Hi Brain (?),

On 9/20/23 1:56 AM, Ales Musil via discuss wrote:


On Tue, Sep 19, 2023 at 9:02 PM Brain Empty via discuss <ovs-discuss@openvswitch.org <mailto:ovs-discuss@openvswitch.org>> wrote:

    Hi, I got stuck on a problem. Maybe there is something wrong with
    the OVS|OVN ACL.

    If I enable the port security group, Linux can get its IPv6
    address via DHCPv6, but Windows 2012 cannot.

    If I disable the port security group, Linux and Windows 2012 can
    both get the IPv6 address.

    After I compared the DHCPv6 packets with Wireshark, I found
    that the Windows DHCPv6 payload length is 99 and the Linux DHCPv6
    payload length is 64.

    Windows only has the `solicit` packet, no reply.

    image.png

    Linux is OK.

    image.png
    The first `solicit` packet is shown in the image; the left is Windows
    2012, the right is Linux.


    image.png


    Thanks for your help

    _______________________________________________
    discuss mailing list
    disc...@openvswitch.org <mailto:disc...@openvswitch.org>
    https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
    <https://mail.openvswitch.org/mailman/listinfo/ovs-discuss>


Hi Brian,


Please try to avoid sharing images next time, as it might not work properly for some clients.

To me it seems like the Windows machine is generating link-local addresses in an "unexpected" way. The link-local address generated by the standard EUI-64 from the Windows MAC is "fe80::200:00ff:fe0c:f24b". I don't have enough knowledge about Windows; however, it seems that the link-local address is completely random. Possible solutions are:

1) Disable the port security as you have stated already.
2) Add the random link-local address into port security.
3) Configure Windows to generate EUI-64 format (not sure if that's possible).
4) Update OVN to check if the IP is link-local only and not the specific EUI-64 address.

I'm not sure if a patch for OVN is the right way, as that would in theory allow any traffic with source fe80::/10 to go through port security.

I would take a closer look at Ales' suggestion #3 above. In the OpenStack docs for IPv6 we explicitly mention how IPv6 privacy extensions and/or address generation modes can affect guest connectivity:

https://docs.openstack.org/neutron/latest/admin/config-ipv6.html#configuring-interfaces-of-the-guest

It's something we see with both Linux and Windows guests all the time, and isn't OpenStack-specific.

-Brian
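As an added example (not code from this thread or from OVN), the EUI-64 comparison Ales describes above, modelled in Python: it derives the modified EUI-64 link-local address from a guest MAC and classifies an observed source address the way a port-security rule keyed on that address would. The MAC 00:00:00:0c:f2:4b is assumed here because it is the one that yields the "fe80::200:00ff:fe0c:f24b" address quoted above; the random Windows-style address is a constructed sample.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Return the modified EUI-64 link-local address for a 48-bit MAC.

    This is the address a port-security rule derived from the MAC expects
    to see as the guest's link-local source.
    """
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must have exactly 6 octets")
    # Insert ff:fe in the middle and flip the universal/local bit (bit 1 of byte 0).
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + bytes(iid))


def classify_source(mac: str, src: str) -> str:
    """Classify a guest's IPv6 source address against the EUI-64 expectation.

    'eui64-allowed'      : matches the MAC-derived link-local address
    'random-lla-dropped' : link-local, but not the EUI-64 one (e.g. a
                           privacy/random interface identifier), so a rule
                           keyed on the EUI-64 address would not pass it
    'not-link-local'     : outside fe80::/10, handled by other rules
    """
    addr = ipaddress.IPv6Address(src)
    if addr not in LINK_LOCAL:
        return "not-link-local"
    if addr == eui64_link_local(mac):
        return "eui64-allowed"
    return "random-lla-dropped"


if __name__ == "__main__":
    guest_mac = "00:00:00:0c:f2:4b"          # assumed MAC behind the quoted address
    samples = [
        "fe80::200:ff:fe0c:f24b",            # EUI-64 derived (Linux-style)
        "fe80::3d2a:1b4c:9e7f:1234",         # constructed random identifier (Windows-style)
        "2001:db8::1",                       # constructed global address
    ]
    for src in samples:
        print(f"{src:28} -> {classify_source(guest_mac, src)}")
```

Running it shows that only the EUI-64 derived address is classified as allowed, which is the mismatch behind the missing DHCPv6 reply for the Windows guest.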
