cni: enable IPv6 on L2 pod interfaces with v6 address #874
Open
Enable IPv6 on pod interfaces when a pod is IPv6 enabled. This ensures a link‑local address exists for NS. VPP change "ip-neighbor: do not use sas to determine NS source address" makes NS always use the interface’s link‑local address. Calico VPP pod interfaces are unnumbered and never had IPv6 explicitly enabled, so no link‑local address existed on the pod interface. This breaks IPv6 neighbor resolution and traffic.

Signed-off-by: Aritra Basu <aritrbas@cisco.com>
Summary
Enable IPv6 on L2 pod interfaces when a pod has IPv6, ensuring a link‑local address exists for neighbor discovery.

RCA
VPP change "ip-neighbor: do not use sas to determine NS source address" makes NS always use the interface’s link‑local address. Calico VPP pod interfaces are unnumbered and never had IPv6 explicitly enabled, so no link‑local address existed on the pod interface. This breaks IPv6 neighbor resolution and traffic.

The old fib_sas6_get() in VPP worked because it used adj_glean_get_src(), which finds source addresses from connected prefixes. ip6_get_link_local_address() in VPP now requires ip6_link_is_enabled() to return true. For that, the interface must have had ip6_link_enable() called, which sets up a link-local address. CalicoVPP pod interfaces did not have this, so NS failed with IP6_NEIGHBOR_ERROR_NO_SOURCE_ADDRESS.

Fix
When a pod has IPv6, call EnableInterfaceIP6 on the pod interface after admin‑up. This creates the link‑local address on the pod interface, so NS has a valid source address.

We need to do this for only L2 pod interfaces (where ND works). L3 pod interfaces do not have an Ethernet link to resolve. Enabling IPv6 on L3 pod interfaces triggers VPP to program multicast MACs on a non‑Ethernet interface via ip6_mfib_interface_enable_disable → vnet_hw_interface_add_del_mac_address, which fails because secondary MACs are not supported for those interface types.
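
An added example, not code from this PR or the Calico VPP project, of the rule described above: enable IPv6 only for an L2 pod interface of a pod that has an IPv6 address. It goes slightly beyond the text by computing the standard RFC 4291 link-local address and the RFC 2464 solicited-node multicast MAC for a constructed pod, which is what an Ethernet link needs for ND and an interface without a MAC cannot provide. The names IfKind, ShouldEnableIP6, LinkLocalFromMAC and SolicitedNode are hypothetical, and the EUI-64 derivation is an assumption for illustration, since VPP's own derivation is not shown on the page.

```go
package main

import (
	"fmt"
	"net"
)

type IfKind int // hypothetical stand-in for the pod interface flavour

const (
	L2Pod IfKind = iota // Ethernet link with a MAC, so neighbor discovery applies
	L3Pod               // no Ethernet link to resolve
)

// ShouldEnableIP6 mirrors the PR's rule: L2 pod interface and at least one IPv6 pod address.
func ShouldEnableIP6(kind IfKind, podIPs []net.IP) bool {
	for _, ip := range podIPs {
		if kind == L2Pod && ip.To4() == nil && ip.To16() != nil {
			return true
		}
	}
	return false
}

// LinkLocalFromMAC builds fe80::/64 plus the modified EUI-64 of the MAC (RFC 4291).
func LinkLocalFromMAC(mac net.HardwareAddr) (net.IP, error) {
	if len(mac) != 6 {
		return nil, fmt.Errorf("need a 48-bit MAC, got %d bytes", len(mac))
	}
	return net.IP{0xfe, 0x80, 0, 0, 0, 0, 0, 0,
		mac[0] ^ 0x02, mac[1], mac[2], 0xff, 0xfe, mac[3], mac[4], mac[5]}, nil
}

// SolicitedNode returns the NS destination group (RFC 4291) and its Ethernet MAC (RFC 2464).
func SolicitedNode(target net.IP) (net.IP, net.HardwareAddr) {
	t := target.To16()
	if t == nil {
		return nil, nil
	}
	grp := net.ParseIP("ff02::1:ff00:0")
	copy(grp[13:], t[13:]) // low 24 bits of the target address
	return grp, net.HardwareAddr{0x33, 0x33, grp[12], grp[13], grp[14], grp[15]}
}

func main() {
	ll, _ := LinkLocalFromMAC(net.HardwareAddr{0x52, 0x54, 0x00, 0x12, 0x34, 0x56}) // constructed MAC
	grp, mmac := SolicitedNode(net.ParseIP("fd00::1234:5678"))                     // constructed pod IP
	fmt.Println(ll, grp, mmac)
}
```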