ipv6 default router Operation not permitted

Schrodinger schrodinger at konundrum.org
Wed Mar 13 16:27:04 UTC 2013


On 2013/03/13 16:59, Mark Martinec wrote:

Hi Mark,

[...]

> 
> > Does adding the interface route not put the default gateway on-link
> > though ?
> 
> I don't think it does. The on-link state of an address comes
> from matching the address to a set of prefixes on an interface,
> or finding it in the ndp cache - perhaps as a result of receiving
> a redirect message, or manually.
> 
> 
> RFC 4861 section 2.1.:
> 
> on-link - an address that is assigned to an interface on a
>           specified link.  A node considers an address to be
>           on-link if:
> 
>   - it is covered by one of the link's prefixes (e.g.,
>     as indicated by the on-link flag in the Prefix
>     Information option), or
> 
>   - a neighboring router specifies the address as the
>     target of a Redirect message, or
> 
>   - a Neighbor Advertisement message is received for
>     the (target) address, or
> 
>   - any Neighbor Discovery message is received from
>     the address.
> 

Quite correct and I had read through this last night but I only now see
that adding the route doesn't indicate the presence of the prefix on
that link. And >this< is the problem. Duh.

> 
> > Also from the information I have received, router advertisements may be
> > turned off in the future, my host should simply Neighbour Solicit for
> > the global scope unicast address of my default gateway.
> 
> A host would not send a Neighbour Solicitation for an address
> which is not considered on-link:
> 
> RFC 4861 section 7.2
> 
>   Address resolution is the process through which a node determines the
>   link-layer address of a neighbor given only its IP address.  Address
>   resolution is performed only on addresses that are determined to be
>   on-link and for which the sender does not know the corresponding
>   link-layer address (see Section 5.2).
> 

Again quite correct, I had read this as well trying to understand what
should happen. My thinking was that the host route should indicate to
FreeBSD that the default gateway is on that link but it is the
configuration of a prefix _ON_ an interface that does that.

This would be a "No Shit Sherlock" moment for me, thanks! :)

> 
> > was that because of the host route for the default gateway FreeBSD does
> > not solicit for the "on-link gateway" because the interface is not set 
> > to ACCEPT_RTADV. But that doesn't make immediate sense.
> > 
> > And as pointed out in previous emails without ACCEPT_RTADV for
> > re0 - FreeBSD does not perform this action.
> 
> The router's link-layer address is available in RA messages.
> If you turn off ACCEPT_RTADV (or if a router does not send them),
> the only way to obtain a router's link-layer address would be
> by sending a Neighbour Solicitation (which is only sent to an
> address which is considered on-link), or by manually placing
> it in the NDP cache.
> 

FreeBSD of course isn't performing ND for the default gateway because it
is not on the same link as my interface, regardless of what the routing
table says.

What I am confused about is that without ACCEPT_RTADV on re0, FreeBSD
doesn't perform Neighbour Solicitation for the default gateway but with
ACCEPT_RTADV it does ..... Why ? This is Neighbour Solicitation and not
Router Solicitation....

I understand that FreeBSD doesn't consider the default gateway to be
"on-link" so it does not perform ND for it but why does it perform ND
when ACCEPT_RTADV is set on re0 ? "Surely" ACCEPT_RTADV only affects
Router Advertisements / Solicitations and not ND.

I have done packet captures and with ACCEPT_RTADV I see the initial
Neighbour Solicitation and the Neighbour Advertisement to and from my
default gateway.

Without ACCEPT_RTADV - FreeBSD simply doesn't try to perform ND for the
address. This is where I am uncertain if this is expected or not.

> > So again, what is the correct way ? I think this is a debate of IPv6
> > Protocol vs. IPv6 Policy vs. Network architecture.
> 
> I'm not sure, but it appears to me that adding the router's
> link-layer address to the NDP cache looks like the only
> reliable way, in absence of router advertisements.
> 

Yes, this would work and there is a configuration directive in rc.conf
to achieve this but what if the link layer address changes for my
default gateway ? Say a hardware failure and it changes, I would lose
IPv6 connectivity.

I guess a solution is to just ask OVH if they can continue to perform RA.

Cheers,
C.
-- 
+---------------------------------------------------------------+
Quidquid latine dictum sit, altum sonatur.
MSN: schro5 at hotmail.com
ICQ: 112562229
GPG: http://www.konundrum.org/schro.asc
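
The on-link rule discussed in this thread, as an added example that is not part of the original message and is not FreeBSD's implementation: a small Python model of the RFC 4861 section 2.1 conditions quoted above, showing that the routing table plays no part in the decision. All addresses, the MAC address and the names `Link`, `on_link_reason`, `resolve_next_hop` and `demo` are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Link:
    prefixes: list = field(default_factory=list)   # on-link prefixes (configured or from RA)
    redirects: set = field(default_factory=set)    # targets named in Redirect messages
    nd_heard: set = field(default_factory=set)     # NA targets / sources of ND messages
    ndp_cache: dict = field(default_factory=dict)  # address -> link-layer address (incl. static)

def on_link_reason(link, addr):
    """Return the RFC 4861 section 2.1 condition that makes addr on-link, or None."""
    ip = ipaddress.IPv6Address(addr)
    for p in link.prefixes:
        if ip in ipaddress.IPv6Network(p):
            return "prefix " + p
    if ip in link.redirects:
        return "redirect target"
    if ip in link.nd_heard:
        return "neighbor discovery message"
    return None

def resolve_next_hop(link, gateway):
    """Decide how the host reaches gateway. Routes are deliberately not consulted:
    a route naming the interface does not add a prefix to the link."""
    ip = ipaddress.IPv6Address(gateway)
    if ip in link.ndp_cache:
        return "send using cached " + link.ndp_cache[ip]
    reason = on_link_reason(link, gateway)
    if reason is None:
        return "no address resolution: gateway not on-link"
    return "send Neighbor Solicitation (" + reason + ")"

def demo():
    gw = "2001:db8:0:ff::1"                       # constructed gateway outside the host /64
    results = []
    link = Link(prefixes=["2001:db8:0:1::/64"])   # only the host's own prefix is on the link
    results.append(resolve_next_hop(link, gw))
    link.prefixes.append("2001:db8::/56")         # a prefix covering the gateway is configured
    results.append(resolve_next_hop(link, gw))
    static = Link(prefixes=["2001:db8:0:1::/64"],
                  ndp_cache={ipaddress.IPv6Address(gw): "00:00:5e:00:53:01"})
    results.append(resolve_next_hop(static, gw))  # static NDP entry, no prefix needed
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```
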