Hello, everyone. Let's get started. This session introduces lessons from an IPv6 deployment in an OpenStack environment.

OpenStack upstream developer, Neutron and Horizon core reviewer, deployment, cloud architect. I will introduce the subject to you.

Why is IPv6 important? Rejecting IPv6 addresses, rejecting addresses, the smart city and IoT movement, OpenStack in telco, preparing for the IPv6 era. OpenStack deployment, cloud architect, deployment, IPv6, the Mitaka release. Deployments of various concepts on OpenStack for telco, the IPv6 concept deployment on OpenStack for telco. This stack has been changed over for telco, and it has been successful.

The third point is routing considerations. I think it is a very interesting point on IPv6. There is not this kind of problem on IPv4 networks. In addition, we tested various VNF implementations, including the Neutron router, third-party VNF routers, or firewalls. I will cover these in the above topics.

The first topic is IPv6 address allocation. It is about how to manage IP address pools. I think at first I'd like to check requirements. You'd like to assign a global unique address (GUA) to tenants. In addition, a global address should be assigned to a specific address range; the operator wants to specify them. On the other hand, we'd like to allow tenants to use their own IP addresses. A global address is not required unless they are not connected to external.

To achieve this, there are two solutions. Neutron subnet pool is a good feature to manage this. Second point, we can still use the legacy way to specify when creating a subnet.

What is a subnet pool? Subnet pool is a Neutron concept. It defines a CIDR pool and allocates a CIDR for a subnet from the pool. A subnet is a set of IP addresses. A subnet pool is a set of subnets. For example, what can we do with this? We no longer need to take care of which CIDR is used or not. The subnet pool maintains assigned CIDRs. OpenStack operators can define the desired IP range in advance and force users to consume it. It also allows us to assign non-overlapping address ranges across tenants.

Subnet pool operation is like this. At first, we create a Neutron subnet pool by specifying a pool prefix. This is an IP range or a set of subnets. Then we can create subnets from
the created subnet pool. As you see, there is no IP address to be specified. Interestingly, if we have no more addresses, we can add more addresses by updating the subnet pool. By using a subnet pool, we can define a CIDR pool and allocate a CIDR to a subnet pool from the pool.

We can use this subnet pool concept to manage IPv6 address ranges. First, create a subnet pool from a global unique address. The red character string is the global unique address. In addition, I specify the prefix range to all /64. This is because, for now, in SLAAC or DHCPv6 stateless mode, a /64 prefix is actually the only option that works with router advertisement. Then mark it shared, share this subnet pool, so that tenants can consume it. Optionally, mark it as a default subnet pool. It is useful: tenants do not need to specify a subnet pool name when creating a subnet.

This is a tenant-side operation. First, a tenant can check which subnet pool is available by running openstack subnet pool list. Then, create a subnet using this subnet pool. In this example, I specified use default subnet pool and IPv6. So a tenant user can easily create a subnet unless they need to know the detail.

A thing to note is subnet pool quota. Subnet pool supports quota. In the IPv4 case, quota is counted by the number of assigned IP addresses. On the other hand, in IPv6, quota is calculated as a number of /64 subnets. If the subnet pool quota is three, a tenant can allocate three /64 subnets. I think /64 is a minimum allocation unit, so it is really reasonable. This is how the global unique address pool is managed.

The next topic is IP address configuration. This is how IPv6 addresses and additional information are configured on a VM or IPv6 client. This is the IPv6 specification. For now, there are three configuration modes: SLAAC, DHCP stateless, and DHCP stateful. I think if you are running an IPv6 environment, you might be familiar with that.

Here is a rough summary of the three modes. In SLAAC, the IPv6 address of a client is configured based on the router advertisement from the upstream router. Therefore, the gateway
is also configured based on the router IP address. And recently, optionally, DNS information can be advertised through router advertisement messages. One thing to note is that only a /64 prefix is supported.

In DHCPv6 stateless, the IPv6 address is configured based on router advertisement. This is the same as SLAAC mode. The different thing is that other information is retrieved from DHCPv6. I think this is the one most commonly used. It is because it was the only way to distribute DNS information before DNS support in RA was added.

This is DHCPv6 stateful. This is different from the above two. All information, including addresses, is configured based on the DHCPv6 protocol. I heard the gateway is not configured properly. Honestly, I'm not so familiar with DHCPv6 stateful. This information might be wrong.

The configuration mode is determined based on router advertisement flags. There are two flags, the managed flag and the other flag. Neutron exposes all modes. But not necessarily all modes are available. It depends on the back-end implementation.

So how does Neutron allow us to specify these behaviors? Neutron has two attributes related to IPv6 configuration, two modes: IPv6 address mode and RA mode. There are constraints between these two attributes. It is summarized in the OpenStack Network Guide. Let's see it.

This is a bit long table, I think, I hope. The top entry is just for back-end compatibility. The 6th entry at the bottom is invalid configuration. The remaining combinations: these three modes are supported by the Neutron reference implementation. It means the layer 3 agent and the DHCP agent. The remaining combinations are not supported by the reference implementation. But if you want a different router implementation, what value should I specify? I'd like to understand what it means. Let's see it in more detail.

The first one is IPv6 address mode. It specifies how an IPv6 address is generated and assigned. The main players are IP address management (IPAM) and the DHCP implementation: dnsmasq, the DHCP agent. In SLAAC and DHCP stateless mode, the lower half bits of addresses are generated from MAC
addresses. Neutron handles IP address generation specially for these two modes.

The second mode is IPv6 RA mode. This mode specifies how the Neutron router sends router advertisements. If a Neutron router is provisioned and these three modes are specified, Neutron sets up the router advertisement daemon, radvd, on the router network namespace. The daemon sends router advertisements to clients. The router advertisement flag is set accordingly based on subnet attributes. If the attribute is not specified, Neutron does nothing.

With this understanding, I will explain the deployment scenarios. The left side is the Neutron deployment. This is the simplest. The Neutron router is created by the Neutron L3 plugin. The VNF virtual appliance, about Neutron. This pattern, about Neutron. The right side is the Neutron case. The VNF, about Neutron. Neutron is created with the Neutron router. From the Neutron perspective it acts as a VM, and the Neutron router is created from the Neutron perspective. The right side is the [INAUDIBLE] case. The virtual appliance is made up of a Neutron VM. With the upstream router, the IPv6 modes can be used in combination with networking.

The first is the tenant Neutron router scenario. This is simple. For these values, IP address mode and RA mode can be used. In the case of third-party plugins, you need to check, but in most cases the router scenario works.

Next is the router scenario. From the Neutron perspective, there is no RA mode, and the Neutron router looks like a VM. From the Neutron perspective.

The second is the DHCPv6 stateless case. In this case, the router advertisement is moved to the VNF router. It is moved in the same way as for SLAAC. The Neutron address mode is DHCPv6 stateless. Neutron uses the DHCPv6 address mode. The VNF router uses the DHCPv6 address mode. The second DHCP stateless case uses the DHCPv6 address mode. What I am talking about now uses DHCPv6 on the VNF side. The DHCPv6 stateless case is the same.

The last case is the provider router. In this case, the upstream router uses the advertisement. For this scenario, it is the same as DHCPv6 stateless mode.

DHCPv6 stateful is more complicated. In this case the IPv6 address is maintained on the Neutron side, but the upstream router does not collaborate with Neutron, so there is no way for the upstream router to know what IPv6 address is configured. I think it does not work, and we should avoid this scenario for the provider router case.

As a last
slide of this topic, I'd like to share a small result of IPv6 modes per VNF. For SLAAC, only the Cisco VNF supports the DNS option in RA messages. A surprising thing is that the Neutron radvd implementation does not support the DNS option, but as far as I checked, it seems we are just not passing DNS information to the radvd configuration. For the DHCPv6 stateless case, some VNFs do not support this mode: intersec and parallel to this. These appliances only support SLAAC; there is no configuration to change it. The DNS option in Neutron is not provided; this needs some investigation. This is just a snapshot result, so it shows us a dedicated thorough test is required.

Let's move on to the routing topic. I'd like to cover two routing topics. The first one is how to reach the tenant network from the internet. Why is it important? Someone thinks it is a requirement for the internet. To deliver a packet from the internet to the tenant network, the upstream router must know the route to the tenant network. In IPv6, the tenant network gets a global address dynamically, so the route table on the upstream left side needs to be updated. Tenant networks and routers are created by self service, so we need some mechanism to update routes automatically.

There are several possible options to update the route to the tenant network dynamically. One option is dynamic routing using a routing protocol: BGP or OSPF is, I think, a good option. The other option is to use prefix delegation. Let's look at them one by one.

The first one is dynamic routing with BGP. Neutron itself supports BGP dynamic routing route advertisement. In this case the OpenStack deployment acts as one AS, and BGP peering is created between the BGP agent on the top and the upstream router. Then, when a tenant network and router are created, the BGP agent advertises the new route to the upstream routers. Note that only networks which belong to the same address scope as the external network are advertised. About address scope, I will explain it in the coming slide. It is a concept of which IP addresses can communicate directly with each other. This is BGP.

The
second option for dynamic routing is OSPF. OSPF can be used for dynamic routing configuration. A router relationship is created between the router and the upstream router. Once a relationship is established, the router advertises the route to the tenant network. OSPF is useful for smaller deployments, as some operators do not want to run BGP in their data center. In addition, most VNF routers support OSPF, and it is a good option, I think. But unfortunately there is no Neutron integration implemented so far.

The third option is prefix delegation. IPv6 prefix delegation is a completely different approach from dynamic routing. This is originally an IP address management mechanism. There are two players: the prefix delegation (PD) server and the PD client. The upstream router is a prefix delegation server, and this manages the whole IP address ranges for the tenant network. OpenStack itself does not need to manage IP address ranges. The Neutron router is a prefix delegation client. If it requests, the prefix delegation server assigns the IP address ranges to a Neutron router. The Neutron router assigns an IP address to a back-end VM from that range. The important point is that the upstream router can set up a route to the Neutron router when assigning an IP address range. The router knows the IP address of the Neutron router, the prefix delegation client, so it can configure routes to the tenant network. So there is a Neutron integration and it is a good option.

Here is a comparison of these three techniques. There are merits and demerits, as I already covered, and I think choices depend on the networking policy and what kind of router types you use. For example, BGP has good Neutron integration, but if operators do not want to use BGP, we cannot use it. OSPF is another good option, but the Neutron integration is not there, so some orchestration mechanisms are required. For prefix delegation, there is good Neutron integration, but one limitation is that it only supports simple topology: we cannot nest tenant routers. For example, if tenants
want to place a firewall before the tenant router, the IP address of the back-end router cannot be configured through prefix delegation, I think. This is the first topic of routing considerations.

The second routing consideration is how to prevent unauthorized global addresses. Neutron allows tenants to assign arbitrary IP addresses. In addition, in IPv6, global unique addresses are assigned to tenants from specific ranges. So what happens if someone assigns address ranges overlapping other tenants? We need a way to block such unauthorized global unique addresses assigned by tenants. The answer is Neutron address scope. This concept is Neutron specific, and it is a concept to define which IP addresses can directly communicate with each other. Subnet pool is... let's see this example.

In this example, net1 and net2 are associated with address scope 1 through subnet pool 1. net2, net3 is associated with a different address scope. In this case, traffic between net1 and net2 is allowed to be forwarded, but the router drops traffic from net3 to net1 because they belong to different address scopes.

By using address scope, the operator can allow only traffic from the IP ranges they authorize to the internet. To do this, the administrator prepares a shared address scope and a shared subnet pool. Create the shared address scope and subnet pool, indicated as shared address scope 1 and 2, and then create a subnet on the external network, the left side, from the above subnet pool. So now the external network belongs to address scope 1. A tenant user creates net2 and creates a subnet from subnet pool 1. The tenant network belongs to address scope 1, 2. These two networks, network 2, the tenant network, and the external network, can communicate directly. On the other hand, if a tenant creates another network, net3, from another subnet pool, or specifies the CIDR explicitly, they cannot communicate to the outside.

So this is a summary of the command line. No new things appear here.

Finally, I'd like to share some interesting topics we learned. I think the third thing is interesting. Windows supports address randomization for
EUI-64 addresses. It randomizes the lower half, 64 bits. This area corresponds to MAC addresses. Windows support fml IPv6 address is supported. Randomization is enabled by default. It works for the SLAAC case because Neutron isn't involved in any address configuration, but the generated IPv6 addresses will be different from the Neutron port database. Debugging might be difficult. This is a limitation of the current Neutron and Windows support.

So most VNFs do not provide a Neutron layer 3 plug-in, so if we want to use such a VNF, we need some orchestrator to retrieve information from Neutron. For example, we need ipv6 address to attribute from subnet to configure ipv4 rf flags. Another example is address scope, and we need to retrieve address scope information associated with a Neutron network.

That's the last slide. I talked about my experience on an IPv6 PoC deployment. I hope it helps the introduction of IPv6 deployment. As a small summary, most things work well, but there are some things remaining to be improved. Let's share knowledge and upstream it. Thanks, thanks for coming.
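
The talk states that in SLAAC and DHCPv6 stateless mode the lower 64 bits of an address are generated from the MAC address, and that Windows address randomization yields addresses that differ from the Neutron port database. The following is an added example, not part of the talk and not Neutron's own code: it computes the MAC-derived (modified EUI-64) address for each port and flags ports whose observed address differs. The prefix, MAC addresses, port names and observed addresses are constructed sample values.

```python
import ipaddress


def eui64_address(prefix, mac):
    """Build the SLAAC address for a /64 prefix and a 48-bit MAC (modified EUI-64)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 address generation needs a /64 prefix")
    octets = [int(part, 16) for part in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    octets[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(octets[:3] + [0xFF, 0xFE] + octets[3:])  # insert ff:fe in the middle
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def audit_ports(prefix, ports, observed):
    """Classify each port by comparing the observed address with the MAC-derived one.

    ports:    {port name: MAC address recorded for the port}
    observed: {port name: IPv6 address actually seen from that port}
    """
    net = ipaddress.IPv6Network(prefix)
    report = {}
    for name, mac in ports.items():
        if name not in observed:
            report[name] = "no-address-observed"
            continue
        seen = ipaddress.IPv6Address(observed[name])
        if seen == eui64_address(prefix, mac):
            report[name] = "matches-eui64"
        elif seen in net:
            report[name] = "randomized-iid"   # right /64, interface ID not from the MAC
        else:
            report[name] = "outside-subnet"   # address not in the subnet's prefix at all
    return report


# Constructed sample data: documentation prefix and made-up MACs and addresses.
PREFIX = "2001:db8:0:1::/64"
PORTS = {"linux-vm": "fa:16:3e:12:34:56", "windows-vm": "fa:16:3e:ab:cd:ef",
         "stray": "fa:16:3e:00:00:01"}
OBSERVED = {"linux-vm": "2001:db8:0:1:f816:3eff:fe12:3456",
            "windows-vm": "2001:db8:0:1:5c9d:2a71:88e4:1b03",
            "stray": "2001:db8:0:2::10"}

if __name__ == "__main__":
    for port, verdict in audit_ports(PREFIX, PORTS, OBSERVED).items():
        print(f"{port:12} {verdict}")
```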