Windows-Containers icon indicating copy to clipboard operation
Windows-Containers copied to clipboard
verified publisher icon microsoft

Add IPv6 support to network drivers

Open akerouanton opened this issue 1 year ago • 11 comments

Hi,

moby / libnetwork maintainer here.

As the OMB memorandum M-21-07 will come into force in Sep. 2025, we started working on IPv6 improvements for Linux containers and we’ll need to add IPv6 support to Windows containers before that deadline. Since the API documentation for HNS doesn’t mention IPv6 limitations, I started playing with the API to see what roadblockers I could find.

I’m opening this ticket to document what I found and make feature requests. All the docker commands below are run against this branch: https://github.com/moby/moby/pull/48285.

So far, I only tested the nat driver, but we’ll need similar improvements for other drivers.

Here’s a TL;DR list of Feature Requests:

  • Dynamic IPv6 subnet allocations
  • Automatically add IPv6 address to containers’ adapters
  • Automatically add the required firewall policies to get outbound connectivity
  • Add a parameter to HNSNetwork to disable IPv4 (make networks IPv6-only)

Create an IPv6 network

So far, I’m able to create a network with static IPv6 subnet, but unlike IPv4, HNS won’t dynamically allocate IPv6 subnets:

# Doesn't work:
> docker network create -d nat --ipv6 testnet-ipv6
Error response from daemon: failed during hnsCallRawResponse: hnsCall failed in Win32: Element not found. (0x490)

# Works properly
> docker network create -d nat --ipv6 --subnet fdf7:50::/64 testnet-ipv6

Run a container attached to an IPv6 network

Container's IP address isn't automatically added to its interface:

# Create a container attached to that network
> docker run --rm -it --name=c0 --network=testnet-ipv6 mcr.microsoft.com/windows/servercore:ltsc2022 powershell
> docker inspect c0

# From the container's terminal:
> Get-NetIPConfiguration
InterfaceAlias       : Ethernet
InterfaceIndex       : 4
InterfaceDescription : Microsoft Hyper-V Network Adapter
IPv4Address          : 172.24.22.190
IPv6DefaultGateway   :
IPv4DefaultGateway   : 172.24.16.1
DNSServer            : 172.24.16.1
                       192.168.1.254

> New-NetIPAddress -InterfaceIndex 4 -IPAddress fdf7:50::14 -PrefixLength 64 -DefaultGateway fdf7:50::1
> Get-NetIPAddress -AddressFamily IPv6 | Foreach IPAddress
fe80::9be4:d1d6:192f:9941%4
fdf7:50::14

Ping the host from the container (and vice-versa)

Pinging the host from the container doesn't work (although the reverse does). It seems there's a missing firewall policy to allow outbound connectivity:

# From the container, ping the host:
$ ping -n 1 -6 fdf7:50::1

Pinging fdf7:50::1 with 32 bytes of data:
Request timed out.

Ping statistics for fdf7:50::1:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

# Can't ping the host, but NDP seems to work correctly
$ Get-NetNeighbor | findstr "fdf7:50::1"
4       fdf7:50::1                                         00-15-5D-F4-11-23     Reachable   ActiveStore

# From the host, ping the container:
$ ping -n 1 -6 fdf7:50::14

Pinging fdf7:50::14 with 32 bytes of data:
Reply from fdf7:50::14: time<1ms

Ping statistics for fdf7:50::14:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

And taking a look with pktmon:

[04]0000.0000::2024-08-02 08:26:51.926095500 [Microsoft-Windows-PktMon] Drop: PktGroupId 1125899906842625, PktNumber 1, Appearance 16, Direction Rx , Type IP , Component 187, Filter 1, DropReason ICMP: inspection drop , DropLocation 0xE00041C7, OriginalSize 80, LoggedSize 80 
	Drop: ip: fdf7:50::1 > fdf7:50::14: ICMP6, echo request, seq 11, length 40
[04]0000.0000::2024-08-02 08:26:51.926099700 [Microsoft-Windows-PktMon] Duplicate Drop: PktGroupId 1125899906842625, PktNumber 1, Appearance 17, Direction Rx , Type IP , Component 187, Filter 1, DropReason INET: transport endpoint was not found , DropLocation 0xE0004704, OriginalSize 80, LoggedSize 80 
	Duplicate Drop: ip: fdf7:50::14 > fdf7:50::1: ICMP6, echo request, seq 11, length 40
[04]0000.0000::2024-08-02 08:26:51.926102500 [Microsoft-Windows-PktMon] Duplicate Drop: PktGroupId 1125899906842625, PktNumber 1, Appearance 18, Direction Rx , Type IP , Component 187, Filter 1, DropReason Inspection drop , DropLocation 0xE0004134, OriginalSize 80, LoggedSize 80 
	Duplicate Drop: ip: fdf7:50::14 > fdf7:50::1: ICMP6, echo request, seq 11, length 40

...

