Strong host model in IPv6?

Alex Yong annonymouse+freebsd at gmail.com
Fri Mar 9 15:28:17 UTC 2012


Hi all,

I've been playing around with IPv6 networking on FreeBSD release 8.2 and
found that there seems to be no strong incoming host model as specified in
RFC 1122.

I've spotted that in IPv4 there is the sysctl "net.inet.ip.check_interface"
which defaults to set, but I've been unable to find any guarantees that
strong host model is enforced in v6 in the comments or internet.  According
to the IPv6 Core Protocols Implementation book (3.7 "Input processing:
ip6_input() Function") the incoming network packet processing in ip6_input
should use the routing table to look up whether packets are of relevance
for an interface - but the code base has diverged significantly since then
including vnets for jails which makes me wonder if this is a bug.  However
before going into the long grass and trying to fix it I thought I'd ask
here to see if there's anything I could try first, if I'm making some
horrific mistakes, or if somebody had come across this already (I had a
quick look at svn but didn't see anything of concern).

My recipe for reproducing is thus:

One FreeBSD 8.2  machine (the box under test), with 2 network interfaces
(interface 0 and interface 1).  interface 0 is connected to a subnet with
routes to the outside world on v4 and v6.  Interface 1 is connected
directly via ethernet cable to the interface of a testing machine, with v4
disabled and a static v6 address for an unroutable subnet via the other
interface.  A route is configured for this subnet out of interface 1 (to
allow for communications with the testing machine).

The testing machine (which happens to be running FreeBSD) has 2 network
interfaces (interface A and B).  Interface A is connected to the same
subnet as interface 0 (this is for my administration prodding of the
testing device), and interface B is directly connected to interface 1 on
the machine under test.  Interface B has a statically configured IPv6 address
that matches the subnet of interface 1.  It has a route to allow traffic to
flow this way, *and* a route configured to route traffic for the box under
test's interface 0 IPv6 address via interface B.

If I ping interface 0 from box 1, I get a response.  To prove that the
response isn't coming in via the other links I used tcpdump on that
interface on the testing machine *and* the machine under test and showed
packets entering and responses leaving those interfaces.  My expectation
here would be to see packets entering (as the bpf hook is below the IP
layer) but see no response.

I checked sysctl net.inet6.ip6.forwarding is set to 0 (on both machines).

Many thanks for any help

AlexY
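
The input check the message is probing for, as a small model added here (not part of the original post and not FreeBSD's ip6_input code): it replays the recipe's probe against a host applying the RFC 1122 strong model and one applying the weak model. The interface names if0/if1, the `Host` class and the 2001:db8:: addresses are constructed for illustration.

```python
"""Model of RFC 1122 weak vs. strong host input checks (illustrative only)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    # interface name -> set of unicast addresses assigned to it
    interfaces: dict = field(default_factory=dict)
    strong: bool = True

    def add_address(self, ifname, addr):
        self.interfaces.setdefault(ifname, set()).add(ipaddress.ip_address(addr))

    def accepts(self, ingress, dst):
        """Return True if a packet for dst arriving on ingress is delivered locally."""
        dst = ipaddress.ip_address(dst)
        if ingress not in self.interfaces:
            raise ValueError(f"unknown interface {ingress!r}")
        if self.strong:
            # Strong model: dst must be assigned to the receiving interface.
            return dst in self.interfaces[ingress]
        # Weak model: dst may be assigned to any interface on the host.
        return any(dst in addrs for addrs in self.interfaces.values())


# Constructed addresses from the 2001:db8::/32 documentation prefix.
IF0_ADDR = "2001:db8:0:1::10"   # routable side of the box under test
IF1_ADDR = "2001:db8:0:2::1"    # direct link to the testing machine


def run_recipe(strong):
    """Replay the post's test: which probes does the box under test answer?"""
    box = Host(strong=strong)
    box.add_address("if0", IF0_ADDR)
    box.add_address("if1", IF1_ADDR)
    return {
        "if1<-if1": box.accepts("if1", IF1_ADDR),  # same in both models
        "if1<-if0": box.accepts("if1", IF0_ADDR),  # the case in question
        "if0<-if0": box.accepts("if0", IF0_ADDR),
    }


if __name__ == "__main__":
    for strong in (True, False):
        print("strong" if strong else "weak", run_recipe(strong))
```

Only the "if1<-if0" entry differs between the two models, so a reply to that probe is the weak-model result.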


More information about the freebsd-hackers mailing list