Date: Fri, 12 Jun 2020 22:37:24 -0400
From: Alex
To: freebsd-net@freebsd.org
Subject: NDP Proxying Issue
Message-ID: <20200612223724.1ebdf4d1@poseidon>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I am running FreeBSD 12.1-RELEASE on DigitalOcean, where my Droplet is assigned 16 IPv6 addresses (2604::0 --> 2604::f). I would like it to respond to neighbor solicitation requests from DO, even though the IP being solicited is not bound to any interface on the machine. Based on my research, this is exactly what NDP proxying is for, which is configured by the "ndp" tool.

I already have one IPv6 address fully operational, and I see it listed in the output of "ndp -a" (IPs redacted):

  2604::1 12:34:56:78:90:ff vtnet0 permanent R

"12:34:56:78:90:ff" is the MAC address of vtnet0, the main public-facing interface of the machine.

I have executed the following command:

  ndp -s 2604::2 12:34:56:78:90:ff proxy

leading to the following output from "ndp -a":

  2604::2 12:34:56:78:90:ff vtnet0 permanent R p

This indicates to me that NDP proxying for this IP has been set up properly.

When running tcpdump on vtnet0, and after attempting to connect to 2604::2 from a remote machine, I see the following:

  02:25:04.068528 IP6 fe80::1 > ff02::2: ICMP6, neighbor solicitation, who has 2604::2, length 32

The ISP is properly asking if my machine has that address; however, I never see a neighbor advertisement in response. Based on the fact that the "ndp -s" command succeeded and the entry is listed, why would this be?

I have pf disabled. I am not aware of any sysctl variables that might prevent this from working.

Regards,
Alex
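
An added example, not part of the original message: a Python helper for reading captures like the one above. It computes the solicited-node multicast group (RFC 4291) and the Ethernet multicast address (RFC 2464) that address-resolution solicitations for a target normally use, then classifies the destination seen in a tcpdump line. The function names are hypothetical, and the sample line is the redacted one from the message, so its addresses are not the real ones.

```python
import ipaddress
import re

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
NS_RE = re.compile(
    r"IP6 (\S+) > (\S+): ICMP6, neighbor solicitation, who has (\S+?),")

def solicited_node(target):
    """RFC 4291 section 2.7.1: ff02::1:ff00:0/104 plus the target's low 24 bits."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)

def ether_multicast(group):
    """RFC 2464 section 7: 33:33 followed by the group's low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))

def classify_ns(line):
    """Parse one tcpdump neighbor solicitation line and classify its destination."""
    m = NS_RE.search(line)
    if m is None:
        return None
    src, dst, target = m.groups()
    expected = solicited_node(target)
    dst_ip = ipaddress.IPv6Address(dst)
    if dst_ip == expected:
        kind = "solicited-node multicast"  # normal address resolution
    elif dst_ip.is_multicast:
        kind = "other multicast"           # a group other than the expected one
    else:
        kind = "unicast"                   # e.g. a reachability probe
    return {
        "source": src,
        "destination": dst,
        "target": target,
        "destination_kind": kind,
        "expected_group": str(expected),
        "expected_ether_dst": ether_multicast(expected),
    }

# The line quoted in the message (addresses redacted by the poster).
PAGE_LINE = ("02:25:04.068528 IP6 fe80::1 > ff02::2: ICMP6, "
             "neighbor solicitation, who has 2604::2, length 32")

if __name__ == "__main__":
    for key, value in classify_ns(PAGE_LINE).items():
        print(f"{key}: {value}")
```

Adding `-e` to the tcpdump invocation prints the Ethernet destination, which can be compared with `expected_ether_dst` for the real, unredacted target.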