On 2018-11-28 18:48, Stuart Henderson wrote:
> On 2018-11-27, Arnaud BRAND <arnaud.brand--obsd@tib.cc> wrote:
>> Good evening everyone,
>>
>> I am stuck with an IPv6 traceroute problem in an OSPFv3 environment.
>>
>> Long story short :
>> - IPv6 routes are propagated using OSPFv3
>> - so they are installed with link-local gateways in the fib
>> - ICMPv6 "time exceeded" packets are generated with link-local source address
>> - these packets are not to be routed so they do not get past the next hop
>> - the endpoint never receives the "time exceeded packets"
>>
>> This of course is only true if the router generating the icmp packet is
>> not the endpoint, but only a hop in the path.
>>
>> I checked the code (or at least tried to).
>> It seems like it's in function icmp6_reflect in file icmp6.c at lines 1144/1147.
>>
>> This code (if I understood it correctly) :
>> - fetches the route to the destination
>> - gets the interface source address for this route
>> - uses it as the source for the generated IP packet
>>
>> As my routes are installed with link-local addresses by OSPFv3, I get a
>> generated packet with a link local source-address.
>> The problem is when the destination is not on the local subnet : the
>> generated packet is unroutable and never makes it to its destination
>>
>> Would it be better to try to find another address on the interface that
>> is not link local if the destination address isn't on the interface subnets ?
>> Sadly, I can't provide a patch, sorry, I'm not that skilled in OpenBSD.
>>
>> I thought of a pf trickery like :
>> pass out quick inet6 proto icmp6 from fe80::/10 to any icmp6-type timex nat-to lo1
>> but that won't work because the generated packet itself will be matching
>> a state and this rule won't even be evaluated.
>>
>> Does anyone have an idea how I could get these icmp6 packets to reach
>> their destination ?
>>
>> Thanks for your help !
>> Arnaud
>>
>>
>
> Known problem, no known workaround. I tried hard to find a way to do
> this with PF but I don't think there is one.
>
> bluhm@ pointed out "pf with IPv6 link-local addresses does not
> work properly. I think it cannot parse the %if suffixes. The KAME hack
> scope id is not handled" in my previous thread on this
> (https://marc.info/?t=153875386500001&r=1&w=2).

Thanks Stuart !
God, I can't understand how I missed this one.
What are you guys using as a search engine to find these messages ?
I was looking at adding a call to in6_ifawithscope() after line 1144 in
icmp6_reflect.
Sadly I had no time to do it/test it today.
Don't you reckon this would/could work ?
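
Added example, not part of the thread and not OpenBSD kernel code: a userland model of scope-aware source selection (the scope preference of RFC 6724 rule 2), showing why a link-local source is wrong for an off-link destination when the interface also has a global address. `pick_source()` is a hypothetical helper and all addresses are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>

/* Scope values as used by RFC 6724: link-local = 0x2, global = 0xe. */
enum { SCOPE_LINKLOCAL = 0x2, SCOPE_GLOBAL = 0xe };

/* fe80::/10 is link-local; everything else is treated as global here. */
static int addr_scope(const struct in6_addr *a)
{
    if (a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80)
        return SCOPE_LINKLOCAL;
    return SCOPE_GLOBAL;
}

/*
 * pick_source() is a hypothetical helper, not a kernel function.
 * Returns the index in ifaddrs[] of the source address to use for dst,
 * or -1 if dst is unparsable or no candidate address parses.
 */
int pick_source(const char *const *ifaddrs, int n, const char *dst)
{
    struct in6_addr d, a;
    int i, s, dscope, best = -1, best_scope = 0;

    if (inet_pton(AF_INET6, dst, &d) != 1)
        return -1;
    dscope = addr_scope(&d);
    for (i = 0; i < n; i++) {
        if (inet_pton(AF_INET6, ifaddrs[i], &a) != 1)
            continue;                   /* skip unparsable entries */
        s = addr_scope(&a);
        if (best == -1 ||
            (best_scope < s && best_scope < dscope) || /* best cannot reach dst */
            (s < best_scope && s >= dscope)) {         /* narrower scope still reaches dst */
            best = i;
            best_scope = s;
        }
    }
    return best;
}

int main(void)
{
    /* Constructed addresses: one link-local, one documentation-prefix global. */
    const char *const ifaddrs[] = { "fe80::1", "2001:db8:1::1" };

    printf("off-link dst -> %s\n", ifaddrs[pick_source(ifaddrs, 2, "2001:db8:ffff::10")]);
    printf("on-link dst  -> %s\n", ifaddrs[pick_source(ifaddrs, 2, "fe80::2")]);
    return 0;
}
```

If the interface carries only a link-local address, the model still returns it for a global destination, which is the case where the error packet cannot be routed back.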