Page MenuHomeFreeBSD
Differential D55885

ndp: don't send unsolicited NA for multicast address
ClosedPublic
Actions

Authored by pouria on Mon, Mar 16, 9:00 PM.

Details

Reviewers
glebius
bz
adrian
zlei
Group Reviewers
network
Commits
rG7b9bb32d1cc6: ndp: don't send unsolicited NA for multicast address
Summary

During link-layer address change event, don't send unsolicited
NA for multicast and linklocal addresses.

Test Plan

Run:

kyua test -k /usr/tests/Kyuafile sys/netinet6

or simply change mac address of your interface:

ifconfig vtnet0 ether 11:22:33:44:55:66

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

pouria created this revision.Mon, Mar 16, 9:00 PM
Herald added subscribers: melifaro, ae, imp. · View Herald TranscriptMon, Mar 16, 9:00 PM
pouria requested review of this revision.Mon, Mar 16, 9:00 PM
Harbormaster completed remote builds in B71434: Diff 173770.Mon, Mar 16, 9:00 PM
pouria added a comment.EditedMon, Mar 16, 10:09 PM

This change also fixes a panic produced in main from kyua tests.

[root@ftsr1] [~] # kyua --config /usr/local/etc/kyua.conf test -k /usr/tests/Kyuafile sys/net
Results file id is usr_tests.20260316-214508-051017
Results saved to /root/.kyua/store/results.usr_tests.20260316-214508-051017.db

139/147 passed (0 broken, 2 failed, 6 skipped)
[root@ftsr1] [~] # kyua --config /usr/local/etc/kyua.conf test -k /usr/tests/Kyuafile sys/netinet6
Results file id is usr_tests.20260316-222610-373655
Results saved to /root/.kyua/store/results.usr_tests.20260316-222610-373655.db

83/84 passed (0 broken, 0 failed, 1 skipped)
adrian accepted this revision as: adrian.Tue, Mar 17, 1:56 AM
This revision is now accepted and ready to land.Tue, Mar 17, 1:56 AM
zlei added a subscriber: zlei.Tue, Mar 17, 2:25 AM
zlei added inline comments.
sys/netinet6/nd6.c
243

I think it is right to not send unsolicited NA for multicast address, but I expect the opposite for linklocal address.

My local test show no unsolicited NA sent for linklocal address, hence the peer get stale ndp entry and can not reach after the ether address changed. That appears wrong to me.

pouria added a comment.Tue, Mar 17, 7:10 AM

In addition to comments:
If you check the pcap during grand, you'll see the grand itself will send its NA using link-local addresses.
Therefore, without GRAND, it should hint our NUD to update its NCE.
That is another reason for why our NUD is the problem not the GRAND.

Until I fix our NUD, I'll remove the link-local check for now.

sys/netinet6/nd6.c
243

I think it is right to not send unsolicited NA for multicast address, but I expect the opposite for linklocal address.

Thank you for your test.
This is actually also valid for link-local addresses, as defined in RFC9131:
It should be noted that the mechanism discussed in this document allows hosts to proactively inform their routers about global IPv6 addresses existing on-link.

My local test show no unsolicited NA sent for linklocal address, hence the peer get stale ndp entry and can not reach after the ether address changed. That appears wrong to me.

Ensuring whether the ndp cache is still valid or not is the job of NUD and as it's outlined in rfc9898, section 3.9:
GRAND eliminates the router forwarding delay, but it does not solve other Router-NCE-on-Demand issues.

So, the primarily issue is forwarding delay from receive path.
The GRAND by nature is a performance optimization mostly targeted on global scoped addresses.

