Network Working Group Y. Bai
Internet-Draft C. Bao
Intended status: Informational CERNET Center/Tsinghua University
Expires: March 25, 2015 K. Yin
Cisco Systems
X. Li
CERNET Center/Tsinghua University
September 21, 2014
IPv4/IPv6 Transition Practice in OpenStack
draft-ybai-ipv4v6-transition-practice-in-openstack-00
Abstract
OpenStack is a free and open-source software cloud computing
platform. It is primarily deployed as an infrastructure as a service
(IaaS) solution. However, OpenStack is designed mainly for IPv4, it
internally uses [RFC1918] addresses and heavily relies on NAT to map
RFC1918 addresses to public IPv4 addresses known as floating IP
addresses for the external access. Due to the different nature of
IPv6 and IPv4, the IPv6 support for the OpenStack is still in the
early stage. In this document, two mechanisms are presented to
provide IPv4/IPv6 dual stack external access for the OpenStack, one
scenario is internal IPv4 and uses stateful IPv4/IPv6 translator for
the external IPv6 access, and another scenario is internal IPv6 and
uses stateless IPv4/IPv6 translation for the external IPv4 access.
Both mechanisms have been deployed in CERNET and providing services
to the global IPv4/IPv6 Internet.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 25, 2015.
Bai, et al. Expires March 25, 2015 [Page 1]
Internet-Draft IPv4/IPv6 Transition Practice in OpenStack September 2014
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. IPv4/IPv6 access to IPv4-only Cloud . . . . . . . . . . . . . 3
2.1. Current IPv4 OpenStack Network Structures . . . . . . . . 3
2.2. IPv4 Accessibility directly . . . . . . . . . . . . . . . 3
2.3. IPv6 Accessibility via IPv4/IPv6 translator . . . . . . . 4
3. IPv4/IPv6 access to IPv6-only Cloud . . . . . . . . . . . . . 5
3.1. Analysis and recommendations for the Internal Structure
of IPv6 OpenStack . . . . . . . . . . . . . . . . . . . . 5
3.2. IPv4 Accessibility via Translation . . . . . . . . . . . 6
3.2.1. 1:N Stateless Translation . . . . . . . . . . . . . . 7
3.2.2. HTTP Redirection for Web Servers . . . . . . . . . . 8
4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
5. Security Considerations . . . . . . . . . . . . . . . . . . . 9
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9
8. Normative References . . . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
The concept of cloud is growing rapidly, and open-source cloud
platforms such as OpenStack are more and more popular. The network
models inside OpenStack cloud requires public IPv4 addresses for
external access. It's foreseeable that the exhaustion of IPv4 global
addresses would be one of the bottlenecks on deploying clouds in the
future. While the important and urgency of IPv4/IPv6 transition has
been studied widely, the support of IPv6 in OpenStack is still in its
early stage. For example, the private addresses assigned to
instances are not favored in IPv6, and the concepts like "Floating
IP" have no counterparts in IPv6. Therefore, the structure of
OpenStack should be extended to meet the need of IPv6 clouds. This
Bai, et al. Expires March 25, 2015 [Page 2]
Internet-Draft IPv4/IPv6 Transition Practice in OpenStack September 2014
document presents the analysis to extend OpenStack to IPv6. Based on
the extensions presented in this document, it can be shown that using
stateful IPv4/IPv6 translator, the external IPv6-only hosts can
access the existing IPv4-only VMs in OpenStack. We have installed a
new module in OpenStack which enables internal IPv6 support for
OpenStack. By using stateless IPv4/IPv6 translator, external
IPv4-only hosts can access the IPv6-only VMs in OpenStack.
2. IPv4/IPv6 access to IPv4-only Cloud
2.1. Current IPv4 OpenStack Network Structures
Current IPv4 OpenStack network structure can be described as follows.
Rather than directly connect to public network, VM instances are
resided in "Private networks" under their respective tenants and are
assigned with private addresses. To be accessed from the external
networks, those private networks should be linked to public networks
via a virtual device called "virtual router". Some key concepts and
typical techniques of this structure are:
VLAN: VLAN are used to accomplish the segregation of tenants, each
tenant receives one VLAN tag.
Subnets: Each tenant can further divide their networks into
"subnets" with different IP address pool.
NAT: When instances need to access external networks, they share a
public address that is owned by the virtual router.
Floating IP: This is the core concept of OpenStack network
structure. When instances need to be accessed from external
networks, each instance associates its private address with a
public address. The private address is mapped to the public
address on outgoing flow and the public address is mapped to the
private address on ingoing flow, and the mapping is implemented by
the virtual router.
