FreeBSD does not reply to IPv6 Neighbor Solicitations

Victor Sudakov vas at sibptus.ru
Tue Jan 5 10:46:53 UTC 2021


Lutz Donnerhacke wrote:
> Victor Sudakov wrote:
> > Paul Mather wrote:
> > > >>>> Why could it be that a FreeBSD 12.2 host does not reply to ICMPv6
> > > >>>> Neighbor Solicitations from the router?
> > 
> > Well, Neighbor Solicitations (ICMPv6 type 135) and Neighbor
> > Advertisements (ICMPv6 type 136) are not exactly routing messages, they
> > are the equivalent of the ARP protocol in IPv6, and AFAIK should work
> > between any two IPv6 nodes to map L3 addresses to L2 addresses, even if
> > there are no routers on the segment. Correct me if I'm wrong.
> 
> Correct.
> 
> > You may be right but then it is certainly a bug. Unfortunately I cannot
> > reproduce the problem with any reliability, this thing works more often
> > than not.
> 
> May you be able to capture the icmp6 traffic of this interface with respect
> to ND? I'm really interested in seeing, that the box does not respond to a
> given NS query.

Here you are http://admin.sibptus.ru/~vas/nd1.pcapng

> 
> There are various reasons, why this may happen, i.e. sender IP in the NS is
> out of prefix of the target IP. This may happen, if multiple prefixes are
> added to the interface. Some devices (like Cisco ASA) are very picky on
> matching source/target IPs. So it might be possible, that the problem is not
> the FreeBSD box, but the querying device (Mikrotik?)

Maybe. The Mikrotik sends neighbor solicitations from a link-local
address, as you can see in the packet dump above. Is this correct
behavior?

> 
> There is no problem with neighbour discovery without the ACCEPT_RTADV
> option. It simply works.

I thought as much.

> So it works in both directions.
> Please note, that the first NS query is coming from a link-local address and
> requesting a global IP. This will not always be answered by any device out
> there (especially if the roles are reversed)

Hmm, this is an interesting observation, please see the packet dump
above, what do you say?

And what do standards say, what should be the source address of a
neighbor solicitation when the target address is a global address?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
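
Added example, not part of the original message: the two conditions raised in this thread (a Neighbor Solicitation sent from a link-local source for a global target, and a source address outside the target's prefix) can be checked on captured packets. The addresses are constructed from the documentation prefix, and the /64 prefix length, the absence of extension headers and the helper names are assumptions.

```python
import ipaddress
import struct

NS = 135  # ICMPv6 Neighbor Solicitation type, as named in the thread
ICMPV6 = 58  # IPv6 next-header value for ICMPv6


def build_ns(src, dst, target):
    """Constructed sample: raw IPv6 header + NS body (checksum left at 0)."""
    body = struct.pack("!BBHI", NS, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    hdr = struct.pack("!IHBB", 6 << 28, len(body), ICMPV6, 255)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + body)


def classify_ns(pkt, prefixlen=64):
    """Return None unless pkt is an IPv6 NS; otherwise relate source to target."""
    # 40-byte IPv6 header, then type/code/checksum/reserved (8), then target (16).
    if len(pkt) < 64 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6 or pkt[40] != NS:
        return None
    src = ipaddress.IPv6Address(pkt[8:24])
    target = ipaddress.IPv6Address(pkt[48:64])
    # Assumed prefix length: the on-link prefix is taken to be target/prefixlen.
    net = ipaddress.IPv6Network((target, prefixlen), strict=False)
    if src.is_unspecified:
        kind = "unspecified"      # source "::" is used by duplicate address detection
    elif src.is_link_local:
        kind = "link-local"
    else:
        kind = "global/other"
    return {
        "src": str(src),
        "target": str(target),
        "src_kind": kind,
        "target_is_link_local": target.is_link_local,
        "src_in_target_prefix": src in net,
    }


if __name__ == "__main__":
    # Constructed packets: link-local source vs. same-prefix global source.
    for s in ("fe80::1", "2001:db8:1::1", "2001:db8:2::1"):
        print(classify_ns(build_ns(s, "ff02::1:ff00:10", "2001:db8:1::10")))
```
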