However, as you have already found out through your tests, our NUD implementation is not robust enough to detect such changes and may remain stuck in STALE for a long time.
Therefore, I'll remove this link-local check for now, but after optimizing the NUD implementation, we may want to avoid sending grand for link-local addresses eventually.

pouria updated this revision to Diff 173791.Tue, Mar 17, 7:11 AM

Remove link-local check

This revision now requires review to proceed.Tue, Mar 17, 7:11 AM
Harbormaster completed remote builds in B71450: Diff 173791.Tue, Mar 17, 7:11 AM
pouria added a reviewer: zlei.Tue, Mar 17, 8:16 AM
pouria marked an inline comment as done.Tue, Mar 17, 8:25 AM
zlei accepted this revision as: zlei.Tue, Mar 17, 8:43 AM

The link-local check here is also redundant. You have already checked the scope of the address in nd6_grand_start(). So if the address is global one, it must not be a link-local one.

nd6_grand_start(struct ifaddr *ifa, uint32_t flags)
{
...
        /* Check if new address is global */
        if ((flags & ND6_QUEUE_FLAG_NEWGUA) != 0 &&
            in6_addrscope(IFA_IN6(ifa)) != IPV6_ADDR_SCOPE_GLOBAL)
                return;
...
}
This revision is now accepted and ready to land.Tue, Mar 17, 8:43 AM
pouria added a comment.Tue, Mar 17, 8:45 AM
In D55885#1278782, @zlei wrote:

The link-local check here is also redundant. You have already checked the scope of the address in nd6_grand_start(). So if the address is global one, it must not be a link-local one.

nd6_grand_start(struct ifaddr *ifa, uint32_t flags)
{
...
        /* Check if new address is global */
        if ((flags & ND6_QUEUE_FLAG_NEWGUA) != 0 &&
            in6_addrscope(IFA_IN6(ifa)) != IPV6_ADDR_SCOPE_GLOBAL)
                return;
...
}

You're right! what a brain glitch!
Thank you!

pouria added a comment.EditedTue, Mar 17, 8:51 AM
In D55885#1278785, @pouria wrote:
In D55885#1278782, @zlei wrote:

The link-local check here is also redundant. You have already checked the scope of the address in nd6_grand_start(). So if the address is global one, it must not be a link-local one.

nd6_grand_start(struct ifaddr *ifa, uint32_t flags)
{
...
        /* Check if new address is global */
        if ((flags & ND6_QUEUE_FLAG_NEWGUA) != 0 &&
            in6_addrscope(IFA_IN6(ifa)) != IPV6_ADDR_SCOPE_GLOBAL)
                return;
...
}

You're right! what a brain glitch!
Thank you!

Oh no, I reacted too fast, this shows I don't trust my own memory :)
This check only applies for new address event, not link-layer address change.

Closed by commit rG7b9bb32d1cc6: ndp: don't send unsolicited NA for multicast address (authored by pouria). · Explain WhyTue, Mar 17, 8:52 AM
This revision was automatically updated to reflect the committed changes.
pouria added a commit: rG7b9bb32d1cc6: ndp: don't send unsolicited NA for multicast address.
zlei added a comment.Tue, Mar 17, 9:24 AM
In D55885#1278789, @pouria wrote:
In D55885#1278785, @pouria wrote:
In D55885#1278782, @zlei wrote:

The link-local check here is also redundant. You have already checked the scope of the address in nd6_grand_start(). So if the address is global one, it must not be a link-local one.

nd6_grand_start(struct ifaddr *ifa, uint32_t flags)
{
...
        /* Check if new address is global */
        if ((flags & ND6_QUEUE_FLAG_NEWGUA) != 0 &&
            in6_addrscope(IFA_IN6(ifa)) != IPV6_ADDR_SCOPE_GLOBAL)
                return;
...
}

You're right! what a brain glitch!
Thank you!

Oh no, I reacted too fast, this shows I don't trust my own memory :)
This check only applies for new address event, not link-layer address change.

Obviously I missed ND6_QUEUE_FLAG_NEWGUA ;)

Revision Contents
Changeset List

PathSize
sys/
netinet6/
3 lines

Diff 173796

View Options

sys/netinet6/nd6.c

Loading...