diff --git a/builder/builder-next/executor_unix.go b/builder/builder-next/executor_unix.go
index 4aee34cf30..d684b9f6e2 100644
--- a/builder/builder-next/executor_unix.go
+++ b/builder/builder-next/executor_unix.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/docker/docker/daemon/config"
 	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/stringid"
 	"github.com/docker/libnetwork"
 	"github.com/moby/buildkit/executor"
 	"github.com/moby/buildkit/executor/oci"
@@ -100,11 +101,12 @@ func (iface *lnInterface) Set(s *specs.Spec) {
 		logrus.WithError(iface.err).Error("failed to set networking spec")
 		return
 	}
+	shortNetCtlrID := stringid.TruncateID(iface.provider.NetworkController.ID())
 	// attach netns to bridge within the container namespace, using reexec in a prestart hook
 	s.Hooks = &specs.Hooks{
 		Prestart: []specs.Hook{{
 			Path: filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe"),
-			Args: []string{"libnetwork-setkey", "-exec-root=" + iface.provider.Config().Daemon.ExecRoot, iface.sbx.ContainerID(), iface.provider.NetworkController.ID()},
+			Args: []string{"libnetwork-setkey", "-exec-root=" + iface.provider.Config().Daemon.ExecRoot, iface.sbx.ContainerID(), shortNetCtlrID},
 		}},
 	}
 }
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index a3864b9a83..0018c0a649 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -20,6 +20,7 @@ import (
 	"github.com/docker/docker/oci/caps"
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/pkg/stringid"
 	"github.com/docker/docker/rootless/specconv"
 	volumemounts "github.com/docker/docker/volume/mounts"
 	"github.com/opencontainers/runc/libcontainer/apparmor"
@@ -66,13 +67,14 @@ func WithLibnetwork(daemon *Daemon, c *container.Container) coci.SpecOpts {
 		for _, ns := range s.Linux.Namespaces {
 			if ns.Type == "network" && ns.Path == "" && !c.Config.NetworkDisabled {
 				target := filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe")
+				shortNetCtlrID := stringid.TruncateID(daemon.netController.ID())
 				s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{
 					Path: target,
 					Args: []string{
 						"libnetwork-setkey",
 						"-exec-root=" + daemon.configStore.GetExecRoot(),
 						c.ID,
-						daemon.netController.ID(),
+						shortNetCtlrID,
 					},
 				})
 			}
diff --git a/hack/dockerfile/install/proxy.installer b/hack/dockerfile/install/proxy.installer
index c1bfefd653..bfad1a721e 100755
--- a/hack/dockerfile/install/proxy.installer
+++ b/hack/dockerfile/install/proxy.installer
@@ -3,7 +3,7 @@
 # LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When
 # updating the binary version, consider updating github.com/docker/libnetwork
 # in vendor.conf accordingly
-: ${LIBNETWORK_COMMIT:=96bcc0dae898308ed659c5095526788a602f4726}
+: ${LIBNETWORK_COMMIT:=0025177e3dabbe0de151be0957dcaff149d43536}
 
 install_proxy() {
 	case "$1" in
diff --git a/vendor.conf b/vendor.conf
index a467e36079..5a4a90e9f1 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -38,7 +38,7 @@ github.com/gofrs/flock                              392e7fae8f1b0bdbd67dad7237d2
 # libnetwork
 
 # When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy.installer accordingly
-github.com/docker/libnetwork                        96bcc0dae898308ed659c5095526788a602f4726
+github.com/docker/libnetwork                        0025177e3dabbe0de151be0957dcaff149d43536
 github.com/docker/go-events                         9461782956ad83b30282bf90e31fa6a70c255ba9
 github.com/armon/go-radix                           e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
 github.com/armon/go-metrics                         eb0af217e5e9747e41dd5303755356b62d28e3ec
diff --git a/vendor/github.com/docker/libnetwork/drivers/bridge/setup_ipv6.go b/vendor/github.com/docker/libnetwork/drivers/bridge/setup_ipv6.go
index b944be081e..28fa824944 100644
--- a/vendor/github.com/docker/libnetwork/drivers/bridge/setup_ipv6.go
+++ b/vendor/github.com/docker/libnetwork/drivers/bridge/setup_ipv6.go
@@ -70,7 +70,7 @@ func setupBridgeIPv6(config *networkConfiguration, i *bridgeInterface) error {
 		Dst:       config.AddressIPv6,
 	})
 	if err != nil && !os.IsExist(err) {
-		logrus.Errorf("Could not add route to IPv6 network %s via device %s", config.AddressIPv6.String(), config.BridgeName)
+		logrus.Errorf("Could not add route to IPv6 network %s via device %s: %s", config.AddressIPv6.String(), config.BridgeName, err)
 	}
 
 	return nil
diff --git a/vendor/github.com/docker/libnetwork/ipvs/constants.go b/vendor/github.com/docker/libnetwork/ipvs/constants.go
index b6b7f2bb5e..efac4e367c 100644
--- a/vendor/github.com/docker/libnetwork/ipvs/constants.go
+++ b/vendor/github.com/docker/libnetwork/ipvs/constants.go
@@ -144,6 +144,17 @@ const (
 	// a statically assigned hash table by their source IP
 	// addresses.
 	SourceHashing = "sh"
+
+	// WeightedRoundRobin assigns jobs to real servers proportionally
+	// to there real servers' weight. Servers with higher weights
+	// receive new jobs first and get more jobs than servers
+	// with lower weights. Servers with equal weights get
+	// an equal distribution of new jobs
+	WeightedRoundRobin = "wrr"
+
+	// WeightedLeastConnection assigns more jobs to servers
+	// with fewer jobs and relative to the real servers' weight
+	WeightedLeastConnection = "wlc"
 )
 
