Re: ICMPv6 question
Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 01 September 2017 01:20 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C379132F0E for <ipv6@ietfa.amsl.com>; Thu, 31 Aug 2017 18:20:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RcN6akklG6kt for <ipv6@ietfa.amsl.com>; Thu, 31 Aug 2017 18:20:38 -0700 (PDT)
Received: from mail-pg0-x236.google.com (mail-pg0-x236.google.com [IPv6:2607:f8b0:400e:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1B3C133087 for <ipv6@ietf.org>; Thu, 31 Aug 2017 18:20:38 -0700 (PDT)
Received: by mail-pg0-x236.google.com with SMTP id b8so3679088pgn.5 for <ipv6@ietf.org>; Thu, 31 Aug 2017 18:20:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=1pvYP3Y+8nEWP2HIs/alCGS97jWO0nrcgvBMG747oZA=; b=m1Ak0xjLH0zL0/EjKUHD9crvNLZgl0MSJxNuhtDfTeWjeRyEoofBGPvcy6Ar4G4Rvx gxthb8vv0BRAod9hdwZbsFOJ9lKfV9RK9xZv5KLZAKSjDpd1ZoObmt5KmF07kRPlFzD8 0WgnupiPKNwK2iB+HTbodwVrQBmnA+FNndEbbsaf97x5S3rrfWw2GUtd5lcdZTmSCgiG BAhV5eOo/zJ4VS7l36wN47K5jZgUAJ2XAt7Eu5KcI0sTCiQ7hymAdLw93oxdBIPqg0fT ggP2HyQigP+Dq9biNCN19f/c76I2Zb7HwmbF967wIeqCgnRMiyqB8gVxnf2SfWjtbD8Z OYug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=1pvYP3Y+8nEWP2HIs/alCGS97jWO0nrcgvBMG747oZA=; b=HJNIqpcsZzWSvSQoiWHuvlMsvyPcIDveyp5zSTPIwhCrWnM7eUKD3qbkqZ6zlbqO+B hY6KtHcxR72Xbi+qkyqdhYO9PJyGaYT24Nqdg7Wu1AoNaxGRi1SzUMkR7SQjLuQAe6DB 3t3WCnSXhLkE1VtCwIL9v6iVKax0t9oIry/1RvyXanhVcEmoFY1sQEMRd513G1RKmEE4 NkJdtf2XEqORx1GvVCF4AdcGs6J8J+djlZTFFYmi09L/1rtlH8aJZH2XV+k1FIoacnHq Nm6bQq+48ACqVE3C20FBWzmPDLi6d06qxsQ8+EoXVmI3SsqOJ7WLJl/p/sJN/TvH+UD3 0p9Q==
X-Gm-Message-State: AHPjjUjhhZysdOG00kkaSxS+IYFCITjfyTa6Ikt7dLMnx86qgTRvez3j BI8d4s5fuPVlKFUo
X-Google-Smtp-Source: ADKCNb6CSm7M7OaYLE2OVy7DqDOaPbl1X9FxuULxBG2L+WEJEFhqSHt+aG6wcQYWJQvTaR8WDtc1dQ==
X-Received: by 10.98.211.91 with SMTP id q88mr412818pfg.105.1504228837297; Thu, 31 Aug 2017 18:20:37 -0700 (PDT)
Received: from ?IPv6:2406:e007:5c9e:1:28cc:dc4c:9703:6781? ([2406:e007:5c9e:1:28cc:dc4c:9703:6781]) by smtp.gmail.com with ESMTPSA id a15sm1102076pfl.1.2017.08.31.18.20.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 31 Aug 2017 18:20:36 -0700 (PDT)
Subject: Re: ICMPv6 question
To: Mark Smith <markzzzsmith@gmail.com>, "Templin, Fred L" <Fred.L.Templin@boeing.com>
Cc: 6man WG <ipv6@ietf.org>
References: <952aab1a2c824a79b98a3f9d2b3a473a@XCH15-06-08.nw.nos.boeing.com> <CAO42Z2xYD-aQAQjFFFh2=iqF42izQw30NnTLPWAvpivFBGPkpg@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <862b7558-f0e5-93c9-8d93-b740af0ced6a@gmail.com>
Date: Fri, 01 Sep 2017 13:20:41 +1200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <CAO42Z2xYD-aQAQjFFFh2=iqF42izQw30NnTLPWAvpivFBGPkpg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/PneaRpMgKUBd8WVgIbgtG2voars>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Sep 2017 01:20:40 -0000
On 01/09/2017 12:26, Mark Smith wrote: > 2001:db8::f00 > > On 1 September 2017 at 09:07, Templin, Fred L <Fred.L.Templin@boeing.com> wrote: >> I have a question. If an IPV6 host with address 2001:db8::f00 assigned to an interface >> receives a packet with destination address 2001:db8::baa over that interface, what >> should it do? Drop the packet silently, or drop and return an ICMPv6 Destination >> Unreachable? >> > > Hmm, at face value it appears to be a simple question and the answer > would be DU. > > Looking at RFC4443, it limits generation of DUs to routers or the > packet source host: > > "A Destination Unreachable message SHOULD be generated by a router, or > by the IPv6 layer in the originating node, in response to a packet > that cannot be delivered