Description of problem: It seems to be checking with rules [1] that make sense for IPv4 but not necessarily v6. We've found this bug upstream that was closed [2]. The client treats it like any other unicast address The benefit is the routers could have any address (like eui-64) assigned but they'll still listen for <net>:: So you don't have to know the router ip from the client config Version-Release number of selected component (if applicable): all How reproducible: All the time Steps to Reproduce: 1. Create external subnet using the first address as unicast Actual results: openstack --debug subnet create external-subnet --ip-version 6 --subnet-range abc:def:162:221::/64 --gateway abc:def:162:221:0:0:0:0 --network external RESP BODY: {"NeutronError": {"message": "Invalid input for operation: Gateway is not valid on subnet.", "type": "InvalidInput", "detail": ""}} Expected results: It should work Additional info: [1] neutron/ipam/utils.py: def check_gateway_invalid_in_subnet(cidr, gateway): """Check whether the gw IP address is invalid on the subnet.""" ip = netaddr.IPAddress(gateway) net = netaddr.IPNetwork(cidr) # Check whether the gw IP is in-valid on subnet. # If gateway is in the subnet, it cannot be the # 'network' or the 'broadcast address (only in IPv4)'. # If gateway is out of subnet, there is no way to # check since we don't have gateway's subnet cidr. return (ip in net and (ip == net.network or (net.version == constants.IP_VERSION_4 and ip == net[-1]))) [2] https://bugs.launchpad.net/neutron/+bug/1682094
When looking at the RFC [1], there's no mention that this can't be the gateway address. [1] https://tools.ietf.org/html/rfc4291#section-2.6.1
As mentioned by DVD, the anycast address is used for router redundancy. It is predefined, this means that it should be considered as a valid value for neutron. However neutron validation code is based on legacy IPv4 and applied to IPv6 too. The validation code in Neutron fails to consider the address as a valid IPv6 destination address. I am adding the excerpt from RFC4291: The Subnet-Router anycast address is predefined. Its format is as follows: | n bits | 128-n bits | +------------------------------------------------+----------------+ | subnet prefix | 00000000000000 | +------------------------------------------------+----------------+ The "subnet prefix" in an anycast address is the prefix that identifies a specific link. This anycast address is syntactically the same as a unicast address for an interface on the link with the interface identifier set to zero. Packets sent to the Subnet-Router anycast address will be delivered to one router on the subnet. All routers are required to support the Subnet-Router anycast addresses for the subnets to which they have interfaces. The Subnet-Router anycast address is intended to be used for applications where a node needs to communicate with any one of the set of routers.
Filed upstream change to fix this in master.
I have marked the change as blocked for now upstream: https://review.openstack.org/#/c/647484/ The reason for this is that while the first address is a valid address, that doesn't mean we should give it out to just anyone. Since the first address is specific to anycast-router we should also modify Neutron IPAM to ensure that only routers get the first address. This is a deeper code change, and is not as obvious as one might assume. I plan on discussing with the Neutron development community in the PTG meeting in early May in Denver. This change will be held in abeyance until that issue is resolved. Note: Changed priority and severity to match the customer case.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:1744