The future of Docker containers
Posted May 17, 2019 15:33 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) In reply to: The future of Docker containers by zlynx
Parent article: The future of Docker containers
NATs or stateful firewalls that amount to the same are needed to protect inbound connections.
So nope, IPv6 support for Docker should basically mirror the IPv4. An ability to use delegated prefixes is awesome, but not always needed.
Posted May 17, 2019 21:02 UTC (Fri)
by farnz (subscriber, #17727)
Out of curiosity (I don't work in this area, and my employer's networks team makes IPv6 Just Work for my needs), what do you think of ILA as a mechanism to run an IPv6 overlay network between containers? It looks to me like something that Docker/Kubernetes et al should be able to implement, and it replaces the need for NAT with a need for a /64 for the ILA overlay, plus a /64 for each container host.
Posted May 18, 2019 2:18 UTC (Sat)
by Cyberax (✭ supporter ✭, #52523)
The major advantage of ILA over some other methods is that it doesn't use encapsulation and instead rewrites source/destination addresses directly. This avoids issues with PMTU which STILL is not working correctly everywhere (even in a datacenter).
And the disadvantage is that the lower portion of the address basically becomes a client ID, so datacenter tenants won't be able to use the private IPv6 address space or ULAs.
Other than that, it's just yet another way to organize a datacenter-level SDN.
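The address rewriting discussed in this thread, as an added sketch that is not part of the original comments or of any Docker/Kubernetes code. It assumes one /64 for the overlay and one /64 locator per container host, with constructed prefixes from 2001:db8::/32 and a hypothetical identifier-to-host table; ILA's checksum-neutral adjustment is left out.

```python
import ipaddress

# Constructed sample values (documentation prefix), not taken from the thread.
OVERLAY = ipaddress.IPv6Network("2001:db8:0:1::/64")      # the /64 for the overlay
HOST_LOCATORS = {                                         # one /64 per container host
    "host-a": ipaddress.IPv6Network("2001:db8:a::/64"),
    "host-b": ipaddress.IPv6Network("2001:db8:b::/64"),
}
# Hypothetical mapping table: 64-bit identifier -> host currently running it.
IDENT_TO_HOST = {0x1: "host-a", 0x2: "host-b"}

LOW64 = (1 << 64) - 1
IPV6_HEADER = 40  # bytes


def to_ila(overlay_addr):
    """Rewrite an overlay address to the locator of the host that owns it.

    Only the upper 64 bits change; the lower 64 bits are the identifier,
    which is why tenants cannot choose those bits freely.
    """
    addr = ipaddress.IPv6Address(overlay_addr)
    if addr not in OVERLAY:
        raise ValueError(f"{addr} is not in the overlay prefix")
    ident = int(addr) & LOW64
    host = IDENT_TO_HOST.get(ident)
    if host is None:
        raise LookupError(f"no host mapping for identifier {ident:#x}")
    locator = int(HOST_LOCATORS[host].network_address)
    return ipaddress.IPv6Address(locator | ident)


def to_overlay(ila_addr):
    """Reverse rewrite done on the receiving host before delivery."""
    addr = ipaddress.IPv6Address(ila_addr)
    if not any(addr in net for net in HOST_LOCATORS.values()):
        raise ValueError(f"{addr} is not under a known locator")
    return ipaddress.IPv6Address(
        int(OVERLAY.network_address) | (int(addr) & LOW64))


def wire_length(payload_len, encapsulated):
    """On-wire size: rewriting adds nothing, IPv6-in-IPv6 adds a second header."""
    return IPV6_HEADER + payload_len + (IPV6_HEADER if encapsulated else 0)


if __name__ == "__main__":
    print(to_ila("2001:db8:0:1::1"), to_overlay("2001:db8:b::2"))
    print(wire_length(1460, False), wire_length(1460, True))
```

A 1460-byte payload stays at 1500 bytes on the wire when the addresses are rewritten, while the encapsulated form needs 1540 and so depends on path MTU discovery working.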