OpenShift SDN / SDN-5435

[OVN-Kubernetes, IPv6] ensure RAs from GW routers of other nodes do not reach the workload LSPs


    • Story
    • Resolution: Unresolved
    • Critical
    • OVN Kubernetes
    • BU Product Work
    • OCPSTRAT-1613 - Enhance User Defined Networks: Add support for Services(Full), EIP(Full), NetPol: GA

      Per the design, the logical switch that implements the layer2 network will have LSPs representing both the local GW router as well as the remote GW routers (in order to implement features like services / egress IPs).

      For IPv6 to work properly, we need to ensure these "remote" GW routers do not advertise their RAs outside the node they run on - thus we need to install ACLs applying to the logical switch that would drop RAs belonging to these "remote" GW routers.

      matching expression

      • "allow locally generated RAs": acl1: from-lport, prio 2000, match: "inport == <local-GR-port> && nd_ra" then allow
      • "drop all other RAs": acl2: from-lport, prio 1000, match: "nd_ra" then drop
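
The two ACLs above written as `ovn-nbctl acl-add` invocations, with a check over `acl-list` output, as an added example that is not OVN-Kubernetes code. The switch and port names are constructed, the name allowlist is an assumption, and the `acl-list` line layout (direction, priority, parenthesised match, verdict) is assumed.

```bash
#!/usr/bin/env bash
# Added example (not OVN-Kubernetes code). Names below are constructed.

# Print one acl-add command, or run it against the NB DB when APPLY=1.
_acl() {  # $1=switch  $2=priority  $3=match  $4=verdict
    if [ "${APPLY:-0}" = 1 ]; then
        ovn-nbctl --may-exist acl-add "$1" from-lport "$2" "$3" "$4"
    else
        printf "ovn-nbctl --may-exist acl-add %s from-lport %s '%s' %s\n" \
            "$1" "$2" "$3" "$4"
    fi
}

# Emit both ACLs from the issue. $1 = layer2 logical switch,
# $2 = LSP of the node-local GW router (<local-GR-port> in the issue).
ra_guard_acls() {
    for n in "$1" "$2"; do
        # The port name lands inside a quoted OVN match string, so only a
        # conservative character set is accepted (assumed allowlist).
        case "$n" in
            ''|*[!A-Za-z0-9_.-]*) echo "unsafe name: $n" >&2; return 2 ;;
        esac
    done
    _acl "$1" 2000 "inport == \"$2\" && nd_ra" allow &&
    _acl "$1" 1000 "nd_ra" drop
}

# Read `ovn-nbctl acl-list <switch>` output on stdin (assumed layout:
# direction priority (match) verdict). Succeeds only if the catch-all RA
# drop exists and the local-port allow has a strictly higher priority.
ra_guard_ok() {  # $1 = LSP of the node-local GW router
    awk -v want="(inport == \"$1\" && nd_ra)" '
        $1 != "from-lport" { next }
        {
            prio = $2 + 0; verdict = $NF; m = $0
            sub(/^[^(]*/, "", m); sub(/[ \t]+[^ \t]+[ \t]*$/, "", m)
            if (m == "(nd_ra)" && verdict == "drop" && prio > drop) drop = prio
            if (m == want && verdict == "allow" && prio > allow) allow = prio
        }
        END { exit !(drop > 0 && allow > drop) }'
}

# Constructed sample of acl-list output for a correctly guarded switch.
SAMPLE_ACL_LIST='from-lport  2000 (inport == "gr-port-node1" && nd_ra) allow
from-lport  1000 (nd_ra) drop'
```
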

      Also take into account that the proper solution is the future "transit router" topology feature from OVN that is in progress:

              oshoval@redhat.com Or Shoval
              mduarted@redhat.com Miguel Duarte de Mora Barroso