modules/nw-multi-network-policy-ipv6-suppport.adoc

// Module included in the following assemblies:
//
// * networking/multiple_networks/configuring-multi-network-policy.adoc

:_mod-docs-content-type: CONCEPT
[id="nw-multi-network-policy-ipv6-support_{context}"]
= Supporting multi-network policies in IPv6 networks

[role="_abstract"]
The ICMPv6 Neighbor Discovery Protocol (NDP) is a set of messages and processes that enable devices to discover and maintain information about neighboring nodes. NDP plays a crucial role in IPv6 networks, facilitating the interaction between devices on the same link.

The Cluster Network Operator (CNO) deploys the iptables implementation of multi-network policy when the `useMultiNetworkPolicy` parameter is set to `true`.

To support multi-network policies in IPv6 networks the Cluster Network Operator deploys the following set of custom rules in every pod affected by a multi-network policy:

[source,yaml]
----
kind: ConfigMap
apiVersion: v1
metadata:
  name: multi-networkpolicy-custom-rules
  namespace: openshift-multus
data:

  custom-v6-rules.txt: |
    # accept NDP
    -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT <1>
    -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT <2>
    # accept RA/RS
    -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT <3>
    -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT <4>
----

where:

`icmpv6-type neighbor-solicitation`:: This rule allows incoming ICMPv6 neighbor solicitation messages, which are part of the neighbor discovery protocol (NDP). These messages help determine the link-layer addresses of neighboring nodes.
`icmpv6-type neighbor-advertisement`:: This rule allows incoming ICMPv6 neighbor advertisement messages, which are part of NDP and provide information about the link-layer address of the sender.
`icmpv6-type router-solicitation`:: This rule permits incoming ICMPv6 router solicitation messages. Hosts use these messages to request router configuration information.
`icmpv6-type router-advertisement`:: This rule allows incoming ICMPv6 router advertisement messages, which give configuration information to hosts.

[NOTE]
====
You cannot edit the predefined rules.
====

The rules collectively enable essential ICMPv6 traffic for correct network functioning, including address resolution and router communication in an IPv6 environment. With these rules in place and a multi-network policy denying traffic, applications are not expected to experience connectivity issues.
TELCODOCS-999 Support MultiNetworkPolicies in IPv6 networks 2024-01-02 14:35:37 +00:00			`// Module included in the following assemblies:`
			`//`
			`// * networking/multiple_networks/configuring-multi-network-policy.adoc`

			`:_mod-docs-content-type: CONCEPT`
			`[id="nw-multi-network-policy-ipv6-support_{context}"]`
			`= Supporting multi-network policies in IPv6 networks`

OSDOCS-16835: Completed the CQA2.0 for Secondary Network Advanced Config, VRF, and Policy 2025-11-19 09:59:45 +00:00			`[role="_abstract"]`
TELCODOCS-999 Support MultiNetworkPolicies in IPv6 networks 2024-01-02 14:35:37 +00:00			`The ICMPv6 Neighbor Discovery Protocol (NDP) is a set of messages and processes that enable devices to discover and maintain information about neighboring nodes. NDP plays a crucial role in IPv6 networks, facilitating the interaction between devices on the same link.`

			The Cluster Network Operator (CNO) deploys the iptables implementation of multi-network policy when the `useMultiNetworkPolicy` parameter is set to `true`.

OSDOCS-16835: Completed the CQA2.0 for Secondary Network Advanced Config, VRF, and Policy 2025-11-19 09:59:45 +00:00			`To support multi-network policies in IPv6 networks the Cluster Network Operator deploys the following set of custom rules in every pod affected by a multi-network policy:`
TELCODOCS-999 Support MultiNetworkPolicies in IPv6 networks 2024-01-02 14:35:37 +00:00
			`[source,yaml]`
			`----`
			`kind: ConfigMap`
			`apiVersion: v1`
			`metadata:`
			`name: multi-networkpolicy-custom-rules`
			`namespace: openshift-multus`
			`data:`

			`custom-v6-rules.txt: \|`
			`# accept NDP`
			`-p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT <1>`
			`-p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT <2>`
			`# accept RA/RS`
			`-p icmpv6 --icmpv6-type router-solicitation -j ACCEPT <3>`
			`-p icmpv6 --icmpv6-type router-advertisement -j ACCEPT <4>`
			`----`

OSDOCS-16835: Completed the CQA2.0 for Secondary Network Advanced Config, VRF, and Policy 2025-11-19 09:59:45 +00:00			`where:`

			`icmpv6-type neighbor-solicitation`:: This rule allows incoming ICMPv6 neighbor solicitation messages, which are part of the neighbor discovery protocol (NDP). These messages help determine the link-layer addresses of neighboring nodes.
			`icmpv6-type neighbor-advertisement`:: This rule allows incoming ICMPv6 neighbor advertisement messages, which are part of NDP and provide information about the link-layer address of the sender.
			`icmpv6-type router-solicitation`:: This rule permits incoming ICMPv6 router solicitation messages. Hosts use these messages to request router configuration information.
			`icmpv6-type router-advertisement`:: This rule allows incoming ICMPv6 router advertisement messages, which give configuration information to hosts.
TELCODOCS-999 Support MultiNetworkPolicies in IPv6 networks 2024-01-02 14:35:37 +00:00
			`[NOTE]`
			`====`
OSDOCS-16835: Completed the CQA2.0 for Secondary Network Advanced Config, VRF, and Policy 2025-11-19 09:59:45 +00:00			`You cannot edit the predefined rules.`
TELCODOCS-999 Support MultiNetworkPolicies in IPv6 networks 2024-01-02 14:35:37 +00:00			`====`

OSDOCS-16835: Completed the CQA2.0 for Secondary Network Advanced Config, VRF, and Policy 2025-11-19 09:59:45 +00:00			`The rules collectively enable essential ICMPv6 traffic for correct network functioning, including address resolution and router communication in an IPv6 environment. With these rules in place and a multi-network policy denying traffic, applications are not expected to experience connectivity issues.`