Robert Elz <[email protected]> wrote:
> It seems as if what is happening, is that the router is sending RA's with
> the source-link addr option, which isn't being added to the neighbour
> cache.

Yes, it looks like that's what's going on here. It seems that:

An RS is sent by the node. The router replies with an RA, including the source link-layer address option. The node follows RFC4861:

"If there is no existing Neighbor Cache entry for the solicitation's sender, the router creates one, installs the link-layer address and sets its reachability state to STALE as specified in Section 7.3.3."

So now we have a STALE cache entry. So when we want to then send a packet, the node changes the state to DELAY and gives it a 5s expiration, and sends an NS. The router appears to either ignore the NS or treat it as an RS and instead of replying with an NA, sends an RA, again with the source link-layer address, which restarts the cycle.

Now on Ubuntu, it looks like the node similarly marks the link address it learned via the RA into STALE state, moves it out of STALE into DELAY, but then, upon receiving the RA, changes it to REACHABLE without sending an NS. This appears to be in violation of RFC4861:

"Receipt of other Neighbor Discovery messages, such as Router Advertisements and Neighbor Advertisement with the Solicited flag set to zero, MUST NOT be treated as a reachability confirmation."

(The RAs do _not_ have the Solicited flag set.)

So if this is correct, then it looks like (a) the router is misbehaving (it should send an NA when we so politely ask), and (b) at least Ubuntu is wrong in accepting an unsolicited RA as a reachability confirmation.

Now the really strange thing then is that on FreeBSD, I notice that after the RA, it sends out an NS, and it receives an NA from the router! I can't make sense of this.

Here are the three pcaps:

http://www.netmeister.org/tmp/ubuntu.pcap
http://www.netmeister.org/tmp/freebsd.pcap
http://www.netmeister.org/tmp/netbsd.pcap

All three on the same VPC talking to the same router.

Btw, if you want to replicate the setup and have an AWS account, you can use ami-0018b2d98332ba7e3 (in us-east-1), which is the AMI I'm using here.

-Jan
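
The neighbor cache transitions discussed in the message above, as an added example that is not part of the original message and is not taken from any operating system's code: a small Python model of RFC 4861 Neighbor Unreachability Detection, replayed against a router that answers probes only with RAs and against one that sends a solicited NA. Assumptions: the event traces and the MAC address are constructed, `strict=False` stands for a host that accepts an RA as reachability confirmation (the behaviour the message reports for Ubuntu), the REACHABLE timeout is not modelled, and the link-layer address in an NA is taken to match the cached one.

```python
from enum import Enum

State = Enum("State", "NONE STALE DELAY PROBE REACHABLE")
MAX_UNICAST_SOLICIT = 3            # RFC 4861 section 10
ROUTER = "02:00:00:00:00:01"       # constructed link-layer address

class Neighbor:
    """One Neighbor Cache entry. strict=False accepts an RA as confirmation."""
    def __init__(self, strict=True):
        self.strict, self.state, self.lladdr, self.probes = strict, State.NONE, None, 0

    def on_ra(self, sllao):
        if self.state is State.NONE or sllao != self.lladdr:
            self.state, self.lladdr, self.probes = State.STALE, sllao, 0
        elif not self.strict and self.state in (State.DELAY, State.PROBE):
            self.state = State.REACHABLE      # the shortcut RFC 4861 forbids

    def on_send(self):
        if self.state is State.STALE:
            self.state = State.DELAY          # arms the 5 s delay timer

    def on_timer(self):
        if self.state is State.DELAY:
            self.state, self.probes = State.PROBE, 1      # first unicast NS
        elif self.state is State.PROBE and self.probes < MAX_UNICAST_SOLICIT:
            self.probes += 1                              # retransmit NS
        elif self.state is State.PROBE:
            self.state, self.lladdr = State.NONE, None    # give up, drop entry

    def on_na(self, solicited):
        if solicited and self.state is not State.NONE:
            self.state = State.REACHABLE      # solicited NA confirms reachability

def replay(events, strict=True):
    """Feed (kind, *args) events to a fresh entry; return the state after each."""
    n, history = Neighbor(strict), []
    for kind, *args in events:
        getattr(n, "on_" + kind.lower())(*args)
        history.append(n.state.name)
    return history

# Constructed traces: router answering only with RAs, and with a solicited NA.
RA_ONLY = [("RA", ROUTER), ("SEND",), ("RA", ROUTER), ("TIMER",), ("RA", ROUTER),
           ("TIMER",), ("TIMER",), ("TIMER",), ("RA", ROUTER)]
WITH_NA = [("RA", ROUTER), ("SEND",), ("TIMER",), ("NA", True)]

if __name__ == "__main__":
    for name, ev, strict in [("strict/RA", RA_ONLY, True),
                             ("lenient/RA", RA_ONLY, False),
                             ("strict/NA", WITH_NA, True)]:
        print(name, replay(ev, strict))
```

In the strict run against the RA-only router the entry never reaches REACHABLE: it is dropped after three unanswered probes and recreated as STALE by the next RA.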