to its destination address for reasons other > than congestion. (An ICMPv6 message MUST NOT be generated if a > packet is dropped due to congestion.)A Destination Unreachable > message SHOULD be generated by a router, or > by the IPv6 layer in the originating node, in response to a packet > that cannot be delivered to its destination address for reasons other > than congestion. (An ICMPv6 message MUST NOT be generated if a > packet is dropped due to congestion.)" > > > Per RFC8200 (a.k.a. new RFC2460), we have these definitions for a > router and a host > > router a node that forwards IPv6 packets not explicitly > addressed to itself. (See Note below.) > > host any node that is not a router. (See Note below.) > > > > A host is therefore to ignore "IPv6 packets not explicitly addressed > to itself", which I think means a host does not generate a DU for > misdirected packets. > > > I was wondering about how this could happen and I think there could be > two possible causes, > > - incorrect ND cache entry for 2001:db8::baa2001:db8::baa, somehow > with the link layer address of 2001:db8::f00 > > - host attached to one end of a point-to-point link, and the upstream > device (likely router) is blindly forwarding packets over the p2p link > assuming the destination is at the other end rather than performing ND > to discover and continue to verify the presence of the specific > addresses at the other end of the link (That's why I think ND should > be performed on p2p links. Even a /127 configured on one end of the > link doesn't guarantee the other address within the /127 is present. > If a router performed ND on p2p links, it could discover the DA for a > packet is not present and generate a DU for it.) You can induce this trivially with a /128 host route to 2001:db8::baa via 2001:db8::f00 (or via its LL address). I just tested this on a Windows machine, with the innocent victim being a Linux machine. TL;DR: The result was silent discard. Here's what happens in detail. I slightly obscured the GUA prefix: 1. No route installed, just sending a bogus ping: C:\windows\system32>ping 2406:e007:59ce:1::f00 Pinging 2406:e007:59ce:1::f00 with 32 bytes of data: Destination host unreachable. (In this case there was a failed Neighbor Discovery, of course.) 2. Install a host route via the GUA of the target: C:\windows\system32>route add 2406:e007:59ce:1::f00/128 2406:e007:59ce:1:5967:affa:3750:b289 OK! C:\windows\system32>ping 2406:e007:59ce:1::f00 Pinging 2406:e007:59ce:1::f00 with 32 bytes of data: Request timed out. 3. Replace that with a host route via the LLA of the target: C:\windows\system32>route delete 2406:e007:59ce:1::f00/128 2406:e007:59ce:1:5967:affa:3750:b289 OK! C:\windows\system32>route add 2406:e007:59ce:1::f00/128 fe80::9051:543a:4c9e:e93e OK! C:\windows\system32>ping 2406:e007:59ce:1::f00 Pinging 2406:e007:59ce:1::f00 with 32 bytes of data: Request timed out. I checked with WireShark, and the ICMP Echo Request messages were definitely sent to 2406:e007:59ce:1::f00 at the MAC address of the host known as 2406:e007:59ce:1:5967:affa:3750:b289 or fe80::9051:543a:4c9e:e93e, and there were no reply packets. Brian
- ICMPv6 question Templin, Fred L
- RE: ICMPv6 question Manfredi, Albert E
- RE: ICMPv6 question Templin, Fred L
- RE: ICMPv6 question Manfredi, Albert E
- Re: ICMPv6 question Mark Smith
- Re: ICMPv6 question Brian E Carpenter
- RE: ICMPv6 question Templin, Fred L
- Re: ICMPv6 question Alexandre Petrescu
- RE: ICMPv6 question Templin, Fred L
- Re: ICMPv6 question james woodyatt
- Re: ICMPv6 question Mark Andrews