[05]48E0.8ACC::2024-08-02 08:26:57.026926700 [Microsoft-Windows-PktMon] Component 187, Type 11, Name tcpip.sys, TCP/IPv6 - L3/L4 
[05]48E0.8ACC::2024-08-02 08:26:57.026927300 [Microsoft-Windows-PktMon] Property: Component 187, IP Address  = fe80::e232:bea9:7bb6:84a5 
[05]48E0.8ACC::2024-08-02 08:26:57.026927600 [Microsoft-Windows-PktMon] Property: Component 187, IP Address  = fdf7:50::1 
[05]48E0.8ACC::2024-08-02 08:26:57.026928000 [Microsoft-Windows-PktMon] Property: Component 187, Compartment ID  = 1 
[05]48E0.8ACC::2024-08-02 08:26:57.026928600 [Microsoft-Windows-PktMon] Property: Component 187, IpIfIndex  = 72

akerouanton avatar Aug 05 '24 15:08 akerouanton

@akarshm can you take a look at this feature request?

ntrappe-msft avatar Aug 05 '24 21:08 ntrappe-msft

@grcusanz @adrianm-msft could networking take a look at these asks? We can discuss it in the next Triage call.

ntrappe-msft avatar Aug 06 '24 22:08 ntrappe-msft

@akerouanton, which version of Windows was this tested on?

adrianm-msft avatar Aug 15 '24 16:08 adrianm-msft

I'm using Windows 11 Pro and the build number is 22631.3880.

akerouanton avatar Aug 28 '24 22:08 akerouanton

Hi, we'll be able to provide updates for your requests in a few days, once we've met with the product team.

ntrappe-msft avatar Sep 09 '24 17:09 ntrappe-msft

Hi, our current IPv6 support is documented here. As for the feature requests, I can confirm we do have this work in our timeline and have added it to our backlog.

adrianm-msft avatar Nov 06 '24 23:11 adrianm-msft

Still in the future work backlog.

ntrappe-msft avatar Jun 02 '25 21:06 ntrappe-msft

Hi there, Can you please confirm that

  1. ipv6-only support is considered for L2Bridge networking mode as well?
  2. Even HCN(HNSv2) doesn't support ipv6-only as of today?
  3. All the IPv6 networking support listed here in public documentation is dual stack, right?

KlwntSingh avatar Jun 04 '25 18:06 KlwntSingh

@grcusanz will know more than I but I can take a shot at this.

  1. Containers with l2bridge networks support the IPv6 stack.
  2. No, there is no support for IPv6 only, just IPv4.
  3. Yes, it is dual.

ntrappe-msft avatar Jun 04 '25 20:06 ntrappe-msft

@ntrappe-msft Hello! Where can I find documentation about enabling IPv6 support in l2bridge networks? I tried creating it with --ipv6 flag and got message that Windows IPAM does not support this option.

My host machine has native IPv6, interface that is set as l2bridge is in L2 segment with native IPv6 support enabled, but I am only able to create v4 networks; manual IPv6 address assignment in container does not help - no connectivity, even on low-level discovery

D13410N3 avatar Sep 05 '25 17:09 D13410N3

So far, I’m able to create a network with static IPv6 subnet, but unlike IPv4, HNS won’t dynamically allocate IPv6 subnets:

Probably an easy way forward: https://github.com/moby/moby/pull/50427 - with an actually working IPAM in place there is simply no need for HNS to do any form of dynamic allocation. HNS is effectively degraded to do validation of static networks only, as it should be the case with any IPAM.

Container's IP address isn't automatically added to its interface:

Not an issue in HNS, but a missing detail in the moby feature branch: https://github.com/moby/moby/pull/48285/files#r2367064589

Ext3h avatar Sep 22 '25 08:09 Ext3h