There are a couple of bugzilla records open requesting IPv6 support on libvirt's virtual networks: https://bugzilla.redhat.com/show_bug.cgi?id=514749 https://bugzilla.redhat.com/show_bug.cgi?id=586124 This is a first cut at describing what that support will look like. Please send any comments/criticisms/suggestions you may have. Changes to network XML ---------------------- 1) The <ip> element of the network xml will be expanded in the following ways: a) <ip> can now appear multiple times (although I think only one of these can/should be allowed to have a <dhcp> element). The bridge interface (eg virbr0) will be configured with all given ips. b) The address attribute can now be either an ipv4 dotted quad, or an ipv6 address, eg "2001:db8:1::10" (the schema will allow either in any case, but the parser will validate that it is appropriate for the given family - see (b)) b) new attributes: family="ipv4|ipv6". Optional. It will default to ipv4 if not specified. prefix="<some number>" Optional. This is used to specify how many significant bits are in the ipv6 address. This will also be usable for ipv4, but the parser will make sure that only one of netmask or prefix is given for an ipv4 address (since netmasks generally aren't specified as such in IPv6, the netmask attribute will not be allowed if family is ipv6). 2) New subelements of <ip> If we want to avoid requiring the admin to login to the hosts to configure radvd for advertising addresses, the ipv6 version of <ip> is going to need radvd config information. The list of options is rather long, and I don't see how we could assume a hardcoded default for any of them, so if we're going to have an <radvd> subelement, it's going to need a *lot* of attributes/subelements of its own: http://linux.die.net/man/5/radvd.conf For this reason, I think we can at least initially *not* include all this config, and not attempt to run radvd ourselves. However, we can't merely ignore radvd, since our bridges don't exist at the time radvd is started by the system, and even if you've put the proper config in the static radvd.conf file, it can't be recognized until the interface exists, and the method of informing radvd that it needs to re-scan the conf file to find new interfaces is to send it a SIGHUP. So, I'm thinking we can add an <radvd/> subelement to IP that, for now, will have no attributes and no subelements. If the ip/radvd subelement exists, libvirt will send radvd a SIGHUP when the network is brought up, and again if it is brought down. Here is the example from formatnetwork.html on libvirt.org, updated with examples of the changes I'm proposing: <network> <ip address="192.168.122.1" netmask="255.255.255.0"> <dhcp> <range start="192.168.122.100" end="192.168.122.254" /> <host mac="00:16:3e:77:e2:ed" name="foo.example.com" ip="192.168.122.10" /> <host mac="00:16:3e:3e:a9:1a" name="bar.example.com" ip="192.168.122.11" /> </dhcp> </ip> <ip family="ipv4" address="192.168.125.1" prefix="24"> <ip family="ipv6" address="2001:db8:1::10" prefix="128"/> <ip family="ipv6" address="2001:4978:2ac::1" prefix="48"> <radvd/> </ip> </network> The original ipv4 address example remains unchanged, but notice that we can also give a 2nd ipv4 address, and can use "prefix" instead of "netmask" if we want. The example configs the bridge with two ipv6 addresses, so guests connected to the bridge can be on either of these networks or both. In addition, radvd will be SIGHUPed when the network is brought up, so if it is configured properly, it will begin giving out addresses on the network via IPv6 autoconf (presumably on the 2001:4978:2ac::/28 network, although that's completely dependent on the radvd config. NB: As previously discussed, we are making the assumptions that 1) nobody will want to use dhcp6 (although it's available, autoconf via radvd is the more accepted method of automatically getting an address). 2) any tftp booting required can be done with the IPv4 facilities already in place (ie, if that is needed, the guests will use both IPv4 and IPv6). Likewise for any other configuration required that isn't covered by ipv6 autoconf. 3) radvd configuration is outside the scope of libvirt, although libvirt can give it a kick now and then. Configuring the IP addresses of the bridge ------------------------------------------ Currently, libvirt uses the SIOCSIFADDR ioctl to set the (single) ipv4 address of the bridge. This ioctl does not support IPv6. In order to configure and IPv6 address (or more than one IPv4 address) we will need to use netlink (ie libnl). Unfortunately, libnl isn't available on all Linux platforms (libvirt's virtual networks are only available on Linux), for example RHEL5 has libnl, but it's an older version that is API-incompatible with the version used by libvirt. libvirt already uses libnl directly for macvtap support, and indirectly for netcf (the iface-* commands), but both of those are conditionally compiled. In order to continue supporting older platforms, all this IPv6 stuff will need to be optional, and conditional on the presence of the right libnl version. If libnl is available, the default will be --with-ipv6, otherwise, the default will be --without-ipv6. Also, src/network/bridge_driver.c:networkDisableIPV6, which tweaks some kernel tunables to disallow adding IPv6 addresses to a bridge, is currently called for all networks' bridges when they are brought up. This will of course now be called only if the network has no IPv6 config. iptables/ip6tables ------------------ The ip6tables rules setup for the bridge will be similar to those we already setup for ipv4. See Bug 586124 for a short script that creates a workable set of rules. "mode=nat" anomoly ------------------ libvirt's virtual networks have three modes: isolated, routed, and nat. If mode=isolated or mode=routed, IPv6 and IPv4 will be handled the same. However, since there is no NAT for IPv6, if you specify mode='nat' on a network, and give it an IPv6 address, the IPv6 traffic will be routed, while IPv4 traffic will be NATed. (Since there is a single mode attribute for the entire network, it will not be possible to specify isolated IPv6 and routed/nat IPv4, or isolated IPv4 and routed IPv6).