RE: ICMPv6 question
"Templin, Fred L" <Fred.L.Templin@boeing.com> Fri, 01 September 2017 16:39 UTC
Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EFA7132D4B for <ipv6@ietfa.amsl.com>; Fri, 1 Sep 2017 09:39:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.321
X-Spam-Level:
X-Spam-Status: No, score=-2.321 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f3hwf6ZJVR9d for <ipv6@ietfa.amsl.com>; Fri, 1 Sep 2017 09:39:40 -0700 (PDT)
Received: from phx-mbsout-02.mbs.boeing.net (phx-mbsout-02.mbs.boeing.net [130.76.184.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 769E5132D57 for <ipv6@ietf.org>; Fri, 1 Sep 2017 09:39:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by phx-mbsout-02.mbs.boeing.net (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id v81GdcCv060829; Fri, 1 Sep 2017 09:39:39 -0700
Received: from XCH15-06-11.nw.nos.boeing.com (xch15-06-11.nw.nos.boeing.com [137.136.239.220]) by phx-mbsout-02.mbs.boeing.net (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id v81GdVdu060798 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=OK); Fri, 1 Sep 2017 09:39:31 -0700
Received: from XCH15-06-08.nw.nos.boeing.com (2002:8988:eede::8988:eede) by XCH15-06-11.nw.nos.boeing.com (2002:8988:efdc::8988:efdc) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Fri, 1 Sep 2017 09:39:30 -0700
Received: from XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) by XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) with mapi id 15.00.1320.000; Fri, 1 Sep 2017 09:39:30 -0700
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Mark Smith <markzzzsmith@gmail.com>
CC: 6man WG <ipv6@ietf.org>
Subject: RE: ICMPv6 question
Thread-Topic: ICMPv6 question
Thread-Index: AdMirYG7EwN54XmxT+uCHTYv5GBqHgARiokAAAHhwYAAESES4A==
Date: Fri, 01 Sep 2017 16:39:30 +0000
Message-ID: <c391c4e9a1fc46d8b6fc258f40fe95e0@XCH15-06-08.nw.nos.boeing.com>
References: <952aab1a2c824a79b98a3f9d2b3a473a@XCH15-06-08.nw.nos.boeing.com> <CAO42Z2xYD-aQAQjFFFh2=iqF42izQw30NnTLPWAvpivFBGPkpg@mail.gmail.com> <862b7558-f0e5-93c9-8d93-b740af0ced6a@gmail.com>
In-Reply-To: <862b7558-f0e5-93c9-8d93-b740af0ced6a@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [137.136.248.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-TM-AS-MML: disable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/5a87FCok43ScGAaAoWWfgWqsJKg>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Sep 2017 16:39:42 -0000
Thanks Mark and Bert for the insights and thanks Brian for the actual experiments; your time and efforts are appreciated. To Bert's question, my concern is for a packet arriving with the link-layer destination address matching the host's MAC address and an IPv6 destination address *not* matching one of the host's IPv6 addresses. The packet would be handed up to the IP layer (i.e., whether or not it is also handed up to the packet filter) and would be dropped silently in the IP layer per Brian's verifications. Now I need to piece together what this means for a node that acts a little bit like a host and a little bit like a router... Fred > -----Original Message----- > From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com] > Sent: Thursday, August 31, 2017 6:21 PM > To: Mark Smith <markzzzsmith@gmail.com>; Templin, Fred L <Fred.L.Templin@boeing.com> > Cc: 6man WG <ipv6@ietf.org> > Subject: Re: ICMPv6 question > > On 01/09/2017 12:26, Mark Smith wrote: > > 2001:db8::f00 > > > > On 1 September 2017 at 09:07, Templin, Fred L <Fred.L.Templin@boeing.com> wrote: > >> I have a question. If an IPV6 host with address 2001:db8::f00 assigned to an interface > >> receives a packet with destination address 2001:db8::baa over that interface, what > >> should it do? Drop the packet silently, or drop and return an ICMPv6 Destination > >> Unreachable? > >> > > > > Hmm, at face value it appears to be a simple question and the answer > > would be DU. > > > > Looking at RFC4443, it limits generation of DUs to routers or