2.2. IPv4 Accessibility directly
In this scenario, instances without Floating IPs could access
external IPv4 Internet via NAT as shown in Figure 1. Here,
40.40.40.40 is the address of the gateway of the virtual router, and
30.30.30.30 is the server that instance want to access. Port1 and
port2 are two different ports, the dynamic mapping relationship is
maintained by the virtual router.
Bai, et al. Expires March 25, 2015 [Page 3]
Internet-Draft IPv4/IPv6 Transition Practice in OpenStack September 2014
+------------------+--------------+-----------------+
| |Internal IPv4 |External IPv4 |
+------------------+--------------+-----------------+
|src(IPv4 Cloud) |10.0.0.1:port1|40.40.40.40:port2|
+------------------+--------------+-----------------+
|dst(IPv4 Internet)|30.30.30.30:80|30.30.30.30:80 |
+------------------+--------------+-----------------+
40.40.40.40 is the gateway of the router
Figure 1: IPv4 cloud access the IPv4 Internet
With Floating IP, IPv4 Internet can access the VM instances as shown
in Figure 2. Here, address 10.0.0.1 is associated with address
40.40.40.41, their static mapping is implemented in the virtual
router.
+------------------+-----------------+-----------------+
| |Internal cloud |External cloud |
+------------------+-----------------+-----------------+
|src(IPv4 Internet)|30.30.30.30:port1|30.30.30.30:port1|
+------------------+-----------------+-----------------+
|dst(IPv4 Cloud) |10.0.0.1:80 |40.40.40.41:80 |
+------------------+-----------------+-----------------+
Figure 2: IPv4 Internet access IPv4 cloud
2.3. IPv6 Accessibility via IPv4/IPv6 translator
This scenario corresponds to the Scenario 3 defined in [RFC6144]:
IPv6 Internet accesses IPv4 network, where the cloud is considered as
an IPv4 network.
As described in [RFC6052], [RFC6145], [RFC6146] and [RFC6147], the
IPv6 prefix, an IPv4 pool to represent the external IPv6 hosts, the
pool for the floating IP, and the DNS AAAA record to represent
IPv4-converted floating IP are configured. The example is shown in
Figure 3, where the IPv6 prefix=2001:da8:e164::/48, the IPv4 pool to
represent the external IPv6 hosts=202.38.97.0/24, the pool for the
floating IP=121.194.167.196/24.
Bai, et al. Expires March 25, 2015 [Page 4]
Internet-Draft IPv4/IPv6 Transition Practice in OpenStack September 2014
+------------------+-------------------------+-------------------------+
| |External IPv6 |Xlate IPv6 side |
+------------------+-------------------------+-------------------------+
|src(IPv6 Internet)|2001:250:3:0:7a26:cbff:: |2001:da8:e164:ca26:6118::|
|port |random port |random port |
+------------------+-------------------------+-------------------------+
|dst(IPv4 Cloud) |2001:da8:e164:79c2:a7c4::|2001:da8:e164:79c2:a7c4::|
|port |80 |80 |
+------------------+-------------------------+-------------------------+
(cont.)
+------------------+---------------+-------------+
| |Xlate IPv4 side|Internal IPv4|
+------------------+---------------+-------------+
|src(IPv6 Internet)|202.38.97.24 |202.38.97.24 |
|port |random port |random port |
+------------------+---------------+-------------+
|dst(IPv4 Cloud) |121.194.167.196|10.10.1.5 |
|port |80 |80 |
+------------------+---------------+-------------+
Figure 3: IPv6 Internet accesses IPv4 Cloud
In this scenario, IPv6 Internet could gain the ability to access
those IPv4 clouds, as long as the instances are associated with
Floating IPs.
3. IPv4/IPv6 access to IPv6-only Cloud
3.1. Analysis and recommendations for the Internal Structure of IPv6
OpenStack
Since the internal support for IPv6 on OpenStack is still in its very
early stage, the IPv6 extension must be developed inside the
OpenStack cloud. The building blocks for the extension includes the
IPv6 address assignment and the floating IPv4 equivalent mechanisms.
For address assignment, several different mechanisms like DHCPv6 and
SLAAC could be used. For external IPv6 access, three possible
solutions could be used, they're NAT66 (like NPT66 defined in
[RFC6296]), ND Proxy (defined in [RFC4389]) and enabling
autoconfiguration of the IPv6 routing protocols (OSPF, BGP).
