On Mon, Nov 21, 2016 at 03:15:39PM +0100, Martin Pieuchot wrote:
> naddy@ confirmed this diff fixes his tunnel mode setup, ok?
IPv6 neighbor discovery over IPsec does not work reliably. It uses
link-local, global and multicast addresses and depending on your
flows and SA it either works or not.
The (sizeof(*hip6) < ln->ln_hold->m_len) check is wrong, so the
code used saddr6 = NULL before. With that and m_inject() it worked.
We have a bug that was hiding a problem, but now the bug is not
triggered anymore.
Then there is RFC 2461 written in this old IPv6 spirit. If we have
a bunch of address scopes, use the best matching address. Then
chances are high, that autoconfiguration and featuritis works.
SEND brings the issue to a new x509 certificate problem level.
I am not sure what to do.
mpi@ suggests to remove the IPv6 spirit and by accident it fixes
naddy@'s problem. I am a bit reluctant to remove it. It is not a
propper fix and may trigger problems elsewhere.
In my IPv6+IPsec setup I use a separate unencrypted network for
IKE, ESP and corresponding ND packets.
For transparent mode I have no better solution than excluding ICMP6
from the flow.
At least we should put something into the ipsec.conf(5) man page.
bluhm
>
> > Index: netinet6/nd6_nbr.c
> > ===
> > RCS file: /cvs/src/sys/netinet6/nd6_nbr.c,v
> > retrieving revision 1.110
> > diff -u -p -r1.110 nd6_nbr.c
> > --- netinet6/nd6_nbr.c 23 Aug 2016 11:03:10 - 1.110
> > +++ netinet6/nd6_nbr.c 4 Nov 2016 09:02:47 -
> > @@ -433,54 +433,23 @@ nd6_ns_output(struct ifnet *ifp, struct
> > }
> > ip6->ip6_dst = dst_sa.sin6_addr;
> > if (!dad) {
> > - /*
> > -* RFC2461 7.2.2:
> > -* "If the source address of the packet prompting the
> > -* solicitation is the same as one of the addresses assigned
> > -* to the outgoing interface, that address SHOULD be placed
> > -* in the IP Source Address of the outgoing solicitation.
> > -* Otherwise, any one of the addresses assigned to the
> > -* interface should be used."
> > -*
> > -* We use the source address for the prompting packet
> > -* (saddr6), if:
> > -* - saddr6 is given from the caller (by giving "ln"), and
> > -* - saddr6 belongs to the outgoing interface.
> > -* Otherwise, we perform the source address selection as usual.
> > -*/
> > - struct ip6_hdr *hip6; /* hold ip6 */
> > - struct in6_addr *saddr6;
> > +/* Perform source address selection. */
> > + struct rtentry *rt;
> >
> > - if (ln && ln->ln_hold) {
> > - hip6 = mtod(ln->ln_hold, struct ip6_hdr *);
> > - /* XXX pullup? */
> > - if (sizeof(*hip6) < ln->ln_hold->m_len)
> > - saddr6 = &hip6->ip6_src;
> > - else
> > - saddr6 = NULL;
> > - } else
> > - saddr6 = NULL;
> > - if (saddr6 && in6ifa_ifpwithaddr(ifp, saddr6))
> > - src_sa.sin6_addr = *saddr6;
> > - else {
> > - struct rtentry *rt;
> > + rt = rtalloc(sin6tosa(&dst_sa), RT_RESOLVE,
> > + m->m_pkthdr.ph_rtableid);
> > + if (!rtisvalid(rt)) {
> > + char addr[INET6_ADDRSTRLEN];
> >
> > - rt = rtalloc(sin6tosa(&dst_sa), RT_RESOLVE,
> > - m->m_pkthdr.ph_rtableid);
> > - if (!rtisvalid(rt)) {
> > - char addr[INET6_ADDRSTRLEN];
> > -
> > - nd6log((LOG_DEBUG,
> > - "%s: source can't be determined: dst=%s\n",
> > - __func__, inet_ntop(AF_INET6,
> > - &dst_sa.sin6_addr, addr, sizeof(addr;
> > - rtfree(rt);
> > - goto bad;
> > - }
> > - src_sa.sin6_addr =
> > - ifatoia6(rt->rt_ifa)->ia_addr.sin6_addr;
> > + nd6log((LOG_DEBUG,
> > + "%s: source can't be determined: dst=%s\n",
> > + __func__, inet_ntop(AF_INET6,
> > + &dst_sa.sin6_addr, addr, sizeof(addr;
> > rtfree(rt);
> > + goto bad;
> > }
> > + src_sa.sin6_addr = ifatoia6(rt->rt_ifa)->ia_addr.sin6_addr;
> > + rtfree(rt);
> > } else {
> > /*
> > * Source address for DAD packet must always be IPv6
> >
