core, ipv6: enable optimistic_dad instead of completely disabling Duplicate Address Detection

[flouthoc]

We are disabling duplicate address detection for ipv6 completely which
might not be needed so instead of setting accept_dad to 0 we can
still do optimistic_dad to 1 for required interface.

Some cons of using optimistic_dad

• Might be still slower than disabling DAD.
• Not good support for older kernels since it was added in later
  released of 3.x

Closes: #260

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: flouthoc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [flouthoc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[flouthoc]

Question not sure about this but do we need to enable Router Advertisements ?

[Luap99]

I don't know. I think this was copied from cni.

[flouthoc]

Caution: This is a draft PR and needs to be experimented on before this can be merged. Follow discussion here: #260

[Luap99]

I don't think we need to support such old kernels.

The test failures are exactly the reason why we disabled dad. I guess optimistic dad does not work as hoped.

[flouthoc]

@Luap99 Yeah I think it will be still slow and I am still missing the reason why do we need to enable DAD inside container is it to avoid conflicts for the new device addresses ? But nvm I'll check a few things and if this does not works out I'll close the issue.

[Luap99]

@flouthoc Can you try setting use_optimistic as well.

[sbrivio-rh]

Hi,

@Luap99 Yeah I think it will be still slow and I am still missing the reason why do we need to enable DAD inside container is it to avoid conflicts for the new device addresses ? But nvm I'll check a few things and if this does not works out I'll close the issue.

There are two reasons I suggested optimistic DAD should be used instead of disabling DAD completely:

• if the container's MAC address changes, forced neighbour advertisements are allowed if DAD is enabled, and that will clear/update neighbour caches. See also libnetwork/osl: If Optimistic DAD (RFC 4429) is available, use that instead of moby/moby#42746
• if you have a networking model where NDP crosses the container boundary (I'm not sure netavark supports something like that at the moment, or if it ever will), disabling DAD might lead to a catastrophic collision, albeit in extremely rare cases

I see the netcat test is still failing. I don't think that's because of the delay from optimistic DAD (that's really small, and comparable with address assignment timing), but I can try that out in a simplified scenario with a simple network namespace if it helps.

[flouthoc]

Hi @sbrivio-rh, Thank you so much for the explanation. Sure could you please try to reprod this in a smaller env. That would be great help. Meanwhile I'm also trying to look at this.

Thank you for the help :D

[openshift-merge-robot]

@flouthoc: PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.