For NAT66, private addresses like ULA could be used in internal
network, while they're associated to a public address, and this
structure is similar to the IPv4 structure. However, as NAT is
deprecated in IPv6 to ensure end-to-end transparency, this scheme is
strongly opposed by IPv6 community.
Bai, et al. Expires March 25, 2015 [Page 5]
Internet-Draft IPv4/IPv6 Transition Practice in OpenStack September 2014
For ND Proxy, based on the hierarchical address structure, the proxy
rules can be set at the edge of the cloud. Therefore, the router
interface will take the responsibility to respond all the neighbour
discovery request for internal networks. At the current stage, it is
considered that this structure requires minimum changes to both the
OpenStack internal structure, as well as the IPv6 architecture.
For enabling and autoconfiguration of the IPv6 routing protocols
(OSPF, BGP), the virtual router of OpenStack may interact with the
external routers to exchange the routing information to create
routes. However, the function of virtual router in OpenStack is
based on Linux Kernel, and support for a complicated router protocol
would be overkilling for those virtual routers.
Therefore, it is clear that:
1. The NAT66 is almost identical to the current OpenStack IPv4
network structure, while the ND proxy and routing protocol are
not.
2. The NAT66 doesn't maintain the end-to-end transparency in IPv6,
while ND proxy and routing protocol do.
3. The NAT66 scheme will use ULA address inside the cloud, while ND
proxy and routing protocol are using global IPv6 addresses.
4. For ND Proxy, any global address with prefix longer than /64
could be used and therefore the SLAAC should not be used.
5. Routing protocol needs interation with the upstream router, while
NAT66 and ND proxy do not.
As a conclusion, we recommend ND Proxy as the best solution among the
three mentioned above, as it requires the minimum changes to both
internal and external networks, and no additional configurations are
required on upstream router.
3.2. IPv4 Accessibility via Translation
This scenario corresponds to Scenario 2 defined in [RFC6144], where
IPv6 Internet can access IPv6 cloud directly, and IPv4 Internet can
access IPv6 cloud using stateless translator. Using the ND proxy
mechanism described in Section 3.1, the IPv6 Internet Access IPv6
Cloud and the IPv4 Internet Access IPv6 Cloud are shown in Figure 4
and Figure 5, respectively.
Bai, et al. Expires March 25, 2015 [Page 6]
Internet-Draft IPv4/IPv6 Transition Practice in OpenStack September 2014
+------------------+------------------------+------------------------+
| |External IPv6 |Internal IPv6 |
+------------------+------------------------+------------------------+
|src(IPv6 Internet)|2001:250:3:0:7a26:cbff::|2001:250:3:0:7a26:cbff::|
|port |random port |random port |
+------------------+------------------------+------------------------+
|dst(IPv6 Cloud) |2001:250:ca26:6f05::400f|2001:250:ca26:6f05::400f|
|port |80 |80 |
+------------------+------------------------+------------------------+
Figure 4: IPv6 Internet accesses IPv6 Cloud
+------------------+-------------+--------------------+
| |External IPv4|Internal IPv6 |
+------------------+-------------+--------------------+
|src(IPv4 Internet)|30.30.30.30 |2001:250:1e1e:1e1e::|
|port |random port |random port |
+------------------+-------------+--------------------+
|dst(IPv6 Cloud) |202.38.111.5 |2001:250:ca26:6f05::|
|port |80 |80 |
+------------------+-------------+--------------------+
Figure 5: IPv4 Internet accesses IPv6 Cloud
3.2.1. 1:N Stateless Translation
Due to the IPv4 address depletion, the public IPv4 addresses need to
be shared for the cloud environment. Using the method described in
[I-D.bcx-address-fmt-extension], the IPv4 address sharing ratio can
be achieved as high as 4096. The example is shown in Figure 6.
Bai, et al. Expires March 25, 2015 [Page 7]
Internet-Draft IPv4/IPv6 Transition Practice in OpenStack September 2014
+------------------+-------------+-------------------------+
| |External IPv4|Internal IPv6 |
+------------------+-------------+-------------------------+
|src(IPv4 Internet)|30.30.30.30 |2001:250:1e1e:1e1e:: |
|port |random port |random port |
+------------------+-------------+-------------------------+
|dst1(IPv6 Cloud) |202.38.111.5 |2001:250:ca26:6f05:4000::|
|port |80 |80 |
+------------------+-------------+-------------------------+
|dst2(IPv6 Cloud) |202.38.111.5 |2001:250:ca26:6f05:4001::|
|port |81 |81 |
+------------------+-------------+-------------------------+
dst1 and dst2 share the common IPv4 global addresses
202.38.111.5 by multiplexing ports.
