[v3.29] force IPv6 uplink AddInterfaceAddress mask#925
Merged
sknat merged 1 commit intorelease/v3.29.0from Feb 27, 2026
Merged
Conversation
On some deployments, uplink IPv6 addresses can be programmed in VPP with host prefixes (`/128`) which means there is no connected subnet on the interface. Neighbor discovery can still learn MAC/IP entries, but VPP may create host/adj-fib behavior that effectively treats off-subnet neighbors as attached, causing forwarding to become `UNRESOLVED` for certain peers and intermittently override expected default-route forwarding. The failure is intermittent because it is timing-dependent: whether VPP learns the neighbor (via NDP) before or after the default route is installed, and on neighbor aging/re-learning cycles. Introduced CALICOVPP_DEBUG.uplinkSubnetMask (default: 64) to force all IPv6 uplink interface AddInterfaceAddress calls in vpp-manager to use this mask, regardless of the source netmask from Linux interface. This keeps neighbor/MAC learning behavior while ensuring uplink IPv6 addresses are installed with a connected-prefix mask that avoids host-prefix adjacency edge cases. Signed-off-by: Aritra Basu <aritrbas@cisco.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
RCA:
On some deployments, uplink IPv6 addresses can be programmed in VPP with host prefixes (
/128) which means there is no connected subnet on the interface. Neighbor discovery can still learn MAC/IP entries, but VPP may create host/adj-fib behavior that effectively treats off-subnet neighbors as attached, causing forwarding to becomeUNRESOLVEDfor certain peers and intermittently override expected default-route forwarding.The failure is intermittent because it is timing-dependent: whether VPP learns the neighbor (via NDP) before or after the default route is installed, and on neighbor aging/re-learning cycles.
Fix:
When configuring IPv6 addresses on the VPP uplink interface via
AddInterfaceAddress, override the Linux-sourced netmask with a configurable value (default/64). This creates a connected/64prefix on the uplink, so that:The mask override is controlled by a new debug config field
uplinkSubnetMask(default: 64, range: [1, 128]) in theCALICOVPP_DEBUGConfigMap.