IPv6 fragmentation/MTU issue on IceHouse/Ubuntu 14.04
I am seeing a strange IPv6 fragmentation issue, and I am not sure whether it is an OpenStack/Neutron issue or a base kernel issue. I am doing ping6 from an external network toward an OpenStack VM.
ping6 -s 1600 XXXX:0:60:102a:f816:3eff:fe56:6033
The incoming fragmented IPv6 packet reaches the "qvb" interface, as shown by tcpdump below:
16:17:20.050062 IP6 XXXX:0:60:1034:250:56ff:fe9d:b80 > XXXX:0:60:102a:f816:3eff:fe56:6033: frag (0|1448) ICMP6, echo request, seq 4837, length 1448
16:17:20.050065 IP6 XXXX:0:60:1034:250:56ff:fe9d:b80 > XXXX:0:60:102a:f816:3eff:fe56:6033: frag (1448|160)
But it appears that the packet gets reassembled into a large packet inside the "qbr" interface, as shown by tcpdump below:
16:19:39.090039 IP6 XXXX:0:60:1034:250:56ff:fe9d:b80 > XXXX:0:60:102a:f816:3eff:fe56:6033: ICMP6, echo request, seq 4976, length 1608
Then, that same packet cannot be seen entering the "tap" interface.
It should not be getting lost in security rules, since the "all icmpv6" rule counter for the incoming chain keeps going up.
ip6tables -L neutron-openvswi-i240cac09-e -v -n
53 25776 RETURN icmpv6 * * ::/0 ::/0
One more bit of information. By setting net.bridge.bridge-nf-call-ip6tables=0, the fragmentation issue goes away. The packets are correctly sent through the qbr bridge fragmented and can enter the tap interface. This proves that packet reassembly took place in netfilter/iptables. However, by setting "bridge-nf-call-ip6tables" to 0, all OpenStack ip6tables security rules are disabled.
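The comparison of the two capture points described above can be automated instead of read by eye. The following is an added example, not part of the original post: it parses tcpdump lines in the format quoted above and flags flows that arrive as fragments at one capture point but show up as a single packet larger than the MTU at the next. The function names are hypothetical, and the 1500-byte MTU is an assumption, since the post does not state it.

```python
import re

# Constructed sample input: tcpdump lines in the format shown in the post,
# with the address prefix masked as XXXX exactly as the post masks it.
QVB = """\
16:17:20.050062 IP6 XXXX:0:60:1034:250:56ff:fe9d:b80 > XXXX:0:60:102a:f816:3eff:fe56:6033: frag (0|1448) ICMP6, echo request, seq 4837, length 1448
16:17:20.050065 IP6 XXXX:0:60:1034:250:56ff:fe9d:b80 > XXXX:0:60:102a:f816:3eff:fe56:6033: frag (1448|160)
"""
QBR = """\
16:19:39.090039 IP6 XXXX:0:60:1034:250:56ff:fe9d:b80 > XXXX:0:60:102a:f816:3eff:fe56:6033: ICMP6, echo request, seq 4976, length 1608
"""

IPV6_HDR = 40       # fixed IPv6 header size in bytes
ASSUMED_MTU = 1500  # assumption: the post does not state the link MTU
LINE = re.compile(r"^\S+ IP6 (\S+) > (\S+): (.*)$")
FRAG = re.compile(r"^frag \((\d+)\|(\d+)\)")   # tcpdump prints frag (offset|length)
WHOLE = re.compile(r"length (\d+)$")

def summarize(capture):
    """Per (src, dst) flow: payload bytes covered by fragments, and unfragmented sizes."""
    flows = {}
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, dst, rest = m.groups()
        flow = flows.setdefault((src, dst), {"frag_bytes": 0, "frags": 0, "whole": []})
        f, w = FRAG.match(rest), WHOLE.search(rest)
        if f:  # highest offset + length seen is the size of the reassembled payload
            flow["frag_bytes"] = max(flow["frag_bytes"], int(f.group(1)) + int(f.group(2)))
            flow["frags"] += 1
        elif w:
            flow["whole"].append(int(w.group(1)))
    return flows

def reassembled_before(upstream, downstream, mtu=ASSUMED_MTU):
    """Flows fragmented at the upstream capture point but seen as one packet,
    larger than the MTU once the IPv6 header is added, at the downstream one."""
    up, down = summarize(upstream), summarize(downstream)
    return [(flow, u["frags"], size, size + IPV6_HDR)
            for flow, u in up.items() if u["frags"] >= 2
            for size in down.get(flow, {"whole": []})["whole"]
            if size == u["frag_bytes"] and size + IPV6_HDR > mtu]

if __name__ == "__main__":
    for (src, dst), n, size, on_wire in reassembled_before(QVB, QBR):
        print(f"{src} > {dst}: {n} fragments upstream, one {on_wire}-byte packet downstream")
```

The fragment sizes at qvb (1448 + 160) add up to the 1608-byte payload seen at qbr, so the check matches on size rather than on the ICMPv6 sequence number, which differs because the two captures were taken at different times.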