Date: Fri, 6 Mar 2020 08:11:37 +0100 From: =?utf-8?Q?Dennis_K=C3=B6gel?= <dk@neveragain.de> To: Hiroki Sato <hrs@freebsd.org> Cc: freebsd-net@freebsd.org Subject: Re: Revisiting FreeBSD-SA-08:10.nd6 (or: avoiding IPv6 pain) Message-ID: <23693606-3BEB-4130-96B7-1A12BA429E4A@neveragain.de> In-Reply-To: <20200305.155625.1199096393793640113.hrs@FreeBSD.org> References: <523BA6CF-C2C3-4E55-B81C-CB8816E56DDE@neveragain.de> <20200305.155625.1199096393793640113.hrs@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Am 05.03.2020 um 07:56 schrieb Hiroki Sato <hrs@freebsd.org>: > dk> I=E2=80=98ve spent quite some time debugging weird intermittent = IPv6 > dk> connectivity issues over the last few days. > dk>=20 > dk> It turned out that net.inet6.icmp6.nd6_onlink_ns_rfc4861=3D1 fixed = those > dk> problems. >=20 > What was the problem more specifically? In short, the uplink's router sent Neighbor Solicitations sometimes with = a public address as source - one of its addresses that is not = specifically on the link to my host. Which, to my current understanding, = is perfectly legal. FreeBSD by default considers this address to be a "non-neighbor" and = silently drops the packet. So from the uplink router's perspective, they = tried to reach my box, to learn the link-layer address, but my box did = not respond, therefore traffic could not be forwarded to me. After a while of being unreachable, the router retries from a fe80:: = address, which works fine, of course. This cycle happened every 30-120 = minutes, probably depending on traffic levels (neighbor cache). Only after studying tcpdump and getting a hunch and turning on nd6_debug = I started to understand what's happening. tcpdump: 23:30:54.175447 IP6 2001:db8:28::3 > 2001:db8:28:6cc::22:c: ICMP6, = neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32 23:30:55.171125 IP6 2001:db8:28::3 > 2001:db8:28:6cc::22:c: ICMP6, = neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32 23:30:56.171814 IP6 2001:db8:28::3 > 2001:db8:28:6cc::22:c: ICMP6, = neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32 23:31:05.184814 IP6 fe80::22d8:b00:8cee:ff4 > ff02::1:ff22:c: ICMP6, = neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32 23:31:05.184889 IP6 fe80::6472:6eff:fe45:12e1 > fe80::22d8:b00:8cee:ff4: = ICMP6, neighbor advertisement, tgt is 2001:db8:28:6cc::22:c, length 32 Let me know if you have further questions on the setup or the effects. - D.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?23693606-3BEB-4130-96B7-1A12BA429E4A>