On 2018-11-28 18:48, Stuart Henderson wrote:
On 2018-11-27, Arnaud BRAND <arnaud.brand--o...@tib.cc> wrote:
Good evening everyone,

I am stuck with an IPv6 traceroute problem in an OSPFv3 environment.

Long story short:
- IPv6 routes are propagated using OSPFv3
- so they are installed with link-local gateways in the fib
- ICMPv6 "time exceeded" packets are generated with link-local source
address
- these packets are not to be routed so they do not get past the next
hop
- the endpoint never receives the "time exceeded packets"

This of course is only true if the router generating the icmp packet is
not the endpoint, but only a hop in the path.

I checked the code (or at least tried to).
It seems like it's in function icmp6_reflect in file icmp6.c at lines
1144/1147.

This code (if I understood it correctly) :
- fetches the route to the destination
- gets the interface source address for this route
- uses it as the source for the generated IP packet

As my routes are installed with link-local addresses by OSPFv3, I get a
generated packet with a link local source-address.
The problem is when the destination is not on the local subnet : the
generated packet is unroutable and never makes it to its destination

Would it be better to try to find another address on the interface that
is not link local if the destination address isn't on the interface
subnets ?
Sadly, I can't provide a patch, sorry, I'm not that skilled in OpenBSD.

I thought of a pf trickery like :
pass out quick inet6 proto icmp6 from fe80::/10 to any icmp6-type timex nat-to lo1
but that won't work because the generated packet itself will be matching
a state and this rule won't even be evaluated.

Does anyone have an idea how I could get these icmp6 packets to reach
their destination ?

Thanks for your help !
Arnaud



Known problem, no known workaround. I tried hard to find a way to do
this with PF but I don't think there is one.

bluhm@ pointed out "pf with IPv6 link-local addresses does not
work properly. I think it cannot parse the %if suffixes. The KAME hack
scope id is not handled" in my previous thread on this
(https://marc.info/?t=153875386500001&r=1&w=2).

Thanks Stuart !
God, I can't understand how I missed this one.
What are you guys using as a search engine to find these messages ?

I was looking at adding a call to in6_ifawithscope() after line 1144 in icmp6_reflect.
Sadly I had no time to do it/test it today.
Don't you reckon this would/could work ?
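
The scope comparison behind the proposal above, as an added userland example that is not part of the thread and is not OpenBSD kernel code: it applies RFC 6724 rule 2 (prefer appropriate scope) to a constructed interface address list. The function names and sample addresses are assumptions, and the behaviour of in6_ifawithscope() itself is not shown.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>

/* Scope values from RFC 6724 section 3.1; loopback and multicast are
 * left out of this simplified sketch. */
enum { SCOPE_LINK = 0x2, SCOPE_SITE = 0x5, SCOPE_GLOBAL = 0xe };

static int addr_scope(const struct in6_addr *a)
{
    if (a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80)
        return SCOPE_LINK;              /* fe80::/10 */
    if (a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0xc0)
        return SCOPE_SITE;              /* fec0::/10 (deprecated) */
    return SCOPE_GLOBAL;
}

/* 1 if the scope of src covers the scope of dst, 0 if it is too small
 * (the link-local "time exceeded" case), -1 on a parse error. */
int scope_ok(const char *src, const char *dst)
{
    struct in6_addr s, d;
    if (inet_pton(AF_INET6, src, &s) != 1 || inet_pton(AF_INET6, dst, &d) != 1)
        return -1;
    return addr_scope(&s) >= addr_scope(&d);
}

/* Index of the preferred source in cand[] for dst, or -1 if none parses.
 * Rule 2: if the smaller-scoped candidate is below the destination scope,
 * prefer the larger one; otherwise prefer the smaller one. */
int pick_source(const char *const cand[], size_t n, const char *dst)
{
    struct in6_addr a, d;
    int best = -1, best_scope = 0;
    if (inet_pton(AF_INET6, dst, &d) != 1) return -1;
    int ds = addr_scope(&d);
    for (size_t i = 0; i < n; i++) {
        if (inet_pton(AF_INET6, cand[i], &a) != 1) continue;
        int s = addr_scope(&a), lower = s < best_scope ? s : best_scope;
        if (best < 0 || (s != best_scope &&
            (lower < ds ? s > best_scope : s < best_scope))) {
            best = (int)i; best_scope = s;
        }
    }
    return best;
}

int main(void) {
    const char *ifa[] = { "fe80::1", "2001:db8:1::1" };   /* constructed */
    printf("source index: %d\n", pick_source(ifa, 2, "2001:db8:ffff::5"));
    return 0;
}
```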
