force IPv6 uplink AddInterfaceAddress mask #926

Merged
sknat merged 1 commit into master from abasu-fix-uplink
Feb 27, 2026

@aritrbas (Collaborator) commented Feb 27, 2026

RCA:

On some deployments, uplink IPv6 addresses can be programmed in VPP with host prefixes (/128) which means there is no connected subnet on the interface. Neighbor discovery can still learn MAC/IP entries, but VPP may create host/adj-fib behavior that effectively treats off-subnet neighbors as attached, causing forwarding to become UNRESOLVED for certain peers and intermittently override expected default-route forwarding.

The failure is intermittent because it is timing-dependent: whether VPP learns the neighbor (via NDP) before or after the default route is installed, and on neighbor aging/re-learning cycles.

Fix:

When configuring IPv6 addresses on the VPP uplink interface via AddInterfaceAddress, override the Linux-sourced netmask with a configurable value (default /64). This creates a connected /64 prefix on the uplink, so that:

  • Neighbors learned via NDP are within the connected subnet
  • Adj-fib entries resolve correctly against the connected route

The mask override is controlled by a new debug config field uplinkSubnetMask (default: 64, range: [1, 128]) in the CALICOVPP_DEBUG ConfigMap.

On some deployments, uplink IPv6 addresses can be programmed in VPP
with host prefixes (`/128`) which means there is no connected subnet
on the interface. Neighbor discovery can still learn MAC/IP entries,
but VPP may create host/adj-fib behavior that effectively treats
off-subnet neighbors as attached, causing forwarding to become
`UNRESOLVED` for certain peers and intermittently override expected
default-route forwarding.

The failure is intermittent because it is timing-dependent: whether
VPP learns the neighbor (via NDP) before or after the default route
is installed, and on neighbor aging/re-learning cycles.

Introduced CALICOVPP_DEBUG.uplinkSubnetMask (default: 64) to force all
IPv6 uplink interface AddInterfaceAddress calls in vpp-manager to use
this mask, regardless of the source netmask from Linux interface.

This keeps neighbor/MAC learning behavior while ensuring uplink IPv6
addresses are installed with a connected-prefix mask that avoids
host-prefix adjacency edge cases.

Signed-off-by: Aritra Basu <aritrbas@cisco.com>
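
Added example, not part of this PR or of the calico-vpp code base: a Go sketch of the mask override described above, showing that a neighbor is outside the interface prefix when the address is installed as /128 and inside it once the mask is forced to /64. The helper names forceUplinkMask, onLink and compare are hypothetical, and the addresses are constructed from the 2001:db8::/32 documentation range.

```go
package main

import (
	"fmt"
	"net/netip"
)

// forceUplinkMask (hypothetical, not calico-vpp code) returns the prefix to
// program on the uplink: IPv6 addresses get the configured mask, IPv4
// addresses keep the mask read from the Linux interface.
func forceUplinkMask(linux netip.Prefix, mask int) (netip.Prefix, error) {
	if mask < 1 || mask > 128 {
		return netip.Prefix{}, fmt.Errorf("uplinkSubnetMask %d outside [1, 128]", mask)
	}
	addr := linux.Addr()
	if !addr.Is6() || addr.Is4In6() {
		return linux, nil
	}
	return netip.PrefixFrom(addr, mask), nil
}

// onLink reports whether a neighbor falls inside the connected subnet
// derived from the interface prefix.
func onLink(ifPrefix netip.Prefix, neighbor netip.Addr) bool {
	return ifPrefix.Masked().Contains(neighbor)
}

// compare applies the override to a Linux-sourced address and reports whether
// the neighbor is on-link before and after it.
func compare(linuxCIDR, neighbor string, mask int) (forced string, before, after bool, err error) {
	linux, err := netip.ParsePrefix(linuxCIDR)
	if err != nil {
		return "", false, false, err
	}
	nb, err := netip.ParseAddr(neighbor)
	if err != nil {
		return "", false, false, err
	}
	p, err := forceUplinkMask(linux, mask)
	if err != nil {
		return "", false, false, err
	}
	return p.String(), onLink(linux, nb), onLink(p, nb), nil
}

func main() {
	// Constructed sample values, not taken from any deployment.
	forced, before, after, err := compare("2001:db8:0:1::10/128", "2001:db8:0:1::1", 64)
	fmt.Println(forced, before, after, err)
}
```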
@aritrbas self-assigned this Feb 27, 2026

@sknat (Collaborator) left a comment

lgtm

@sknat merged commit 75b4436 into master Feb 27, 2026
5 checks passed
@sknat deleted the abasu-fix-uplink branch February 27, 2026 08:52