Figure 6: IPv4 Internet Access IPv6 Cloud with IPv4 address sharing
3.2.2. HTTP Redirection for Web Servers
However, this address format limits the use of port in instances, for
example, the suffix of the port may be fixed to the offset defined in
the address. For a certain server, rather than use the standard port
numbers like 80 for HTTP server, the server must use non standard
ports like 81 or 82. To solve this problem, redirection could be
used for web servers. For web server, translator would look up the
domain name, then redirect to the corresponding VM instance. In this
way, different cloud servers could share the same IPv4 address and
the same (standard) port to provide service. An example is shown in
Figure 7.
Bai, et al. Expires March 25, 2015 [Page 8]
Internet-Draft IPv4/IPv6 Transition Practice in OpenStack September 2014
+------------------+---------------+-------------------------+
| |External IPv4 |Internal IPv6 |
+------------------+---------------+-------------------------+
|src(IPv4 Internet)|30.30.30.30 |2001:250:1e1e:1e1e:: |
|port |random port |random port |
+------------------+---------------+-------------------------+
|dst1(IPv6 Cloud) |202.38.111.5 |2001:250:ca26:6f05:4001::|
|port |80 |80 |
|domain name |vm1.example.com|vm1.example.com |
+------------------+---------------+-------------------------+
|dst2(IPv6 Cloud) |202.38.111.5 |2001:250:ca26:6f05:4002::|
|port |80 |80 |
|domain name |vm2.example.com|vm2.example.com |
+------------------+---------------+-------------------------+
dst1 and dst2 share the common IPv4 global addresses
202.38.111.5 and standard port 80, they provide services by
standard port 80.
Figure 7: IPv4 Internet Access IPv6 Cloud with HTTP redirection
4. Summary
In current IPv4-only OpenStack, by using extended translation
mechanisms, IPv6 Internet could access IPv4 cloud with little
modification inside the cloud, while native IPv4 accessibility is
remained. By extending IPv6 support in OpenStack, including address
assignment mechanisms and ND Proxy, IPv6 in OpenStack cloud is
enabled. By deploying improved translators and proxies, the
IPv6-only cloud can provide services like SSH (in the case of IPv4
address sharing, using address plus port) and HTTP (in the case of
IPv4 address sharing, using address plus port directly or DNS with
HTTP redirect) to both native IPv6 and IPv4 with IPv4 address sharing
ability.
5. Security Considerations
This document does not introduce any new security considerations.
6. IANA Considerations
None.
7. Acknowledgments
The authors would like to acknowledge the following contributors of
this document: Rong Jin, Qiuhan Ding and Weicai Wang.
Bai, et al. Expires March 25, 2015 [Page 9]
Internet-Draft IPv4/IPv6 Transition Practice in OpenStack September 2014
8. Normative References
[I-D.bcx-address-fmt-extension]
Bao, C. and X. Li, "Extended IPv6 Addressing for Encoding
Port Range", draft-bcx-address-fmt-extension-02 (work in
progress), October 2011.
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets", BCP
5, RFC 1918, February 1996.
[RFC4389] Thaler, D., Talwar, M., and C. Patel, "Neighbor Discovery
Proxies (ND Proxy)", RFC 4389, April 2006.
[RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
October 2010.
[RFC6144] Baker, F., Li, X., Bao, C., and K. Yin, "Framework for
IPv4/IPv6 Translation", RFC 6144, April 2011.
[RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
Algorithm", RFC 6145, April 2011.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers", RFC 6146, April 2011.
[RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van
Beijnum, "DNS64: DNS Extensions for Network Address
Translation from IPv6 Clients to IPv4 Servers", RFC 6147,
April 2011.
[RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
Translation", RFC 6296, June 2011.
Authors' Addresses
Yi Bai
CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University
Beijing 100084
CN
Phone: +86 10-62785983
Email: yibai.thu@gmail.com
Bai, et al. Expires March 25, 2015 [Page 10]
Internet-Draft IPv4/IPv6 Transition Practice in OpenStack September 2014
Congxiao Bao
CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University
Beijing 100084
CN
Phone: +86 10-62785983
Email: congxiao@cernet.edu.cn
Kevin Yin
Cisco Systems
No. 2 Jianguomenwai Ave, Chaoyang District
Beijing 100022
China
Phone: +86-10-8515-5094
Email: wkyin@cisco.com
Xing Li
CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University
Beijing 100084
CN
Phone: +86 10-62785983
Email: xing@cernet.edu.cn
Bai, et al. Expires March 25, 2015 [Page 11]