On Thu, Oct 06, 2016 at 11:12:18PM +0200, Christian Weisgerber wrote:
> Something is very broken at the intersection of IPv6, NDP, and IPsec
> in -current.

I also see issues with IPv6 and NDP, but no IPsec involved. There are several other threads on bugs@ about broken IPv6.

It seems that sending neighbor solicitation retries for expired ND entries does not work. The diff below helps in my case, although it is only a workaround and not MP safe. It would be interesting to know whether it also affects your scenario.

The RTF_CACHED code was introduced with this commit:

----------------------------
revision 1.190
date: 2016/08/22 16:01:52; author: mpi; state: Exp; lines: +24 -6; commitid: Jx7agqiuXqs8RRGd;
Make the ``rt_gwroute'' pointer of RTF_GATEWAY entries immutable.

This means that no protection is needed to guarantee that the next hop route wont be modified by CPU1 while CPU0 is dereferencing it in a L2 resolution functions.

While here also fix an ``ifa'' leak resulting in RTF_GATEWAY being always invalid.

dlg@ likes it, inputs and ok bluhm@
----------------------------

bluhm

Index: netinet6/nd6.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/nd6.c,v retrieving revision 1.193 diff -u -p -r1.193 nd6.c --- netinet6/nd6.c 3 Oct 2016 12:33:21 -0000 1.193 +++ netinet6/nd6.c 13 Oct 2016 21:47:25 -0000 @@ -827,7 +827,7 @@ nd6_free(struct rtentry *rt, int gc) * caches, and disable the route entry not to be used in already * cached routes. */ - if (!ISSET(rt->rt_flags, RTF_STATIC|RTF_CACHED)) + if (!ISSET(rt->rt_flags, RTF_STATIC)) rtdeletemsg(rt, ifp, ifp->if_rdomain); splx(s);
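
Review bot: In nd6_free(), dropping RTF_CACHED from the ISSET() test means rtdeletemsg(rt, ifp, ifp->if_rdomain) now also runs for RTF_CACHED entries, and the only protection visible around that call is the spl section closed by splx(s). The revision 1.190 log quoted above ties the RTF_CACHED code to keeping rt_gwroute immutable so that one CPU can dereference the next hop route while another is running, so deleting these entries here brings back the case that commit was written to rule out. Since the mail already calls this a workaround that is not MP safe, I would put that in the code as an XXX comment directly above the changed test, and check whether the existing comment ("disable the route entry not to be used in already cached routes") still describes what happens once cached entries are deleted too. The longer-term fix probably belongs in the neighbor solicitation retry path for expired ND entries rather than in this flag test.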