Revisiting FreeBSD-SA-08:10.nd6 (or: avoiding IPv6 pain)

Dennis Kögel dk at neveragain.de
Fri Mar 6 07:11:49 UTC 2020


On 05.03.2020 at 07:56, Hiroki Sato <hrs at freebsd.org> wrote:
> dk> I've spent quite some time debugging weird intermittent IPv6
> dk> connectivity issues over the last few days.
> dk> 
> dk> It turned out that net.inet6.icmp6.nd6_onlink_ns_rfc4861=1 fixed those
> dk> problems.
> 
> What was the problem more specifically?

In short, the uplink's router sent Neighbor Solicitations sometimes with a public address as source - one of its addresses that is not specifically on the link to my host. Which, to my current understanding, is perfectly legal.

FreeBSD by default considers this address to be a "non-neighbor" and silently drops the packet. So from the uplink router's perspective, they tried to reach my box, to learn the link-layer address, but my box did not respond, therefore traffic could not be forwarded to me.

After a while of being unreachable, the router retries from a fe80:: address, which works fine, of course. This cycle happened every 30-120 minutes, probably depending on traffic levels (neighbor cache).

Only after studying tcpdump, getting a hunch, and turning on nd6_debug did I start to understand what was happening.

tcpdump:

23:30:54.175447 IP6 2001:db8:28::3 > 2001:db8:28:6cc::22:c: ICMP6, neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32
23:30:55.171125 IP6 2001:db8:28::3 > 2001:db8:28:6cc::22:c: ICMP6, neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32
23:30:56.171814 IP6 2001:db8:28::3 > 2001:db8:28:6cc::22:c: ICMP6, neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32
23:31:05.184814 IP6 fe80::22d8:b00:8cee:ff4 > ff02::1:ff22:c: ICMP6, neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32
23:31:05.184889 IP6 fe80::6472:6eff:fe45:12e1 > fe80::22d8:b00:8cee:ff4: ICMP6, neighbor advertisement, tgt is 2001:db8:28:6cc::22:c, length 32

Let me know if you have further questions on the setup or the effects.

- D.
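
An added example, not part of the original post: a script that runs the check described above over the tcpdump lines, flagging Neighbor Solicitations whose source is neither link-local nor inside the host's on-link prefix and listing solicitors that never received an advertisement. The /64 prefix length and the function names are assumptions, and the neighbor test is a simplified model, not the kernel's code.

```python
import ipaddress
import re

# The tcpdump lines from the post above, embedded so the script runs offline.
SAMPLE = """\
23:30:54.175447 IP6 2001:db8:28::3 > 2001:db8:28:6cc::22:c: ICMP6, neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32
23:30:55.171125 IP6 2001:db8:28::3 > 2001:db8:28:6cc::22:c: ICMP6, neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32
23:30:56.171814 IP6 2001:db8:28::3 > 2001:db8:28:6cc::22:c: ICMP6, neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32
23:31:05.184814 IP6 fe80::22d8:b00:8cee:ff4 > ff02::1:ff22:c: ICMP6, neighbor solicitation, who has 2001:db8:28:6cc::22:c, length 32
23:31:05.184889 IP6 fe80::6472:6eff:fe45:12e1 > fe80::22d8:b00:8cee:ff4: ICMP6, neighbor advertisement, tgt is 2001:db8:28:6cc::22:c, length 32
"""

# Assumption: the on-link prefix is a /64; the post does not give the prefix length.
ONLINK = [ipaddress.ip_network("2001:db8:28:6cc::/64")]

LINE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>[0-9a-fA-F:]+): ICMP6, "
    r"neighbor (?P<kind>solicitation|advertisement), "
    r"(?:who has|tgt is) (?P<tgt>[0-9a-fA-F:]+)")

def is_neighbor(addr, onlink=ONLINK):
    """Simplified neighbor test: link-local, or inside an on-link prefix."""
    ip = ipaddress.ip_address(addr)
    return ip.is_link_local or any(ip in net for net in onlink)

def audit(text, onlink=ONLINK):
    """Flag NS from non-neighbor sources and solicitors that never got an NA."""
    offlink, pending = [], {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        tgt = ipaddress.ip_address(m["tgt"])
        if m["kind"] == "solicitation":
            if not is_neighbor(m["src"], onlink):
                offlink.append((m["ts"], m["src"], m["tgt"]))
            pending[(ipaddress.ip_address(m["src"]), tgt)] = m["ts"]
        else:
            # An NA sent to the solicitor for the same target answers its NS.
            pending.pop((ipaddress.ip_address(m["dst"]), tgt), None)
    unanswered = sorted({str(src) for src, _ in pending})
    return {"offlink_ns": offlink, "unanswered": unanswered}

if __name__ == "__main__":
    result = audit(SAMPLE)
    for ts, src, tgt in result["offlink_ns"]:
        print(f"{ts} NS for {tgt} from off-link source {src}")
    print("never answered:", ", ".join(result["unanswered"]) or "none")
```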