 const (
diff --git a/vendor/github.com/docker/libnetwork/sandbox_externalkey_unix.go b/vendor/github.com/docker/libnetwork/sandbox_externalkey_unix.go
index 5006583c5b..d0f60deda7 100644
--- a/vendor/github.com/docker/libnetwork/sandbox_externalkey_unix.go
+++ b/vendor/github.com/docker/libnetwork/sandbox_externalkey_unix.go
@@ -12,6 +12,7 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/docker/docker/pkg/stringid"
 	"github.com/docker/libnetwork/types"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
@@ -24,7 +25,7 @@ const (
 )
 
 // processSetKeyReexec is a private function that must be called only on an reexec path
-// It expects 3 args { [0] = "libnetwork-setkey", [1] = <container-id>, [2] = <controller-id> }
+// It expects 3 args { [0] = "libnetwork-setkey", [1] = <container-id>, [2] = <short-controller-id> }
 // It also expects specs.State as a json string in <stdin>
 // Refer to https://github.com/opencontainers/runc/pull/160/ for more information
 // The docker exec-root can be specified as "-exec-root" flag. The default value is "/run/docker".
@@ -41,14 +42,14 @@ func processSetKeyReexec() {
 	execRoot := flag.String("exec-root", defaultExecRoot, "docker exec root")
 	flag.Parse()
 
-	// expecting 3 os.Args {[0]="libnetwork-setkey", [1]=<container-id>, [2]=<controller-id> }
+	// expecting 3 os.Args {[0]="libnetwork-setkey", [1]=<container-id>, [2]=<short-controller-id> }
 	// (i.e. expecting 2 flag.Args())
 	args := flag.Args()
 	if len(args) < 2 {
 		err = fmt.Errorf("Re-exec expects 2 args (after parsing flags), received : %d", len(args))
 		return
 	}
-	containerID, controllerID := args[0], args[1]
+	containerID, shortCtlrID := args[0], args[1]
 
 	// We expect specs.State as a json string in <stdin>
 	stateBuf, err := ioutil.ReadAll(os.Stdin)
@@ -60,16 +61,16 @@ func processSetKeyReexec() {
 		return
 	}
 
-	err = SetExternalKey(controllerID, containerID, fmt.Sprintf("/proc/%d/ns/net", state.Pid), *execRoot)
+	err = SetExternalKey(shortCtlrID, containerID, fmt.Sprintf("/proc/%d/ns/net", state.Pid), *execRoot)
 }
 
 // SetExternalKey provides a convenient way to set an External key to a sandbox
-func SetExternalKey(controllerID string, containerID string, key string, execRoot string) error {
+func SetExternalKey(shortCtlrID string, containerID string, key string, execRoot string) error {
 	keyData := setKeyData{
 		ContainerID: containerID,
 		Key:         key}
 
-	uds := filepath.Join(execRoot, execSubdir, controllerID+".sock")
+	uds := filepath.Join(execRoot, execSubdir, shortCtlrID+".sock")
 	c, err := net.Dial("unix", uds)
 	if err != nil {
 		return err
@@ -120,7 +121,8 @@ func (c *controller) startExternalKeyListener() error {
 	if err := os.MkdirAll(udsBase, 0600); err != nil {
 		return err
 	}
-	uds := filepath.Join(udsBase, c.id+".sock")
+	shortCtlrID := stringid.TruncateID(c.id)
+	uds := filepath.Join(udsBase, shortCtlrID+".sock")
 	l, err := net.Listen("unix", uds)
 	if err != nil {
 		return err
diff --git a/vendor/github.com/docker/libnetwork/store.go b/vendor/github.com/docker/libnetwork/store.go
index 0a7c5754d3..621bf507b9 100644
--- a/vendor/github.com/docker/libnetwork/store.go
+++ b/vendor/github.com/docker/libnetwork/store.go
@@ -80,30 +80,15 @@ func (c *controller) getStores() []datastore.DataStore {
 }
 
 func (c *controller) getNetworkFromStore(nid string) (*network, error) {
-	for _, store := range c.getStores() {
-		n := &network{id: nid, ctrlr: c}
-		err := store.GetObject(datastore.Key(n.Key()...), n)
-		// Continue searching in the next store if the key is not found in this store
-		if err != nil {
-			if err != datastore.ErrKeyNotFound {
-				logrus.Debugf("could not find network %s: %v", nid, err)
-			}
-			continue
-		}
-
-		ec := &endpointCnt{n: n}
-		err = store.GetObject(datastore.Key(ec.Key()...), ec)
-		if err != nil && !n.inDelete {
-			return nil, fmt.Errorf("could not find endpoint count for network %s: %v", n.Name(), err)
-		}
-
-		n.epCnt = ec
-		if n.scope == "" {
-			n.scope = store.Scope()
-		}
-		return n, nil
+	ns, err := c.getNetworksFromStore()
+	if err != nil {
+		return nil, err
+	}
+	for _, n := range ns {
+		if n.id == nid {
+			return n, nil
+		}
 	}
-
 	return nil, fmt.Errorf("network %s not found", nid)
 }