1

I'm considering adding a keepalived load balancer to our infrastructure but I have some requirements which seem to be outside the normal configuration.

All our servers have public IP addresses, both IPv4 and IPv6. Some servers only have IPv4 addresses and I can use those behind keepalived and with arp_ignore.

IPv6 doesn't use ARP and I have not been able to find what, if anything, needs to be done to support direct routing with IPv6 addresses (or if it is even possible with keepalived).

Anyone have experience with keepalived + IPv6 + Direct routing?

user997904

1 Answer

2

keepalived uses Neighbor Discovery. From the 1.2.0 change log:

  • VRRP : Implement IPv6 Neighbour Discovery protocol (NDISC). In IPv6 gratuitous ARP doesn't exist since ARP is IPv4 only. NDISC can provide the same feature by sending so called Unsolicited Neighbour Advertisement.

IPv4 and IPv6 on the same instance doesn't work via VRRP. Separate address families in instances in a sync group, or a virtual_ipaddress_excluded block.


Technically, the VRRP bit isn't IP routing as nodes are neighbors on the subnet; it doesn't go through a gateway. Which makes the direct routing overloaded term unfortunate.


Edit: regarding not making the real backend servers claim the VIP permanently, again this can be via ND. Unfortunately, the RHEL direct routing examples don't cover this for v6. I think you could set net.ipv6.conf.interface.drop_unsolicited_na = 1. If not, you can filter the ICMPv6 messages.

John Mahowald
  • I fail to see how that applies to direct routing in keepalived. In IPv4 I use arptables or sysctl to have the real servers not send out ARP messages for the virtual IP address, since the director is the only one that should receive incoming connections. – user997904 May 02 '19 at 10:05
  • Ah, you meant the backend and not the router HA. Again this is ND, ARP isn't a thing for v6. See edit. – John Mahowald May 02 '19 at 13:24
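
A director-side keepalived.conf sketch of the layout the answer describes: one VRRP instance per address family, tied together in a sync group, with an IPv6 virtual server in direct-routing mode. This is an added example, not configuration from the question or the answer. The interface name, instance and group names, virtual_router_id values, and all addresses (RFC 5737 / RFC 3849 documentation ranges) are assumptions, and real-server settings are not shown.

```conf
# Both instances fail over together, so the IPv4 and IPv6 VIPs
# always live on the same director.
vrrp_sync_group VG_LB {
    group {
        VI_V4
        VI_V6
    }
}

# IPv4 VIP only: address families are not mixed inside one instance.
vrrp_instance VI_V4 {
    state BACKUP
    interface eth0              # assumed interface name
    virtual_router_id 51        # assumed VRID
    priority 100
    advert_int 1
    virtual_ipaddress {
        192.0.2.10/24           # placeholder IPv4 VIP
    }
}

# IPv6 VIP only: on takeover keepalived announces it with unsolicited
# Neighbour Advertisements instead of gratuitous ARP.
vrrp_instance VI_V6 {
    state BACKUP
    interface eth0
    virtual_router_id 52        # assumed VRID
    priority 100
    advert_int 1
    virtual_ipaddress {
        2001:db8::10/64         # placeholder IPv6 VIP
    }
}

# IPv6 virtual service in direct-routing mode.
virtual_server 2001:db8::10 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    protocol TCP
    real_server 2001:db8::101 80 {   # placeholder real server
        weight 1
        TCP_CHECK {
            connect_timeout 3
        }
    }
}
```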