[lvs-users] LVS-TUN IPv6 questions

Zenon Mousmoulas zmousm at noc.grnet.gr
Mon Oct 6 00:20:15 BST 2014


I am trying to setup a simple, dual-stack LVS-TUN cluster and I've 
stumbled on the IPv6 setup of the realserver. I did get it to work after 
all, but I still wonder whether I've got it totally wrong.

All systems are Debian Wheezy based with Linux 3.2.0, ipvsadm v1.26.

This is my working configuration:

# director
ip addr add scope global dev eth0
ip -6 addr add 2001:648:2ffc:106::85/128 scope global dev eth0 
preferred_lft 0
ipvsadm -R <<EOF
-A -t -s rr
-a -t -r -i -w 1
-A -t [2001:648:2ffc:106::85]:80 -s rr
-a -t [2001:648:2ffc:106::85]:80 -r [2001:648:2ffc:100::213]:80 -i -w 1

# realserver
ip ip addr add dev tunl0 brd
ip link set dev tunl0 up
ip -6 tunnel add lvs6tun0 mode ip6ip6 local 2001:648:2ffc:100::213 
remote 2001:648:2ffc:106::78 dev eth0
ip link set dev lvs6tun0 up
ip -6 addr add 2001:648:2ffc:106::85 dev lvs6tun0

At first I tried to setup the ipv6 tunnel interface following the 
guidelines for ipv4. I could not use tunl0 since the encapsulation is 
different (ip6ip6):

ip -6 addr add dev ip6tnl0 2001:648:2ffc:106::85/128 scope global
ip link set dev ip6tnl0 up

This didn't work; no traffic on ip6tnl0 and I noticed the realserver was 
sending icmp6 parameter problem back to the director.

Then I tried to get the director to use 6-in-4 encapsulation (SIT), 
which perhaps would be easier to setup on the realserver (like IPIP for 

ipvsadm -t [2001:648:2ffc:106::85]:80 -r -i -w 1

This also didn't work; ipvsadm -l shows this:

Prot LocalAddress:Port Scheduler Flags
   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  [2001:648:2ffc:106::85]:http rr
   -> [c2b1:d2d5:2ffc:106::85]:http Tunnel  1      0          0

This matches the 32 bits of the realserver ipv4 address + the last 96 
bits of the service address.

Finally when I did get to setup the tunnel as in the working 
configuration above, it still didn't work until I set the remote 
endpoint. Not being able to use "remote any" means I have to setup a 
different tunnel for every director.

So I wonder whether it is at all possible to use a setup similar to 
ipv4, without an explicit tunnel setup or at least without specifying a 
remote endpoint. I would rather use iptables rules to limit the 
endpoints (directors) that can send tunneled traffic to the realserver. 
I'm also curious if IPVS can do ipv6-in-ipv4 encapsulation.

Thanks in advance for your insight.

Zenon Mousmoulas

More information about the lvs-users mailing list