IPv6Configuration.md


IPv6 support in IoT Edge (Linux only)

IoT Edge can be configured to work on Linux devices that are on IPv6 networks. On Linux devices, a user-defined network named 'azure-iot-edge' is created by iotedged. All modules, including Edge Agent and Edge Hub, are deployed to this network.

To learn more about IoT Edge networking, please refer to the networking documentation.

Device specific configuration

Firstly, to configure docker to create container networks with IPv4/IPv6 dual-stack enabled, the following changes are required on the device (see the Docker IPv6 documentation for further guidance):

Configure docker for IPv4/IPv6 dual-stack support

IPv4/IPv6 dual stack support can be enabled on docker using either of the following options:

  1. Edit the /etc/docker/daemon.json file to include IPv6 configuration (the "dns" entry is optional; daemon.json is plain JSON and cannot contain comments)
{
  "ipv6": true,
  "fixed-cidr-v6": "2021:ffff:e0:3b1:0::/80",
  "dns": ["2021:ffff:0:4:fe::6464","10.55.40.50"]
}
  2. Use dockerd CLI
dockerd --ipv6 --fixed-cidr-v6 "2021:ffff:e0:3b1:0::/80" --dns "2021:ffff:0:4:fe::6464" --dns "10.55.40.50"

The value of fixed-cidr-v6 defines the subnet for the docker0 bridge network that gets created on the device. This subnet can be obtained from your IaaS provider.

Configure the public network interface

As per the docker IPv6 documentation:

  • IPv6 forwarding may interfere with your existing IPv6 configuration. If you are using Router Advertisements to get IPv6 settings for your host's interfaces, set accept_ra to 2. Otherwise IPv6 enabled forwarding will result in rejecting router advertisements. To enable router advertisements, execute the following command:
sysctl -w net.ipv6.conf.eth0.accept_ra=2
  • If your Docker host is the only part of an IPv6 subnet but does not have an IPv6 subnet assigned, you can use NDP proxying to connect your modules to the internet via IPv6. To enable NDP proxying, execute the following command:
sysctl -w net.ipv6.conf.eth0.proxy_ndp=1

The changes made using the commands above don't persist after a system restart; consider editing the /etc/sysctl.conf file instead to make these changes persist.

Please restart the docker service for the changes made above to take effect:

systemctl restart docker

Configure modules as neighbors by adding them to the neighbor proxy table

This can be achieved by either of the following two methods:

  1. Adding the route of each container/module manually

    ip -6 neigh add proxy <Container/Module IPv6 address> dev <interface such as 'eth0'>
  2. Configuring NDP Proxying daemon ndppd (Recommended)

    • To install ndppd run the following commands on your device:

      sudo apt-get update
      sudo apt-get install ndppd
    • Create /etc/ndppd.conf:

      route-ttl 5000
      proxy eth0 {
        router yes
        timeout 500
        ttl 30000
        # This is the rule for the default docker 'bridge' network.
        rule 2021:ffff:e0:3b1:0::/80 {
          auto
        }
        # This is the rule for the 'azure-iot-edge' network.
        rule 2021:ffff:e0:3b1:1::/80 {
          auto
        }
      }
      
    • Restart the ndppd service

      systemctl restart ndppd

Sample scripts

All the steps performed above can be automated using the Configure docker IPv6 and ndppd installation sample scripts.

The ndppd installation script installs and configures the NDP proxying daemon on the device. The script takes the following parameters:

  • DOCKER0_BRIDGE_SUBNET: The ipv6 subnet for the docker0 bridge network.

  • IOT_EDGE_SUBNET: The ipv6 subnet for the azure-iot-edge network.

  • NETWORK_INTERFACE: The public network interface of the device.

Sample usage:

sudo chmod +x ./installNdppd.sh
sudo ./installNdppd.sh "2021:ffff:e0:3b1:0::/80" "2021:ffff:e0:3b1:1::/80" eth0

The Configure docker IPv6 script configures docker for IPv4/IPv6 dual-stack support, enables router advertisements and NDP proxying on the specified public network interface by editing the /etc/sysctl.conf file and also executes the ndppd installation script. The script takes the following parameters:

  • DOCKER0_BRIDGE_SUBNET: The ipv6 subnet for the docker0 bridge network.

  • IOT_EDGE_SUBNET: The ipv6 subnet for the azure-iot-edge network.

  • NETWORK_INTERFACE: The public network interface of the device.

Sample usage:

sudo chmod +x ./configureDockerIPv6.sh
sudo ./configureDockerIPv6.sh "2021:ffff:e0:3b1:0::/80" "2021:ffff:e0:3b1:1::/80" eth0

IoT Edge configuration

  • Specify the IPv6 network configuration for the azure-iot-edge network in the config.yaml file of IoT Edge. The subnet defined for this network needs to be exclusive of the subnet defined in docker's daemon.json file earlier. In other words, the subnets shouldn’t overlap. The modules in the network will pick up IP addresses from this subnet. The subnet and IP ranges specified in the configuration below should match the ones picked for the azure-iot-edge network while configuring the device earlier. Sample config changes:

    moby_runtime:
      uri: "unix:///var/run/docker.sock"
      network:
        name: "azure-iot-edge"
        ipv6: true
        ipam:
          config:
            - 
                gateway: '2021:ffff:e0:3b1:1::1'
                subnet: '2021:ffff:e0:3b1:1::/80'
                ip_range: '2021:ffff:e0:3b1:1::/80'

    The key changes in the config above are the specification of the ipv6 flag with value 'true' and the IPv6 network configuration for the network itself, which includes the subnet, IP range and gateway of the azure-iot-edge container network that will be created. Details for these can be obtained from your IaaS provider.

  • Restart the IoT Edge service for the changes made above to take effect

    systemctl restart iotedge

IoT Edge will subsequently start up and create the azure-iot-edge network with IPv6 configuration as specified in the config.yaml file. Modules deployed to this network will have IPv6 addresses from within the specified subnet and IP range.

Please note that NDP proxying needs to be set up either manually or using ndppd for the IoT Edge modules to have internet connectivity.
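
The constraints described above (non-overlapping subnets, a gateway and IP range inside the azure-iot-edge subnet, and an ndppd rule for each container subnet) can be checked before the services are restarted. The following is an added example, not part of the IoT Edge repository or its sample scripts; the function name check_ipv6_plan and the way the three configuration pieces are passed in are assumptions, and the sample input is constructed from the values used on this page.

```python
import ipaddress
import json
import re

def check_ipv6_plan(daemon_json, edge_ipam, ndppd_conf):
    """Return a list of problems; an empty list means the pieces agree."""
    daemon = json.loads(daemon_json)  # strict JSON: a // comment raises here
    problems = []
    if daemon.get("ipv6") is not True:
        problems.append('daemon.json: "ipv6" must be true')
    if "fixed-cidr-v6" not in daemon:
        return problems + ['daemon.json: "fixed-cidr-v6" is missing']
    # IPv6Network raises ValueError on a malformed prefix or set host bits.
    bridge = ipaddress.IPv6Network(daemon["fixed-cidr-v6"])
    subnet = ipaddress.IPv6Network(edge_ipam["subnet"])
    ip_range = ipaddress.IPv6Network(edge_ipam["ip_range"])
    gateway = ipaddress.IPv6Address(edge_ipam["gateway"])
    if bridge.overlaps(subnet):
        problems.append(f"azure-iot-edge subnet {subnet} overlaps docker0 subnet {bridge}")
    if not ip_range.subnet_of(subnet):
        problems.append(f"ip_range {ip_range} is not inside subnet {subnet}")
    if gateway not in subnet:
        problems.append(f"gateway {gateway} is not inside subnet {subnet}")
    # Every container subnet needs an ndppd rule that covers it.
    rules = [ipaddress.IPv6Network(r)
             for r in re.findall(r"^\s*rule\s+(\S+)\s*\{", ndppd_conf, re.M)]
    for name, net in (("docker0", bridge), ("azure-iot-edge", subnet)):
        if not any(net.subnet_of(rule) for rule in rules):
            problems.append(f"ndppd.conf: no rule covers the {name} subnet {net}")
    return problems

# Constructed sample input, using the values shown on this page.
DAEMON_JSON = '{"ipv6": true, "fixed-cidr-v6": "2021:ffff:e0:3b1:0::/80"}'
EDGE_IPAM = {"gateway": "2021:ffff:e0:3b1:1::1",
             "subnet": "2021:ffff:e0:3b1:1::/80",
             "ip_range": "2021:ffff:e0:3b1:1::/80"}
NDPPD_CONF = """
proxy eth0 {
  rule 2021:ffff:e0:3b1:0::/80 {
    auto
  }
  rule 2021:ffff:e0:3b1:1::/80 {
    auto
  }
}
"""

if __name__ == "__main__":
    for line in check_ipv6_plan(DAEMON_JSON, EDGE_IPAM, NDPPD_CONF) or ["ok"]:
        print(line)
```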