Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1687457 - Neutron doesn't allow the gateway to be the first v6 address
Summary: Neutron doesn't allow the gateway to be the first v6 address
Status: ON_DEV
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: Nate Johnston
QA Contact: Roee Agiman
Depends On:
TreeView+ depends on / blocked
Reported: 2019-03-11 14:18 UTC by David Vallee Delisle
Modified: 2019-04-05 23:01 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Launchpad 1682094 None None None 2019-03-11 14:18:44 UTC
OpenStack gerrit 647484 None None None 2019-03-25 14:31:29 UTC

Description David Vallee Delisle 2019-03-11 14:18:45 UTC
Description of problem:
It seems to be checking with rules [1] that make sense for IPv4 but not necessarily v6.

We've found this bug upstream that was closed [2].

The client treats it like any other unicast address
The benefit is the routers could have any address (like eui-64) assigned but they'll still listen for <net>::
So you don't have to know the router ip from the client config

Version-Release number of selected component (if applicable):

How reproducible:
All the time

Steps to Reproduce:
1. Create external subnet using the first address as unicast

Actual results:
openstack --debug  subnet create external-subnet --ip-version 6 --subnet-range abc:def:162:221::/64 --gateway abc:def:162:221:0:0:0:0 --network external

RESP BODY: {"NeutronError": {"message": "Invalid input for operation: Gateway is not valid on subnet.", "type": "InvalidInput", "detail": ""}}

Expected results:
It should work

Additional info:

[1] neutron/ipam/
def check_gateway_invalid_in_subnet(cidr, gateway):
    """Check whether the gw IP address is invalid on the subnet."""
    ip = netaddr.IPAddress(gateway)
    net = netaddr.IPNetwork(cidr)
    # Check whether the gw IP is in-valid on subnet.
    # If gateway is in the subnet, it cannot be the
    # 'network' or the 'broadcast address (only in IPv4)'.
    # If gateway is out of subnet, there is no way to
    # check since we don't have gateway's subnet cidr.
    return (ip in net and
            (ip == or
             (net.version == constants.IP_VERSION_4 and ip == net[-1])))


Comment 1 David Vallee Delisle 2019-03-11 14:22:02 UTC
When looking at the RFC [1], there's no mention that this can't be the gateway address.


Comment 2 Mircea Vutcovici 2019-03-21 13:12:38 UTC
As mentioned by DVD, the anycast address is used for router redundancy. It is predefined, this means that it should be considered as a valid value for neutron. However neutron validation code is based on legacy IPv4 and applied to IPv6 too. The validation code in Neutron fails to consider the address as a valid IPv6 destination address.

I am adding the excerpt from RFC4291:

   The Subnet-Router anycast address is predefined.  Its format is as
   |                         n bits                 |   128-n bits   |
   |                   subnet prefix                | 00000000000000 |

   The "subnet prefix" in an anycast address is the prefix that
   identifies a specific link.  This anycast address is syntactically
   the same as a unicast address for an interface on the link with the
   interface identifier set to zero.

   Packets sent to the Subnet-Router anycast address will be delivered
   to one router on the subnet.  All routers are required to support the
   Subnet-Router anycast addresses for the subnets to which they have

   The Subnet-Router anycast address is intended to be used for
   applications where a node needs to communicate with any one of the
   set of routers.

Comment 3 Nate Johnston 2019-03-25 14:31:30 UTC
Filed upstream change to fix this in master.

Comment 4 Nate Johnston 2019-04-01 20:49:04 UTC
I have marked the change as blocked for now upstream:

The reason for this is that while the first address is a valid address, that doesn't mean we should give it out to just anyone.  Since the first address is specific to anycast-router we should also modify Neutron IPAM to ensure that only routers get the first address.  This is a deeper code change, and is not as obvious as one might assume.  I plan on discussing with the Neutron development community in the PTG meeting in early May in Denver.  This change will be held in abeyance until that issue is resolved.

Note: Changed priority and severity to match the customer case.

Note You need to log in before you can comment on or make changes to this bug.