Add IPv6 support to network drivers

[akerouanton]

Hi,

moby / libnetwork maintainer here.

As the OMB memorandum M-21-07 will come into force in Sep. 2025, we started working on IPv6 improvements for Linux containers and we’ll need to add IPv6 support to Windows containers before that deadline. Since the API documentation for HNS doesn’t mention IPv6 limitations, I started playing with the API to see what roadblockers I could find.

I’m opening this ticket to document what I found and make feature requests. All the docker commands below are run against this branch: moby/moby#48285.

So far, I only tested the nat driver, but we’ll need similar improvements for other drivers.

Here’s a TL;DR list of Feature Requests:

• Dynamic IPv6 subnet allocations
• Automatically add IPv6 address to containers’ adapters
• Automatically add the required firewall policies to get outbound connectivity
• Add a parameter to HNSNetwork to disable IPv4 (make networks IPv6-only)

Create an IPv6 network

So far, I’m able to create a network with static IPv6 subnet, but unlike IPv4, HNS won’t dynamically allocate IPv6 subnets:

# Doesn't work:
> docker network create -d nat --ipv6 testnet-ipv6
Error response from daemon: failed during hnsCallRawResponse: hnsCall failed in Win32: Element not found. (0x490)

# Works properly
> docker network create -d nat --ipv6 --subnet fdf7:50::/64 testnet-ipv6

Run a container attached to an IPv6 network

Container's IP address isn't automatically added to its interface:

# Create a container attached to that network
> docker run --rm -it --name=c0 --network=testnet-ipv6 mcr.microsoft.com/windows/servercore:ltsc2022 powershell
> docker inspect c0

# From the container's terminal:
> Get-NetIPConfiguration
InterfaceAlias       : Ethernet
InterfaceIndex       : 4
InterfaceDescription : Microsoft Hyper-V Network Adapter
IPv4Address          : 172.24.22.190
IPv6DefaultGateway   :
IPv4DefaultGateway   : 172.24.16.1
DNSServer            : 172.24.16.1
                       192.168.1.254

> New-NetIPAddress -InterfaceIndex 4 -IPAddress fdf7:50::14 -PrefixLength 64 -DefaultGateway fdf7:50::1
> Get-NetIPAddress -AddressFamily IPv6 | Foreach IPAddress
fe80::9be4:d1d6:192f:9941%4
fdf7:50::14

Ping the host from the container (and vice-versa)

Pinging the host from the container doesn't work (although the reverse does). It seems there's a missing firewall policy to allow outbound connectivity:

# From the container, ping the host:
$ ping -n 1 -6 fdf7:50::1

Pinging fdf7:50::1 with 32 bytes of data:
Request timed out.

Ping statistics for fdf7:50::1:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

# Can't ping the host, but NDP seems to work correctly
$ Get-NetNeighbor | findstr "fdf7:50::1"
4       fdf7:50::1                                         00-15-5D-F4-11-23     Reachable   ActiveStore

# From the host, ping the container:
$ ping -n 1 -6 fdf7:50::14

Pinging fdf7:50::14 with 32 bytes of data:
Reply from fdf7:50::14: time<1ms

Ping statistics for fdf7:50::14:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

And taking a look with pktmon:

[04]0000.0000::2024-08-02 08:26:51.926095500 [Microsoft-Windows-PktMon] Drop: PktGroupId 1125899906842625, PktNumber 1, Appearance 16, Direction Rx , Type IP , Component 187, Filter 1, DropReason ICMP: inspection drop , DropLocation 0xE00041C7, OriginalSize 80, LoggedSize 80 
	Drop: ip: fdf7:50::1 > fdf7:50::14: ICMP6, echo request, seq 11, length 40
[04]0000.0000::2024-08-02 08:26:51.926099700 [Microsoft-Windows-PktMon] Duplicate Drop: PktGroupId 1125899906842625, PktNumber 1, Appearance 17, Direction Rx , Type IP , Component 187, Filter 1, DropReason INET: transport endpoint was not found , DropLocation 0xE0004704, OriginalSize 80, LoggedSize 80 
	Duplicate Drop: ip: fdf7:50::14 > fdf7:50::1: ICMP6, echo request, seq 11, length 40
[04]0000.0000::2024-08-02 08:26:51.926102500 [Microsoft-Windows-PktMon] Duplicate Drop: PktGroupId 1125899906842625, PktNumber 1, Appearance 18, Direction Rx , Type IP , Component 187, Filter 1, DropReason Inspection drop , DropLocation 0xE0004134, OriginalSize 80, LoggedSize 80 
	Duplicate Drop: ip: fdf7:50::14 > fdf7:50::1: ICMP6, echo request, seq 11, length 40

...

[05]48E0.8ACC::2024-08-02 08:26:57.026926700 [Microsoft-Windows-PktMon] Component 187, Type 11, Name tcpip.sys, TCP/IPv6 - L3/L4 
[05]48E0.8ACC::2024-08-02 08:26:57.026927300 [Microsoft-Windows-PktMon] Property: Component 187, IP Address  = fe80::e232:bea9:7bb6:84a5 
[05]48E0.8ACC::2024-08-02 08:26:57.026927600 [Microsoft-Windows-PktMon] Property: Component 187, IP Address  = fdf7:50::1 
[05]48E0.8ACC::2024-08-02 08:26:57.026928000 [Microsoft-Windows-PktMon] Property: Component 187, Compartment ID  = 1 
[05]48E0.8ACC::2024-08-02 08:26:57.026928600 [Microsoft-Windows-PktMon] Property: Component 187, IpIfIndex  = 72 

[ntrappe-msft]

@akarshm can you take a look at this feature request?

[ntrappe-msft]

@grcusanz @adrianm-msft could networking take a look at these asks? We can discuss it in the next Triage call.

[adrianm-msft]

@akerouanton, which version of Windows was this tested on?

[akerouanton]

I'm using Windows 11 Pro and the build number is 22631.3880.

[ntrappe-msft]

Hi, we'll be able to provide updates for your requests in a few days, once we've met with the product team.

[adrianm-msft]

Hi, our current IPv6 support is documented here. As for the feature requests, I can confirm we do have this work in our timeline and have added it to our backlog.