Cannot ping ipv6 from remote container

[bamb00]

I have a setup running Calico IPV6 enabled in Kubernetes v1.9.5 running docker 1.13.1-cs9. I'm not able to ping the remote container using ipv6 address. I can ping ipv6 address locally. Do you know what's needed to be resolve to be able to ping the remote container?

What is the best way to verify ipv6 traffic is coming into the container?

---

# kubectl get po -n kube-system
NAME                                                                  READY     STATUS    RESTARTS   AGE
calico-etcd-jg2vr                                                     1/1       Running   0          5h
calico-kube-controllers-866bf5646c-pplzf                              1/1       Running   0          5h
calico-node-kz2sk                                                     2/2       Running   0          5h
etcd-devtricorder0A-master-01                                         1/1       Running   0          5h
kube-apiserver-devtricorder0A-master-01                               1/1       Running   0          5h
kube-controller-manager-devtricorder0A-master-01                      1/1       Running   0          5h
kube-dns-6f4fd4bdf-zdwkz                                              3/3       Running   0          5h
kube-proxy-q9xg5                                                      1/1       Running   0          5h
kube-scheduler-devtricorder0A-master-01                               1/1       Running   0          5h
kubernetes-dashboard-68d7c968ff-nj2m7                                 1/1       Running   0          5h

---

From Container B: Pinging remote container

# ping6 fe80::e471:21ff:fef0:b88d
PING fe80::e471:21ff:fef0:b88d (fe80::e471:21ff:fef0:b88d): 56 data bytes
64 bytes from fe80::482b:91ff:fe64:de2b%eth0: Destination unreachable: Address unreachable
64 bytes from fe80::482b:91ff:fe64:de2b%eth0: Destination unreachable: Address unreachable
64 bytes from fe80::482b:91ff:fe64:de2b%eth0: Destination unreachable: Address unreachable
64 bytes from fe80::482b:91ff:fe64:de2b%eth0: Destination unreachable: Address unreachable
64 bytes from fe80::482b:91ff:fe64:de2b%eth0: Destination unreachable: Address unreachable
64 bytes from fe80::482b:91ff:fe64:de2b%eth0: Destination unreachable: Address unreachable

Pinging from locally

# ping6 fe80::482b:91ff:fe64:de2b
PING fe80::482b:91ff:fe64:de2b (fe80::482b:91ff:fe64:de2b): 56 data bytes
64 bytes from fe80::482b:91ff:fe64:de2b%eth0: icmp_seq=0 ttl=64 time=0.057 ms
64 bytes from fe80::482b:91ff:fe64:de2b%eth0: icmp_seq=1 ttl=64 time=0.060 ms
64 bytes from fe80::482b:91ff:fe64:de2b%eth0: icmp_seq=2 ttl=64 time=0.056 ms
64 bytes from fe80::482b:91ff:fe64:de2b%eth0: icmp_seq=3 ttl=64 time=0.059 ms
64 bytes from fe80::482b:91ff:fe64:de2b%eth0: icmp_seq=4 ttl=64 time=0.068 ms
64 bytes from fe80::482b:91ff:fe64:de2b%eth0: icmp_seq=5 ttl=64 time=0.053 ms

---

Container A:

# ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
4: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 state UP
    inet6 fe80::e471:21ff:fef0:b88d/64 scope link
       valid_lft forever preferred_lft forever

# ip -6 route show
fe80::/64 dev eth0  proto kernel  metric 256

---

Container B:

# ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
4: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 state UP
    inet6 fe80::482b:91ff:fe64:de2b/64 scope link
       valid_lft forever preferred_lft forever

# ip -6 route show
fe80::/64 dev eth0  proto kernel  metric 256

[leblancd]

@bamb00:

• Check that each host node (i.e. not the pods) has IPv6 forwarding enabled using 'sysctl net.ipv6.conf.all.forwarding'.
• Check whether each node can ping6 to each other.
• I'm not an expert on Calico IPv6 setup, but this guide mentions that "If you wish to only use IPv6 (by disabling IPv4) or your hosts only have IPv6 addresses, you must disable autodetection of IPv4 by setting IP to none. With that set you must also pass a CALICO_ROUTER_ID to each calico-node pod."
• If everything checks out so far, you can try bringing up a couple of pods with alpine containers, and then install tshark in one or more of those alpine containers with 'apk add tshark'. Once tshark is installed, you would be able to do 'tshark -i eth0' to capture incoming packets on that pod's eth0 interface. You would then try ping6 from the other pod.
• (I haven't tried this on a Calico setup) If you're not seeing incoming pings or neighbor discovery exchanges on the remote pod (I suspect that you won't), you can then try installing tshark (or wireshark, or use tcpdump) on one or more host nodes, and then run tshark on the physical interfaces of each host node while one pod is ping6'ing the other pod, to see how far ping6/nd packets are going.

[leblancd]

@bamb00 - Any luck on the pings?