-create router1

* Create an external network:

  ::

    neutron net-create --router:external=true gateway_net

* Create an internal tenant network with an IPv6 (or dual-stack) subnet:

  ::

    neutron net-create private-net
    neutron subnet-create --name ipv6-int-subnet --ip-version 6 \
        --ipv6-ra-mode slaac --ipv6-address-mode slaac private-net 2001:db8:0:2::/64
* Use the neutronvpn:createL3VPN REST API to create the L3VPN:

  ::

    POST /restconf/operations/neutronvpn:createL3VPN
    {
      "input": {
        "l3vpn": [
          {
            "name": "internetvpn",
            "route-distinguisher": ["100:2"],
            "export-RT": ["100:2"],
            "import-RT": ["100:2"],
            "tenant-id": "tenant_uuid"
          }
        ]
      }
    }
* Associate the private network with the router:

  ::

    neutron router-interface-add router1 ipv6-int-subnet

* Associate the external network with the router:

  ::

    neutron router-gateway-set router1 gateway_net

* Associate the Internet L3VPN with the external network:

  ::

    POST /restconf/operations/neutronvpn:associateNetworks
    {
      "input": {
        "vpn-id": "vpnid_uuid_1",
        "network-id": "network_uuid"
      }
    }
* Spawn a VM in the tenant network:

  ::

    nova boot --image <image-id> --flavor <flavor-id> --nic net-id=<private-net> VM1

  The FIB entries can then be checked; the VM prefix appears once per route distinguisher:

  ::

    GET /restconf/config/odl-fib:fibEntries

    "routeDistinguisher": <rd-uuid_1>
    "routeDistinguisher": <rd_vpn1>,
    "destPrefix": <IPv6_VM1/128>,
    "nextHopAddressList": [

    "routeDistinguisher": <rd-uuid_2>
    "routeDistinguisher": <rd_vpninternet>,
    "destPrefix": <IPv6_VM1/128>,
    "nextHopAddressList": [
odl-netvirt-openstack

Philippe Guibert <philippe.guibert@6wind.com>

Noel de Prandieres <prandieres@6wind.com>

Valentina Krasnobaeva <valentina.krasnobaeva@6wind.com>

* Validate proposed changes - reuse subnetmap
* Implement NeutronVpn and VpnManager
Configurations 1 and 2 will be used.
For each config, the Internet VPN method will be used.
Also, each config will be done with a dual stack router and with an IPv6-only router.
3 operations trigger the association between the private network and the external network:

- associate subnet to router
- associate router to external network
- associate external network to Internet VPN

The following workflows should test OK:

- Subnets -> Router, Router -> Ext Net, Ext Net -> Int. VPN

- Subnets -> Router, Ext Net -> Int. VPN, Router -> Ext Net

- Ext Net -> Int. VPN, Router -> Ext Net, Subnets -> Router

- Router -> Ext Net, Ext Net -> Int. VPN, Subnets -> Router

- Router -> Ext Net, Subnets -> Router, Ext Net -> Int. VPN

- Ext Net -> Int. VPN, Subnets -> Router, Router -> Ext Net
A design document will be provided.
The necessary documentation on how to use this feature will be added.
[1] `OpenDaylight Documentation Guide <http://docs.opendaylight.org/en/latest/documentation.html>`_

[2] https://specs.openstack.org/openstack/nova-specs/specs/kilo/template.html

[3] http://docs.openstack.org/developer/networking-bgpvpn/overview.html

[4] `BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN <https://tools.ietf.org/html/rfc4659>`_

[5] `Spec to support IPv6 Inter DC L3VPN connectivity using BGPVPN <https://git.opendaylight.org/gerrit/#/c/50359>`_

[6] `Spec to support IPv6 North-South support for Flat/VLAN Provider Network <https://git.opendaylight.org/gerrit/#/c/49909/>`_

[7] `External Network connectivity in IPv6 networks <https://drive.google.com/file/d/0BxAspfn9mEi8OEtvVFpsZXo0ZlE/view>`_

[8] `BGP/MPLS IP Virtual Private Networks (VPNs) <https://tools.ietf.org/html/rfc4364#section-11>`_

[9] `IPv6 Support in MPLS over GRE overlays <https://docs.google.com/presentation/d/1Ky-QIrIhdaus0m7e2rIkKDS3rJx7ro-yzTWb89w08pU/edit#slide=id.p7>`_

[10] `Spec to support L3VPN dual stack for VMs <https://git.opendaylight.org/gerrit/#/c/54089/>`_