Discussion:
icmp6_reflect misbehaviour ?
Arnaud BRAND
2018-11-27 22:25:08 UTC
Good evening everyone,

I am stuck with an IPv6 traceroute problem in an OSPFv3 environment.

Long story short :
- IPv6 routes are propagated using OSPFv3
- so they are installed with link-local gateways in the fib
- ICMPv6 "time exceeded" packets are generated with link-local source
address
- these packets are not to be routed so they do not get past the next
hop
- the endpoint never receives the "time exceeded packets"

This of course is only true if the router generating the icmp packet is
not the endpoint, but only a hop in the path.

I checked the code (or at least tried to).
It seems like it's in function icmp6_reflect in file icmp6.c at lines
1144/1147.

This code (if I understood it correctly) :
- fetches the route to the destination
- gets the interface source address for this route
- uses it as the source for the generated IP packet

As my routes are installed with link-local addresses by OSPFv3, I get a
generated packet with a link local source-address.
The problem is when the destination is not on the local subnet : the
generated packet is unroutable and never makes it to its destination

Would it be better to try to find another address on the interface that
is not link local if the destination address isn't on the interface
subnets ?
Sadly, I can't provide a patch, sorry, I'm not that skilled in OpenBSD.

I thought of a pf trickery like :
pass out quick inet6 proto icmp6 from fe80::/10 to any icmp6-type timex nat-to lo1
but that won't work because the generated packet itself will be matching
a state and this rule won't even be evaluated.

Does anyone have an idea how I could get these icmp6 packets to reach
their destination ?

Thanks for your help !
Arnaud
Stuart Henderson
2018-11-28 17:48:49 UTC
Known problem, no known workaround. I tried hard to find a way to do
this with PF but I don't think there is one.

bluhm@ pointed out "pf with IPv6 link-local addresses does not
work properly. I think it cannot parse the %if suffixes. The KAME hack
scope id is not handled" in my previous thread on this
(https://marc.info/?t=153875386500001&r=1&w=2).
Arnaud BRAND
2018-11-28 18:01:41 UTC
Thanks Stuart !
God, I can't understand how I missed this one.
What are you guys using as a search engine to find these messages ?

I was looking at adding a call to in6_ifawithscope() after line 1144 in
icmp6_reflect.
Sadly I had no time to do it/test it today.
Don't you reckon this would/could work ?
Martin Pieuchot
2018-11-28 20:33:23 UTC
Post by Arnaud BRAND
Would it be better to try to find another address on the interface that
is not link local if the destination address isn't on the interface
subnets ?
That could be a solution. But if you do that, why don't you attach the
routes to a routable address in the first place?

Why is ospfd(8) not doing that?
Arnaud BRAND
2018-11-28 21:17:52 UTC
Post by Martin Pieuchot
That could be a solution. But if you do that, why don't you attach the
routes to a routable address in the first place?
Why is ospfd(8) not doing that?
I'm not 100% sure, but afaik that's standard behavior for ospf6d.
At least that's what I have seen on the few different brands I've worked
with so far.

The old thread contains more information imho, so I'm gonna revive it.
Stuart Henderson
2018-11-28 21:31:01 UTC
Post by Martin Pieuchot
That could be a solution. But if you do that, why don't you attach the
routes to a routable address in the first place?
Why is ospfd(8) not doing that?
It's how the OSPFv3 protocol works for IPv6 addresses, it doesn't know
the globally-routable address for the interface (AFAIK it doesn't even
*need* a globally routable address on the interface - can just have
link-locals there and one global address, e.g. just on a loopback
address).
Claudio Jeker
2018-11-28 21:33:38 UTC
Post by Martin Pieuchot
That could be a solution. But if you do that, why don't you attach the
routes to a routable address in the first place?
Why is ospfd(8) not doing that?
ospf6d is using link-local addresses for nexthops because the standard
says so. It is indeed an annoyance that some systems bypass by using a
loopback IP for all ICMP packets.
--
:wq Claudio
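
A user-space model of the source selection discussed in this thread, added here as an illustration and not OpenBSD's icmp6_reflect code: it prefers a source whose scope matches the destination (Arnaud's proposal) and falls back to a loopback address (the workaround Claudio mentions). The names pick_icmp6_source, scope_of and first_match and all addresses are constructed for the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data; 2001:db8::/32 is the documentation prefix. */
static const char *ospf_if[] = { "fe80::1" };                     /* link-local only */
static const char *dual_if[] = { "fe80::1", "2001:db8:0:12::1" }; /* plus a global */
static const char *lo1[] = { "2001:db8::ffff" };                  /* loopback address */

/* 1 = link-local (fe80::/10), 0 = treated as routable here, -1 = unparsable. */
static int scope_of(const char *s)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, s, &a) != 1)
        return -1;
    return IN6_IS_ADDR_LINKLOCAL(&a) ? 1 : 0;
}

/* First address in the list with the wanted scope, or NULL. */
static const char *first_match(const char **addrs, size_t n, int want)
{
    for (size_t i = 0; i < n; i++)
        if (scope_of(addrs[i]) == want)
            return addrs[i];
    return NULL;
}

/* Hypothetical model: choose the source for an ICMPv6 error sent to dst.
 * out_if = addresses on the interface the route points at, lo_if = loopback. */
const char *pick_icmp6_source(const char *dst, const char **out_if, size_t n_out,
    const char **lo_if, size_t n_lo)
{
    const char *src;

    if (scope_of(dst) == 1)                      /* on-link peer: link-local is fine */
        return first_match(out_if, n_out, 1);
    if ((src = first_match(out_if, n_out, 0)))   /* scope matches the destination */
        return src;
    if ((src = first_match(lo_if, n_lo, 0)))     /* loopback fallback */
        return src;
    return first_match(out_if, n_out, 1);        /* unroutable: the thread's symptom */
}

int main(void)
{
    printf("%s\n", pick_icmp6_source("2001:db8:99::5", ospf_if, 1, lo1, 1));
    printf("%s\n", pick_icmp6_source("2001:db8:99::5", dual_if, 2, lo1, 1));
    return 0;
}
```

With only a link-local address on the transit interface and no loopback address supplied, the model returns fe80::1, which is the case described in the original post.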