On 06/12/16(Tue) 15:23, Alexander Bluhm wrote:
> On Mon, Nov 21, 2016 at 03:15:39PM +0100, Martin Pieuchot wrote:
> > naddy@ confirmed this diff fixes his tunnel mode setup, ok?
>
> IPv6 neighbor discovery over IPsec does not work reliably. It uses
> link-local, global and multicast addresses and depending on your
> flows and SA it either works or not.
>
> The (sizeof(*hip6) < ln->ln_hold->m_len) check is wrong, so the
> code used saddr6 = NULL before. With that and m_inject() it worked.
> We have a bug that was hiding a problem, but now the bug is not
> triggered anymore.
>
> Then there is RFC 2461 written in this old IPv6 spirit. If we have
> a bunch of address scopes, use the best matching address. Then
> chances are high, that autoconfiguration and featuritis works.
>
> SEND brings the issue to a new x509 certificate problem level.
>
> I am not sure what to do.
>
> mpi@ suggests to remove the IPv6 spirit and by accident it fixes
> naddy@'s problem. I am a bit reluctant to remove it. It is not a
> propper fix and may trigger problems elsewhere.
>
> In my IPv6+IPsec setup I use a separate unencrypted network for
> IKE, ESP and corresponding ND packets.
>
> For transparent mode I have no better solution than excluding ICMP6
> from the flow.
>
> At least we should put something into the ipsec.conf(5) man page.
This is still an issue, multiple diffs are floating around, could we
commit a fix?
> > > Index: netinet6/nd6_nbr.c
> > > ===================================================================
> > > RCS file: /cvs/src/sys/netinet6/nd6_nbr.c,v
> > > retrieving revision 1.110
> > > diff -u -p -r1.110 nd6_nbr.c
> > > --- netinet6/nd6_nbr.c 23 Aug 2016 11:03:10 -0000 1.110
> > > +++ netinet6/nd6_nbr.c 4 Nov 2016 09:02:47 -0000
> > > @@ -433,54 +433,23 @@ nd6_ns_output(struct ifnet *ifp, struct
> > > }
> > > ip6->ip6_dst = dst_sa.sin6_addr;
> > > if (!dad) {
> > > - /*
> > > - * RFC2461 7.2.2:
> > > - * "If the source address of the packet prompting the
> > > - * solicitation is the same as one of the addresses assigned
> > > - * to the outgoing interface, that address SHOULD be placed
> > > - * in the IP Source Address of the outgoing solicitation.
> > > - * Otherwise, any one of the addresses assigned to the
> > > - * interface should be used."
> > > - *
> > > - * We use the source address for the prompting packet
> > > - * (saddr6), if:
> > > - * - saddr6 is given from the caller (by giving "ln"), and
> > > - * - saddr6 belongs to the outgoing interface.
> > > - * Otherwise, we perform the source address selection as usual.
> > > - */
> > > - struct ip6_hdr *hip6; /* hold ip6 */
> > > - struct in6_addr *saddr6;
> > > + /* Perform source address selection. */
> > > + struct rtentry *rt;
> > >
> > > - if (ln && ln->ln_hold) {
> > > - hip6 = mtod(ln->ln_hold, struct ip6_hdr *);
> > > - /* XXX pullup? */
> > > - if (sizeof(*hip6) < ln->ln_hold->m_len)
> > > - saddr6 = &hip6->ip6_src;
> > > - else
> > > - saddr6 = NULL;
> > > - } else
> > > - saddr6 = NULL;
> > > - if (saddr6 && in6ifa_ifpwithaddr(ifp, saddr6))
> > > - src_sa.sin6_addr = *saddr6;
> > > - else {
> > > - struct rtentry *rt;
> > > + rt = rtalloc(sin6tosa(&dst_sa), RT_RESOLVE,
> > > + m->m_pkthdr.ph_rtableid);
> > > + if (!rtisvalid(rt)) {
> > > + char addr[INET6_ADDRSTRLEN];
> > >
> > > - rt = rtalloc(sin6tosa(&dst_sa), RT_RESOLVE,
> > > - m->m_pkthdr.ph_rtableid);
> > > - if (!rtisvalid(rt)) {
> > > - char addr[INET6_ADDRSTRLEN];
> > > -
> > > - nd6log((LOG_DEBUG,
> > > - "%s: source can't be determined: dst=%s\n",
> > > - __func__, inet_ntop(AF_INET6,
> > > - &dst_sa.sin6_addr, addr, sizeof(addr))));
> > > - rtfree(rt);
> > > - goto bad;
> > > - }
> > > - src_sa.sin6_addr =
> > > - ifatoia6(rt->rt_ifa)->ia_addr.sin6_addr;
> > > + nd6log((LOG_DEBUG,
> > > + "%s: source can't be determined: dst=%s\n",
> > > + __func__, inet_ntop(AF_INET6,
> > > + &dst_sa.sin6_addr, addr, sizeof(addr))));
> > > rtfree(rt);
> > > + goto bad;
> > > }
> > > + src_sa.sin6_addr = ifatoia6(rt->rt_ifa)->ia_addr.sin6_addr;
> > > + rtfree(rt);
> > > } else {
> > > /*
> > > * Source address for DAD packet must always be IPv6
> > >
>
