Bug 1687457
| Summary: | Neutron doesn't allow the gateway to be the first v6 address | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | David Vallee Delisle <dvd> |
| Component: | openstack-neutron | Assignee: | Nate Johnston <njohnston> |
| Status: | CLOSED ERRATA | QA Contact: | Roee Agiman <ragiman> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | 13.0 (Queens) | CC: | amuller, bhaley, chrisw, marjones, mircea.vutcovici, njohnston, scohen |
| Target Milestone: | --- | Keywords: | Triaged, ZStream |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-neutron-12.0.5-16.el7ost | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-07-10 13:02:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
When looking at the RFC [1], there's no mention that this can't be the gateway address. [1] https://tools.ietf.org/html/rfc4291#section-2.6.1 As mentioned by DVD, the anycast address is used for router redundancy. It is predefined, this means that it should be considered as a valid value for neutron. However neutron validation code is based on legacy IPv4 and applied to IPv6 too. The validation code in Neutron fails to consider the address as a valid IPv6 destination address. I am adding the excerpt from RFC4291: The Subnet-Router anycast address is predefined. Its format is as follows: | n bits | 128-n bits | +------------------------------------------------+----------------+ | subnet prefix | 00000000000000 | +------------------------------------------------+----------------+ The "subnet prefix" in an anycast address is the prefix that identifies a specific link. This anycast address is syntactically the same as a unicast address for an interface on the link with the interface identifier set to zero. Packets sent to the Subnet-Router anycast address will be delivered to one router on the subnet. All routers are required to support the Subnet-Router anycast addresses for the subnets to which they have interfaces. The Subnet-Router anycast address is intended to be used for applications where a node needs to communicate with any one of the set of routers. Filed upstream change to fix this in master. I have marked the change as blocked for now upstream: https://review.openstack.org/#/c/647484/ The reason for this is that while the first address is a valid address, that doesn't mean we should give it out to just anyone. Since the first address is specific to anycast-router we should also modify Neutron IPAM to ensure that only routers get the first address. This is a deeper code change, and is not as obvious as one might assume. I plan on discussing with the Neutron development community in the PTG meeting in early May in Denver. This change will be held in abeyance until that issue is resolved. Note: Changed priority and severity to match the customer case. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:1744 |
Description of problem: It seems to be checking with rules [1] that make sense for IPv4 but not necessarily v6. We've found this bug upstream that was closed [2]. The client treats it like any other unicast address The benefit is the routers could have any address (like eui-64) assigned but they'll still listen for <net>:: So you don't have to know the router ip from the client config Version-Release number of selected component (if applicable): all How reproducible: All the time Steps to Reproduce: 1. Create external subnet using the first address as unicast Actual results: openstack --debug subnet create external-subnet --ip-version 6 --subnet-range abc:def:162:221::/64 --gateway abc:def:162:221:0:0:0:0 --network external RESP BODY: {"NeutronError": {"message": "Invalid input for operation: Gateway is not valid on subnet.", "type": "InvalidInput", "detail": ""}} Expected results: It should work Additional info: [1] neutron/ipam/utils.py: def check_gateway_invalid_in_subnet(cidr, gateway): """Check whether the gw IP address is invalid on the subnet.""" ip = netaddr.IPAddress(gateway) net = netaddr.IPNetwork(cidr) # Check whether the gw IP is in-valid on subnet. # If gateway is in the subnet, it cannot be the # 'network' or the 'broadcast address (only in IPv4)'. # If gateway is out of subnet, there is no way to # check since we don't have gateway's subnet cidr. return (ip in net and (ip == net.network or (net.version == constants.IP_VERSION_4 and ip == net[-1]))) [2] https://bugs.launchpad.net/neutron/+bug/1682094