NDP Proxy
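When an NDP proxy is set on a router, it is used to publish an IPv6 address to the external router. Its purpose is similar to that of a floating IP, but it forwards traffic directly using routing rules, with no NAT operation. Read the related specification for more details.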
Configuring the NDP proxy
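To configure the NDP proxy, take the following steps:
On the controller nodes:
Add the ndp_proxy service to the service_plugins setting in the [DEFAULT] section of /etc/neutron/neutron.conf. For example:
[DEFAULT]
service_plugins = router,ndp_proxy
Note
The router service plug-in must be configured along with the ndp_proxy service plug-in.
On the network nodes or the compute nodes (for DVR mode routers):
Set the extensions option in the [agent] section of /etc/neutron/l3_agent.ini to include ndp_proxy. This must be done on every network and compute node where the L3 agent runs. For example:
extensions = ndp_proxy
Note
After updating the options in the configuration files, neutron-server and every neutron-l3-agent must be restarted for the new values to take effect.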
After configuring the NDP proxy, the ndp-proxy extension alias is included in the output of the following commands:
For API extensions:
$ openstack extension list --network
For agent extensions:
$ openstack network agent show <l3-agent-id>
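Note
We introduced a new command, ndsend, for the NDP proxy feature. It sends a neighbor advertisement for an IPv6 address to the upstream router, so that the upstream router quickly learns of changes to internal IPv6 addresses (for example, a port migrating to another node). Read the man page for more details about this command.
Currently, you need to install this command manually on every L3 agent node. On Ubuntu, the command is provided by the vzctl package; install it with: sudo apt install vzctl.
On the upstream router (the physical router of the data center):
Normally, the administrator should plan one or more IPv6 subnetpools for use when the NDP proxy is enabled, so that all internal subnets can be allocated from a single integrated subnetpool. For the NDP proxy to work correctly, the administrator needs to set a direct route for these subnetpools.
For example, suppose we have an IPv6 subnetpool whose CIDR is 2001:db8::/96. A direct route should be set as follows:
2001:db8::/96 dev <ext-gw>
where ext-gw is the gateway interface of the cloud's external network.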
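A check of the two settings described above, run against the contents of neutron.conf and l3_agent.ini. This is an added example, not part of the Neutron documentation or code; the function names and sample file contents are constructed, and it assumes the plug-ins are listed by the short aliases used on this page.

```python
import configparser

# Constructed sample contents; only the option names and values come from the page.
NEUTRON_CONF = "[DEFAULT]\nservice_plugins = router,ndp_proxy\n"
L3_AGENT_INI = "[agent]\nextensions = ndp_proxy\n"


def csv_option(text, section, option):
    """Return a comma-separated option as a list of tokens ([] if absent)."""
    # default_section is renamed so [DEFAULT] is parsed as an ordinary section:
    # an option written under the wrong section is then reported, not inherited.
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    cp.read_string(text)
    raw = cp.get(section, option, fallback="")
    return [tok.strip() for tok in raw.split(",") if tok.strip()]


def audit(neutron_conf, l3_agent_ini):
    """Return a list of problems; an empty list means both files are set up."""
    problems = []
    plugins = csv_option(neutron_conf, "DEFAULT", "service_plugins")
    if "ndp_proxy" not in plugins:
        problems.append("neutron.conf: ndp_proxy missing from [DEFAULT] service_plugins")
    elif "router" not in plugins:
        problems.append("neutron.conf: ndp_proxy is set without the router plug-in")
    if "ndp_proxy" not in csv_option(l3_agent_ini, "agent", "extensions"):
        problems.append("l3_agent.ini: ndp_proxy missing from [agent] extensions")
    return problems


if __name__ == "__main__":
    for line in audit(NEUTRON_CONF, L3_AGENT_INI) or ["ok"]:
        print(line)
```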
User workflow
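The basic steps to publish an IPv6 address to an external network (for example, a public network) are as follows:
Note
To prevent potential security risks, the NDP proxy feature requires the use of an IPv6 address scope to ensure that externally published IPv6 addresses are unique.
Create an IPv6 address scope: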
$ openstack address scope create test-ipv6-as --ip-version 6
+------------+--------------------------------------+
| Field      | Value                                |
+------------+--------------------------------------+
| id         | 24761ec5-b659-4358-b9ab-495ead15fa7a |
| ip_version | 6                                    |
| name       | test-ipv6-as                         |
| project_id | bcb0c7a5338b4a46959e47971c58f0f1     |
| shared     | False                                |
+------------+--------------------------------------+
Create an IPv6 subnet pool:
$ openstack subnet pool create test-subnetpool --address-scope test-ipv6-as \
  --pool-prefix 2001:db8::/96 --default-prefix-length 112
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| address_scope_id  | 24761ec5-b659-4358-b9ab-495ead15fa7a |
| created_at        | 2022-09-05T06:16:31Z                 |
| default_prefixlen | 112                                  |
| default_quota     | None                                 |
| description       |                                      |
| id                | 4af07f59-45b8-424d-98c5-35d20ba61526 |
| ip_version        | 6                                    |
| is_default        | False                                |
| max_prefixlen     | 128                                  |
| min_prefixlen     | 64                                   |
| name              | test-subnetpool                      |
| prefixes          | 2001:db8::/96                        |
| project_id        | bcb0c7a5338b4a46959e47971c58f0f1     |
| revision_number   | 0                                    |
| shared            | False                                |
| tags              |                                      |
| updated_at        | 2022-01-01T06:42:08Z                 |
+-------------------+--------------------------------------+
Create an external network:
$ openstack network create --external --provider-network-type flat \
  --provider-physical-network public public
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2022-09-05T06:18:31Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | 98b0f468-7be0-4530-919d-c4d9417c3abf |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| is_vlan_transparent       | None                                 |
| mtu                       | 1500                                 |
| name                      | public                               |
| port_security_enabled     | True                                 |
| project_id                | bcb0c7a5338b4a46959e47971c58f0f1     |
| provider:network_type     | flat                                 |
| provider:physical_network | public                               |
| provider:segmentation_id  | None                                 |
| qos_policy_id             | None                                 |
| revision_number           | 1                                    |
| router:external           | External                             |
| segments                  | None                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2022-01-01T06:45:08Z                 |
+---------------------------+--------------------------------------+
Create an external subnet:
$ openstack subnet create --network public --subnet-pool test-subnetpool \
  --prefix-length 112 --ip-version 6 --no-dhcp ext-sub
+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| allocation_pools     | 2001:db8::2-2001:db8::ffff           |
| cidr                 | 2001:db8::/112                       |
| created_at           | 2022-09-05T06:21:37Z                 |
| description          |                                      |
| dns_nameservers      |                                      |
| dns_publish_fixed_ip | None                                 |
| enable_dhcp          | False                                |
| gateway_ip           | 2001:db8::1                          |
| host_routes          |                                      |
| id                   | ec11de28-9b84-4cee-b6a1-0ed56135bcd8 |
| ip_version           | 6                                    |
| ipv6_address_mode    | None                                 |
| ipv6_ra_mode         | None                                 |
| name                 | ext-sub                              |
| network_id           | 98b0f468-7be0-4530-919d-c4d9417c3abf |
| project_id           | bcb0c7a5338b4a46959e47971c58f0f1     |
| revision_number      | 0                                    |
| segment_id           | None                                 |
| service_types        |                                      |
| subnetpool_id        | 4af07f59-45b8-424d-98c5-35d20ba61526 |
| tags                 |                                      |
| updated_at           | 2022-01-01T06:47:08Z                 |
+----------------------+--------------------------------------+
Create a router:
$ openstack router create test-router
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| admin_state_up          | UP                                   |
| availability_zone_hints |                                      |
| availability_zones      |                                      |
| created_at              | 2022-01-01T06:50:44Z                 |
| description             |                                      |
| distributed             | False                                |
| enable_ndp_proxy        | False                                |
| external_gateway_info   | null                                 |
| flavor_id               | None                                 |
| ha                      | False                                |
| id                      | 3aab8554-e5c4-4262-ab95-b92857c641de |
| name                    | test-router                          |
| project_id              | bcb0c7a5338b4a46959e47971c58f0f1     |
| revision_number         | 1                                    |
| routes                  |                                      |
| status                  | ACTIVE                               |
| tags                    |                                      |
| updated_at              | 2022-01-01T06:50:44Z                 |
+-------------------------+--------------------------------------+
Set the external gateway for the router:
$ openstack router set test-router --external-gateway public
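Note
If the external network has no IPv6 subnet and ipv6_gateway is configured on the neutron-l3-agent, you may need to set use_lla_address to True in /etc/neutron/neutron.conf; otherwise the following command will raise a 403 error.
Enable NDP proxy support on the router: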
$ openstack router set test-router --enable-ndp-proxy
Create an internal network and an IPv6 subnet, and add the subnet to the router above:
$ openstack network create int-net
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2022-01-01T07:11:08Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | e527b38e-9e2a-439b-adf8-4ee1aa4f03b1 |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| is_vlan_transparent       | None                                 |
| mtu                       | 1450                                 |
| name                      | int-net                              |
| port_security_enabled     | True                                 |
| project_id                | bcb0c7a5338b4a46959e47971c58f0f1     |
| provider:network_type     | vxlan                                |
| provider:physical_network | None                                 |
| provider:segmentation_id  | 575                                  |
| qos_policy_id             | None                                 |
| revision_number           | 1                                    |
| router:external           | Internal                             |
| segments                  | None                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2022-01-01T07:11:08Z                 |
+---------------------------+--------------------------------------+
$ openstack subnet create --network int-net --subnet-pool test-subnetpool \
  --prefix-length 112 --ip-version 6 \
  --ipv6-ra-mode dhcpv6-stateful \
  --ipv6-address-mode dhcpv6-stateful int-sub
+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| allocation_pools     | 2001:db8::1:2-2001:db8::1:ffff       |
| cidr                 | 2001:db8::1:0/112                    |
| created_at           | 2022-09-05T06:24:13Z                 |
| description          |                                      |
| dns_nameservers      |                                      |
| dns_publish_fixed_ip | None                                 |
| enable_dhcp          | True                                 |
| gateway_ip           | 2001:db8::1:1                        |
| host_routes          |                                      |
| id                   | 9bcf194c-d44f-4e6f-90da-98510ddef283 |
| ip_version           | 6                                    |
| ipv6_address_mode    | dhcpv6-stateful                      |
| ipv6_ra_mode         | dhcpv6-stateful                      |
| name                 | int-sub                              |
| network_id           | e527b38e-9e2a-439b-adf8-4ee1aa4f03b1 |
| project_id           | bcb0c7a5338b4a46959e47971c58f0f1     |
| revision_number      | 0                                    |
| segment_id           | None                                 |
| service_types        |                                      |
| subnetpool_id        | 4af07f59-45b8-424d-98c5-35d20ba61526 |
| tags                 |                                      |
| updated_at           | 2022-01-02T08:20:26Z                 |
+----------------------+--------------------------------------+
$ openstack router add subnet test-router int-sub
Launch an instance:
$ openstack server create --flavor m1.tiny --image cirros-0.5.2-x86_64-disk --network int-net test-server
+-------------------------------------+-----------------------------------------------------------------+
| Field                               | Value                                                           |
+-------------------------------------+-----------------------------------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                                          |
| OS-EXT-AZ:availability_zone         |                                                                 |
| OS-EXT-SRV-ATTR:host                | None                                                            |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None                                                            |
| OS-EXT-SRV-ATTR:instance_name       |                                                                 |
| OS-EXT-STS:power_state              | NOSTATE                                                         |
| OS-EXT-STS:task_state               | scheduling                                                      |
| OS-EXT-STS:vm_state                 | building                                                        |
| OS-SRV-USG:launched_at              | None                                                            |
| OS-SRV-USG:terminated_at            | None                                                            |
| accessIPv4                          |                                                                 |
| accessIPv6                          |                                                                 |
| addresses                           |                                                                 |
| adminPass                           | 97UvRLgdFozR                                                    |
| config_drive                        |                                                                 |
| created                             | 2022-01-02T08:22:35Z                                            |
| flavor                              | m1.tiny (1)                                                     |
| hostId                              |                                                                 |
| id                                  | 189a104c-36cd-479a-8702-8111eb34fdb6                            |
| image                               | cirros-0.5.2-x86_64-disk (2b2d2975-7ffc-463b-8c0e-993122f38b77) |
| key_name                            | None                                                            |
| name                                | test-server                                                     |
| progress                            | 0                                                               |
| project_id                          | bcb0c7a5338b4a46959e47971c58f0f1                                |
| properties                          |                                                                 |
| security_groups                     | name='default'                                                  |
| status                              | BUILD                                                           |
| updated                             | 2022-01-02T08:22:34Z                                            |
| user_id                             | 27e0947bb4fe47e4981da31d4a18ddf7                                |
| volumes_attached                    |                                                                 |
+-------------------------------------+-----------------------------------------------------------------+
Create an NDP proxy for the instance's port
Query the port of the instance:
$ openstack port list --server test-server
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------+--------+
| ID                                   | Name | MAC Address       | Fixed IP Addresses                                                             | Status |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------+--------+
| bdd64aa0-437a-4db6-bbca-99869426c908 |      | fa:16:3e:ac:15:b8 | ip_address='2001:db8::1:284', subnet_id='9bcf194c-d44f-4e6f-90da-98510ddef283' | ACTIVE |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------+--------+
Create an NDP proxy for the port:
$ openstack router ndp proxy create test-router --port bdd64aa0-437a-4db6-bbca-99869426c908 --name test-np
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| created_at      | 2022-01-02T08:25:31Z                 |
| description     |                                      |
| id              | 73889fee-e322-443f-941e-142e4fc5f898 |
| ip_address      | 2001:db8::1:284                      |
| name            | test-np                              |
| port_id         | bdd64aa0-437a-4db6-bbca-99869426c908 |
| project_id      | bcb0c7a5338b4a46959e47971c58f0f1     |
| revision_number | 0                                    |
| router_id       | 3aab8554-e5c4-4262-ab95-b92857c641de |
| updated_at      | 2022-01-02T08:25:31Z                 |
+-----------------+--------------------------------------+
Then ping the port's address from the upstream router:
$ ping 2001:db8::1:284
PING 2001:db8::1:284(2001:db8::1:284) 56 data bytes
64 bytes from 2001:db8::1:284: icmp_seq=1 ttl=64 time=0.365 ms
64 bytes from 2001:db8::1:284: icmp_seq=2 ttl=64 time=0.385 ms
Note
You may also need to add a security group rule that allows ICMPv6 traffic to the instance.
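A pre-flight check of the address plan used in this walk-through: every subnet and every published NDP proxy address must fall inside a prefix the upstream router has a direct route for, and subnets must not overlap. This is an added example, not part of the Neutron documentation or code; the function name and data layout are assumptions, and the values are the ones shown above.

```python
import ipaddress

# Values from the walk-through above; the dictionary layout is an assumption.
UPSTREAM_ROUTES = ["2001:db8::/96"]          # direct routes on the upstream router
SUBNETS = {"ext-sub": "2001:db8::/112", "int-sub": "2001:db8::1:0/112"}
PROXIES = {"test-np": "2001:db8::1:284"}     # NDP proxy name -> published address


def check_plan(routes, subnets, proxies):
    """Return findings for unreachable or potentially colliding addresses."""
    findings = []
    nets = [ipaddress.ip_network(r) for r in routes]
    parsed = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}

    # Each subnet must sit inside a prefix routed directly to the cloud gateway.
    for name, net in parsed.items():
        if not any(r.version == net.version and net.subnet_of(r) for r in nets):
            findings.append(f"subnet {name} ({net}) is outside every direct route")

    # Overlapping subnets could publish the same address twice.
    names = sorted(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                findings.append(f"subnets {a} and {b} overlap")

    # Each published address must be routable upstream and belong to a subnet.
    for name, addr in proxies.items():
        ip = ipaddress.ip_address(addr)
        if not any(ip in r for r in nets):
            findings.append(f"proxy {name} ({ip}) is not covered by a direct route")
        if not any(ip in s for s in parsed.values()):
            findings.append(f"proxy {name} ({ip}) is not in any known subnet")
    return findings


if __name__ == "__main__":
    for line in check_plan(UPSTREAM_ROUTES, SUBNETS, PROXIES) or ["ok"]:
        print(line)
```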
Known limitations
Using the NDP proxy in combination with the OVN backend is not supported.