|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * networking/multiple_networks/configuring-multi-network-policy.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: CONCEPT |
| 6 | +[id="nw-multi-network-policy-ipv6-support_{context}"] |
| 7 | += Supporting multi-network policies in IPv6 networks |
| 8 | + |
| 9 | +The ICMPv6 Neighbor Discovery Protocol (NDP) is a set of messages and processes that enable devices to discover and maintain information about neighboring nodes. NDP plays a crucial role in IPv6 networks, facilitating the interaction between devices on the same link. |
| 10 | + |
| 11 | +The Cluster Network Operator (CNO) deploys the iptables implementation of multi-network policy when the `useMultiNetworkPolicy` parameter is set to `true`. |
| 12 | + |
| 13 | +To support multi-network policies in IPv6 networks the Cluster Network Operator deploys the following set of rules in every pod affected by a multi-network policy: |
| 14 | + |
| 15 | +.Multi-network policy custom rules |
| 16 | + |
| 17 | +[source,yaml] |
| 18 | +---- |
| 19 | +kind: ConfigMap |
| 20 | +apiVersion: v1 |
| 21 | +metadata: |
| 22 | + name: multi-networkpolicy-custom-rules |
| 23 | + namespace: openshift-multus |
| 24 | +data: |
| 25 | +
|
| 26 | + custom-v6-rules.txt: | |
| 27 | + # accept NDP |
| 28 | + -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT <1> |
| 29 | + -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT <2> |
| 30 | + # accept RA/RS |
| 31 | + -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT <3> |
| 32 | + -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT <4> |
| 33 | +---- |
| 34 | + |
| 35 | +<1> This rule allows incoming ICMPv6 neighbor solicitation messages, which are part of the neighbor discovery protocol (NDP). These messages help determine the link-layer addresses of neighboring nodes. |
| 36 | +<2> This rule allows incoming ICMPv6 neighbor advertisement messages, which are part of NDP and provide information about the link-layer address of the sender. |
| 37 | +<3> This rule permits incoming ICMPv6 router solicitation messages. Hosts use these messages to request router configuration information. |
| 38 | +<4> This rule allows incoming ICMPv6 router advertisement messages, which give configuration information to hosts. |
| 39 | + |
| 40 | +[NOTE] |
| 41 | +==== |
| 42 | +You cannot edit these predefined rules. |
| 43 | +==== |
| 44 | + |
| 45 | +These rules collectively enable essential ICMPv6 traffic for correct network functioning, including address resolution and router communication in an IPv6 environment. With these rules in place and a multi-network policy denying traffic, applications are not expected to experience connectivity issues. |
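Review bot: The closing paragraph (new line 45) says that with a multi-network policy denying traffic "applications are not expected to experience connectivity issues", which reads as though the denied application traffic still flows. The rules shown accept only four ICMPv6 message types, so narrow the claim to something like "IPv6 address resolution and router discovery continue to work when a multi-network policy denies other traffic". The callouts on new lines 35-38 describe each rule as allowing "incoming" messages, but the `custom-v6-rules.txt` fragments carry no chain or direction; either state where the Cluster Network Operator applies them or drop "incoming". The rules also match on ICMPv6 type alone with no source match, and the NOTE on new line 42 says they cannot be edited, so it is worth stating explicitly that these four message types are accepted from any sender on the secondary network regardless of policy. Lastly, the ConfigMap is named `multi-networkpolicy-custom-rules` while the NOTE calls the rules predefined; a sentence on who owns this ConfigMap and what happens to manual changes would resolve the apparent contradiction. Style: new line 13 needs a comma after "IPv6 networks" and can use "CNO", since the abbreviation is introduced on new line 11.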