openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/nw-multi-network-policy-ipv6-suppport.adoc

47 lines
2.4 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * networking/multiple_networks/configuring-multi-network-policy.adoc
:_mod-docs-content-type: CONCEPT
[id="nw-multi-network-policy-ipv6-support_{context}"]
= Supporting multi-network policies in IPv6 networks
[role="_abstract"]
The ICMPv6 Neighbor Discovery Protocol (NDP) is a set of messages and processes that enable devices to discover and maintain information about neighboring nodes. NDP plays a crucial role in IPv6 networks, facilitating the interaction between devices on the same link.
The Cluster Network Operator (CNO) deploys the iptables implementation of multi-network policy when the `useMultiNetworkPolicy` parameter is set to `true`.
To support multi-network policies in IPv6 networks the Cluster Network Operator deploys the following set of custom rules in every pod affected by a multi-network policy:
[source,yaml]
----
kind: ConfigMap
apiVersion: v1
metadata:
name: multi-networkpolicy-custom-rules
namespace: openshift-multus
data:
custom-v6-rules.txt: |
# accept NDP
-p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT <1>
-p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT <2>
# accept RA/RS
-p icmpv6 --icmpv6-type router-solicitation -j ACCEPT <3>
-p icmpv6 --icmpv6-type router-advertisement -j ACCEPT <4>
----
where:
`icmpv6-type neighbor-solicitation`:: This rule allows incoming ICMPv6 neighbor solicitation messages, which are part of the neighbor discovery protocol (NDP). These messages help determine the link-layer addresses of neighboring nodes.
`icmpv6-type neighbor-advertisement`:: This rule allows incoming ICMPv6 neighbor advertisement messages, which are part of NDP and provide information about the link-layer address of the sender.
`icmpv6-type router-solicitation`:: This rule permits incoming ICMPv6 router solicitation messages. Hosts use these messages to request router configuration information.
`icmpv6-type router-advertisement`:: This rule allows incoming ICMPv6 router advertisement messages, which give configuration information to hosts.
[NOTE]
====
You cannot edit the predefined rules.
====
The rules collectively enable essential ICMPv6 traffic for correct network functioning, including address resolution and router communication in an IPv6 environment. With these rules in place and a multi-network policy denying traffic, applications are not expected to experience connectivity issues.
View Git Blame Copy Permalink