Networking with IPv6

Note: Networking with IPv6 has only been tested on Beryllium, and requires support in the tenant data center, as well as in the access network.

Although many networks are prepared for IPv6, it is still not the default operational mode and configuring a network based on IPv6 therefore requires a somewhat special approach. For basic concepts, see


Firstly, the network connecting the client to the cloud needs to have IPv6 connectivity. Network support can easily be found by opening in a web browser. Another simple test is to ping an IPv6 host, like, by the command

ping -6

Create network and subnet

In principle, IPv6 is easy to configure since it does not need or support SNAT. To set up an IPv6 network, the user needs to have an IPv6 address range.

A network and subnet need to be created like for IPv4, but with the IPv6 address range in CIDR format, which determines the address allocation pool. In the Beryllium release, there are no logical routers. In Contrail, the subnet is connected directly to the Internet VRF, and the gateway is provided (and its address assigned) by Contrail.

Under Networks, click Create Network to open the configuration form. Enter network name, subnet name, network address range in CIDR format and IP version (Figure 1).

Figure 1. Configuration of IPv6 address range.

Under Subnet Details, the IPv6 Address Configuration Mode is typically set to DHCPv6 (stateless or stateful). The DNS Name Servers can for example be set to Google DNS IPv6 addresses 2001:4860:4860::8888 and 2001:4860:4860::8844 (Figure 2).

Figure 2. Configuration of DHCPv6 and DNS6.

Configure security groups

The security group templates in Horizon do not contain any predefined traffic types for IPv6. Just like for IPv4, all types of egress traffic is allowed by default, but to be able to ping an instance over IPv6, ingress ICMP6 needs to be enabled. This is done by selecting “Other Protocol” under Add Rule to a chosen security group. The Direction is set to “Ingress” and IP Protocol to 58 - the protocol number for ICMP6. Finally, the CIDR is set to all IPv6 addresses, that is ::/0 (Figure 3).

Figure 3. Security group settings for ICMP6.

Similarly, ingress SSH over IPv6 needs to be enabled to be able to establish a secure communication to the instance. A straightforward work-around is to allow all ingress types of TCP over IPv6. To do this, we can from the Add Rule form simply choose “All TCP”, set Direction to “Ingress” and CIDR to ::/0 (Figure 4).

Figure 4. Security group settings for SSH over IPv6.

After adding these rules to a security group (with egress IPv4 traffic removed), it looks like in Figure 5.

Figure 5. Security group for basic IPv6 access.

Access an instance

After creating the network and configuring the security groups, it should be possible to ping an instance with the network associated over IPv6 by

ping -6 <IPv6 address>

(or even omitting the -6 flag) as shown in Figure 6.

Figure 6. Pinging an instance over IPv6.

Please not that IPv6 needs to be supported from the client to the cloud, end-to-end. Connection over SSH using IPv6 is set up with

ssh <username>@<IPv6 address>