Best Practices from Oracle Development's A‑Team

OCI IPv6 Routing and Security

Andrei Stoian
Principal Solutions Architect | A-Team - Cloud Solution Architects

A lot of great features have been introduced to OCI in recent months. In this blog post, we will discuss one of the newly added features, IPv6.

Why is IPv6 so important in a cloud environment? Our customers can integrate with OCI over IPv6 from their on-premises networks, and traffic to and from the Internet over IPv6 is also supported.

Key Features

For a full product description, you can consult our public documentation at this link: https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/ipv6.htm

OCI IPv6 Configuration

1. Existing VCN without IPv6 at the creation time

We can enable IPv6 on an existing VCN that was not enabled for this feature at creation time:

2. Enabling a VCN for IPv6 at the creation time

3. Enabling a VCN subnet for IPv6

You need to specify the last two hex characters from the /64 for the IPv6 CIDR block to be created:

4. IPv6 addresses on the OCI instances

When a VM is launched, it is not automatically configured with an IPv6 address, even if the subnet supports IPv6.

We need to add the IPv6 address to the instance:

After this step, we can use DHCPv6 to get the IP address:

sudo firewall-cmd --add-service=dhcpv6-client
sudo dhclient -6 ens3

Checking the VMs for the newly configured IPv6 addresses:

5. IPv6 Security

IPv6 ping from Instance 1 to Instance 2 in the same VCN but different subnets:

Instance 1 Egress Security Rule:

Instance 2 Ingress Security Rule:

Traffic testing:

Something interesting happens here: the ICMP probes are not working. Why? The security list was intentionally configured this way to show a common mistake when working with IPv6. As we can see, the permitted IP protocol is ICMP, but IPv6 uses ICMPv6. ICMPv6 (https://datatracker.ietf.org/doc/html/rfc4443) is a different protocol from ICMP. We need to change the protocol from ICMP to IPv6-ICMP in the security entries, and the traffic will start to flow.
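The ICMP/ICMPv6 mismatch described above can be caught before testing traffic by auditing the rules themselves. The following is an added example, not code from the original post or from Oracle: it assumes rules exported as dictionaries shaped like OCI security list rules (`protocol` as an IANA number string, `source` on ingress, `destination` on egress), and the sample rules are constructed using the 2001:db8::/32 documentation prefix.

```python
import ipaddress

# IANA protocol numbers, carried as strings in security rules (assumed shape).
ICMP, ICMPV6 = "1", "58"

def rule_cidr(rule):
    """Return the rule's CIDR: 'source' on ingress rules, 'destination' on egress."""
    return rule.get("source") or rule.get("destination")

def ip_version(cidr):
    """Return 4 or 6 for a CIDR block, None for non-CIDR targets such as service labels."""
    try:
        return ipaddress.ip_network(cidr, strict=False).version
    except (ValueError, TypeError):
        return None

def audit_icmp_family(rules):
    """Flag rules whose ICMP protocol does not match the address family of the CIDR."""
    findings = []
    for index, rule in enumerate(rules):
        cidr = rule_cidr(rule)
        version = ip_version(cidr)
        proto = str(rule.get("protocol"))
        if version == 6 and proto == ICMP:
            findings.append((index, cidr, "ICMP (1) does not match ICMPv6 traffic; use 58"))
        elif version == 4 and proto == ICMPV6:
            findings.append((index, cidr, "ICMPv6 (58) does not match IPv4 ICMP; use 1"))
    return findings

# Constructed sample rules; the first one reproduces the mistake from the post.
SAMPLE_RULES = [
    {"protocol": "1", "source": "2001:db8:0:1::/64", "isStateless": False},
    {"protocol": "58", "source": "2001:db8:0:1::/64", "isStateless": False},
    {"protocol": "1", "source": "10.0.1.0/24", "isStateless": False},
    {"protocol": "58", "destination": "::/0", "isStateless": False},
    {"protocol": "6", "destination": "example-service-label"},  # not a CIDR, skipped
]

if __name__ == "__main__":
    for index, cidr, message in audit_icmp_family(SAMPLE_RULES):
        print(f"rule {index} ({cidr}): {message}")
```
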

6. IPv6 Routing

Ping from Instance 1 to a host on the Internet, for example, 2001:4860:4860::8888.

First, we need to create a route entry in the routing table associated with the subnet:

Second, we need to create an egress security entry in the security list associated with the subnet:

Traffic testing:

IPv6 is a truly great IP protocol and the magic part is that it is fully supported on OCI for our customers.