the > > packet source host: > > > > "A Destination Unreachable message SHOULD be generated by a router, or > > by the IPv6 layer in the originating node, in response to a packet > > that cannot be delivered to its destination address for reasons other > > than congestion. (An ICMPv6 message MUST NOT be generated if a > > packet is dropped due to congestion.)A Destination Unreachable > > message SHOULD be generated by a router, or > > by the IPv6 layer in the originating node, in response to a packet > > that cannot be delivered to its destination address for reasons other > > than congestion. (An ICMPv6 message MUST NOT be generated if a > > packet is dropped due to congestion.)" > > > > > > Per RFC8200 (a.k.a. new RFC2460), we have these definitions for a > > router and a host > > > > router a node that forwards IPv6 packets not explicitly > > addressed to itself. (See Note below.) > > > > host any node that is not a router. (See Note below.) > > > > > > > > A host is therefore to ignore "IPv6 packets not explicitly addressed > > to itself", which I think means a host does not generate a DU for > > misdirected packets. > > > > > > I was wondering about how this could happen and I think there could be > > two possible causes, > > > > - incorrect ND cache entry for 2001:db8::baa2001:db8::baa, somehow > > with the link layer address of 2001:db8::f00 > > > > - host attached to one end of a point-to-point link, and the upstream > > device (likely router) is blindly forwarding packets over the p2p link > > assuming the destination is at the other end rather than performing ND > > to discover and continue to verify the presence of the specific > > addresses at the other end of the link (That's why I think ND should > > be performed on p2p links. Even a /127 configured on one end of the > > link doesn't guarantee the other address within the /127 is present. > > If a router performed ND on p2p links, it could discover the DA for a > > packet is not present and generate a DU for it.) > > You can induce this trivially with a /128 host route to 2001:db8::baa > via 2001:db8::f00 (or via its LL address). > > I just tested this on a Windows machine, with the innocent victim being > a Linux machine. TL;DR: The result was silent discard. > > Here's what happens in detail. I slightly obscured the GUA prefix: > > 1. No route installed, just sending a bogus ping: > > C:\windows\system32>ping 2406:e007:59ce:1::f00 > > Pinging 2406:e007:59ce:1::f00 with 32 bytes of data: > Destination host unreachable. > > (In this case there was a failed Neighbor Discovery, of course.) > > 2. Install a host route via the GUA of the target: > > C:\windows\system32>route add 2406:e007:59ce:1::f00/128 2406:e007:59ce:1:5967:affa:3750:b289 > OK! > > C:\windows\system32>ping 2406:e007:59ce:1::f00 > > Pinging 2406:e007:59ce:1::f00 with 32 bytes of data: > Request timed out. > > 3. Replace that with a host route via the LLA of the target: > > C:\windows\system32>route delete 2406:e007:59ce:1::f00/128 2406:e007:59ce:1:5967:affa:3750:b289 > OK! > > C:\windows\system32>route add 2406:e007:59ce:1::f00/128 fe80::9051:543a:4c9e:e93e > OK! > > C:\windows\system32>ping 2406:e007:59ce:1::f00 > > Pinging 2406:e007:59ce:1::f00 with 32 bytes of data: > Request timed out. > > I checked with WireShark, and the ICMP Echo Request messages were definitely > sent to 2406:e007:59ce:1::f00 at the MAC address of the host known as > 2406:e007:59ce:1:5967:affa:3750:b289 or fe80::9051:543a:4c9e:e93e, and > there were no reply packets. > > Brian > >
- ICMPv6 question Templin, Fred L
- RE: ICMPv6 question Manfredi, Albert E
- RE: ICMPv6 question Templin, Fred L
- RE: ICMPv6 question Manfredi, Albert E
- Re: ICMPv6 question Mark Smith
- Re: ICMPv6 question Brian E Carpenter
- RE: ICMPv6 question Templin, Fred L
- Re: ICMPv6 question Alexandre Petrescu
- RE: ICMPv6 question Templin, Fred L
- Re: ICMPv6 question james woodyatt
- Re: ICMPv6 question Mark Andrews