Subject: Re: Revisiting FreeBSD-SA-08:10.nd6 (or: avoiding IPv6 pain)
From: Dennis Kögel <dk@neveragain.de>
Date: Fri, 6 Mar 2020 08:11:37 +0100
To: Hiroki Sato
Cc: freebsd-net@freebsd.org
In-Reply-To: <20200305.155625.1199096393793640113.hrs@FreeBSD.org>
Message-Id: <23693606-3BEB-4130-96B7-1A12BA429E4A@neveragain.de>
List-Id: Networking and TCP/IP with FreeBSD

On 05.03.2020 at 07:56, Hiroki Sato wrote:

> dk> I've spent quite some time debugging weird intermittent IPv6
> dk> connectivity issues over the last few days.
> dk>
> dk> It turned out that net.inet6.icmp6.nd6_onlink_ns_rfc4861=1 fixed those
> dk> problems.
>
> What was the problem more specifically?
In short, the uplink's router sometimes sent Neighbor Solicitations with a public address as source - one of its addresses that is not specifically on the link to my host. Which, to my current understanding, is perfectly legal.

FreeBSD by default considers this address to be a "non-neighbor" and silently drops the packet. So from the uplink router's perspective, they tried to reach my box, to learn the link-layer address, but my box did not respond, therefore traffic could not be forwarded to me.

After a while of being unreachable, the router retries from a fe80:: address, which works fine, of course. This cycle happened every 30-120 minutes, probably depending on traffic levels (neighbor cache).

Only after studying tcpdump, getting a hunch and turning on nd6_debug did I start to understand what's happening.

tcpdump:

23:30:54.175447 IP6 2001:db8:28::3 > 2001:db8:28:6cc::22:c: ICMP6, neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32
23:30:55.171125 IP6 2001:db8:28::3 > 2001:db8:28:6cc::22:c: ICMP6, neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32
23:30:56.171814 IP6 2001:db8:28::3 > 2001:db8:28:6cc::22:c: ICMP6, neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32
23:31:05.184814 IP6 fe80::22d8:b00:8cee:ff4 > ff02::1:ff22:c: ICMP6, neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32
23:31:05.184889 IP6 fe80::6472:6eff:fe45:12e1 > fe80::22d8:b00:8cee:ff4: ICMP6, neighbor advertisement, tgt is 2001:db8:28:6cc::22:c, length 32

Let me know if you have further questions on the setup or the effects.

- D.
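The pattern Dennis describes (Neighbor Solicitations from an off-link global source that never get an advertisement back, followed by a retry from fe80:: that does) can be picked out of a tcpdump capture mechanically. The following triage helper is an added example, not code from the mail or from FreeBSD; it assumes a hypothetical on-link prefix of 2001:db8:28:6cc::/64 for the host, which the mail does not state.

```python
import ipaddress
import re

# Assumption (not stated in the mail): the host's own on-link prefix.
ONLINK_PREFIXES = [ipaddress.ip_network("2001:db8:28:6cc::/64")]
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

# Matches tcpdump's one-line ICMP6 neighbor solicitation/advertisement output.
ND_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, "
    r"neighbor (?P<kind>solicitation|advertisement), "
    r"(?:who has|tgt is) (?P<target>\S+), length \d+$"
)

def parse_nd(line):
    """Return a dict for an ND line, or None for anything else."""
    m = ND_RE.match(line)
    return m.groupdict() if m else None

def is_onlink(addr):
    """True if addr is link-local or inside one of our on-link prefixes."""
    a = ipaddress.ip_address(addr)
    return a in LINK_LOCAL or any(a in p for p in ONLINK_PREFIXES)

def unanswered_offlink_ns(lines):
    """(src, target) for each NS from an off-link source that got no NA back.
    With nd6_onlink_ns_rfc4861=0 FreeBSD drops exactly these NS, so they are
    the ones to look for when a remote router cannot resolve our address."""
    events = [e for e in map(parse_nd, lines) if e]
    hits = []
    for i, ns in enumerate(events):
        if ns["kind"] != "solicitation" or is_onlink(ns["src"]):
            continue
        answered = any(
            na["kind"] == "advertisement"
            and na["target"] == ns["target"]
            and na["dst"] == ns["src"]
            for na in events[i + 1:]
        )
        if not answered:
            hits.append((ns["src"], ns["target"]))
    return hits

# The five tcpdump lines quoted in the mail above.
SAMPLE = [
    "23:30:54.175447 IP6 2001:db8:28::3 > 2001:db8:28:6cc::22:c: ICMP6, neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32",
    "23:30:55.171125 IP6 2001:db8:28::3 > 2001:db8:28:6cc::22:c: ICMP6, neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32",
    "23:30:56.171814 IP6 2001:db8:28::3 > 2001:db8:28:6cc::22:c: ICMP6, neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32",
    "23:31:05.184814 IP6 fe80::22d8:b00:8cee:ff4 > ff02::1:ff22:c: ICMP6, neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32",
    "23:31:05.184889 IP6 fe80::6472:6eff:fe45:12e1 > fe80::22d8:b00:8cee:ff4: ICMP6, neighbor advertisement, tgt is 2001:db8:28:6cc::22:c, length 32",
]

if __name__ == "__main__":
    for src, tgt in unanswered_offlink_ns(SAMPLE):
        print(f"NS for {tgt} from off-link source {src} was never answered")
```

Feed it the output of `tcpdump -ni <if> icmp6` on the affected host; every reported line is a solicitation the default nd6 policy would have dropped, which distinguishes this failure mode from a genuinely unreachable peer.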