Project

General

Profile

Actions
Copy link

Bug #16572

closed

IPv6 Link Local address does not respond to Neighbor Solicitation from non-LL addresses by default

Added by Jamie Cooper 4 days ago. Updated about 10 hours ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
Interfaces
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.8.1
Affected Architecture:

Description

ISPs using Juniper Layer 2 liveness detection use ND packets sent to the link local address to check the host is live. By default, the pfSense box does not respond to this. After the timer expires on the ISP end (300 seconds), the Juniper device removes the mapping.
As per RFC4861, these should be responded to.

Workaround

Add the following system tuneable: net.inet6.icmp6.nd6_onlink_ns_rfc4861 as value 1.

Fix

By default, this tunable should be enabled. I don't see a reason why NDs should be ignored.

Actions
Copy link
 #1

Updated by Kris Phillips 3 days ago

  • Status changed from New to Confirmed

Not sure if there is a reason behind this being turned off by default, but I can confirm this tunable is disabled on 25.11-RELEASE.

Actions
Copy link
 #2

Updated by Matt Dombrowski 1 day ago

The 'default' ruleset on a CE 2.8.1-RELEASE system appears to pass inbound Neighbor Solicitation messages in accordance with RFC 6434, § 5.2 (i.e., "[ . . . ] all nodes MUST respond to unicast Neighbor Solicitation (NS) messages.) The relevant rules have ridentifiers 1000000107, 1000000110, and 1000000111 on the system I'm looking at. I can also see that this particular system is actually responding to inbound NS messages via a positive "State Creation" counter for ridentifier 1000000107.

The tunable net.inet6.icmp6.nd6_onlink_ns_rfc4861 on this same system is set to 0. A reason for the apparent default of 0 may be related to this (very old) Security Advisory: https://www.freebsd.org/security/advisories/FreeBSD-SA-08:10.nd6.asc.

Could you provide a trace showing this traffic so that the packets the Juniper devices are generating can be inspected? They might be utilizing a globally routable address as the source address, but destined for the pfSense WAN interface's link-local address—which the state-policy of the 'default' rules being set to if-bound may be interfering with.

Actions
Copy link
 #3

Updated by Jamie Cooper 1 day ago

Matt Dombrowski wrote in #note-2:

The 'default' ruleset on a CE 2.8.1-RELEASE system appears to pass inbound Neighbor Solicitation messages in accordance with RFC 6434, § 5.2 (i.e., "[ . . . ] all nodes MUST respond to unicast Neighbor Solicitation (NS) messages.) The relevant rules have ridentifiers 1000000107, 1000000110, and 1000000111 on the system I'm looking at. I can also see that this particular system is actually responding to inbound NS messages via a positive "State Creation" counter for ridentifier 1000000107.

The tunable net.inet6.icmp6.nd6_onlink_ns_rfc4861 on this same system is set to 0. A reason for the apparent default of 0 may be related to this (very old) Security Advisory: https://www.freebsd.org/security/advisories/FreeBSD-SA-08:10.nd6.asc.

Could you provide a trace showing this traffic so that the packets the Juniper devices are generating can be inspected? They might be utilizing a globally routable address as the source address, but destined for the pfSense WAN interface's link-local address—which the state-policy of the 'default' rules being set to if-bound may be interfering with.

Yes you are fully correct, the source address is a globally routable address and the destination is the link local address. I have a large PCAP that I can attach via Google Drive if that is allowed?
Let me know if there is any more info you need.

Actions
Copy link
 #4

Updated by Matt Dombrowski about 10 hours ago

For the record, I have no affiliation with Netgate, so this is all merely advice from a fellow CE user. But my guess would be that the tunable net.inet6.icmp6.nd6_onlink_ns_rfc4861 being set to 1 is, in fact, one possible 'official' workaround and fix for this specific use case.

You might also alternatively be able to—instead of modifying the tunable—pass this traffic by crafting a firewall rule on the WAN interface, strictly permitting only the Juniper device/s' NS messages sent from its/their known global unicast addresses to the WAN interface's link-local address explicitly (as opposed to fe80::/10), and setting the state-policy to floating. If this works, it'd be a much more visible and 'least-privileged' approach.

Actions
Copy link
 #5

Updated by Marcos M about 10 hours ago

  • Status changed from Confirmed to Rejected

The ISP should be using the LL address as the source for its NS messages. If the tunable default changes upstream and/or its shown to be secure, then it can be reconsidered.

Also see:
https://cgit.freebsd.org/src/tree/sys/netinet6/nd6_nbr.c#n196

According to recent IETF discussions, it is not a good idea to accept a NS from an address which would not be deemed to be a neighbor otherwise.

and:
https://redmine.pfsense.org/issues/16146

Actions
Copy link
 #6

Updated by Marcos M about 10 hours ago

  • Status changed from Rejected to Not a Bug
Actions
Copy link
 #7

Updated by Jim Pingle about 10 hours ago

  • Subject changed from IPv6 Link Local address on WAN interface does not respond to Neighbour Solicitation by default to IPv6 Link Local address does not respond to Neighbor Solicitation from non-LL addresses by default
Actions
Copy link

Also available in: Atom PDF