Bug #16572: IPv6 Link Local address does not respond to Neighbor Solicitation from non-LL addresses by default - pfSense - pfSense bugtracker

Custom queries

2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - Resolved/Closed
2.8.1 - Resolved/Closed
2.9.0 - All Open Bugs
2.9.0 - All Open Features
2.9.0 - All Open Issues
2.9.0 - All Open Regressions
2.9.0 - Feedback
2.9.0 - Needs Attention
2.9.0 - New/Confirmed
2.9.0 - Pull Requests
2.9.0 - Regressions affecting 2.9.0
2.9.0 - Resolved/Closed
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Target - All Closed Issues
25.07 Plus - All Closed Issues
25.07 Target - All Closed Issues
25.11 Plus - All Closed Issues
25.11 Plus - All Open Issues
25.11 Plus - Feedback Issues
25.11 Plus - Needs Attention/Work
25.11 Plus - New/Confirmed/In Progress Issues
25.11 Plus - Pull Request Review
25.11 Plus - Waiting on Merge
25.11 Target - All Closed Issues
25.11 Target - All Open Issues
26.03 Target - All Closed Issues
26.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - CE Target Version (DO NOT EDIT)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #16572

closed

IPv6 Link Local address does not respond to Neighbor Solicitation from non-LL addresses by default

Added by Jamie Cooper 5 days ago. Updated 2 days ago.

Status:

Not a Bug

Priority:

Normal

Assignee:

Category:

Interfaces

Target version:

Start date:

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Default

Affected Version:

2.8.1

Affected Architecture:

Description

ISPs using Juniper Layer 2 liveness detection use ND packets sent to the link local address to check the host is live. By default, the pfSense box does not respond to this. After the timer expires on the ISP end (300 seconds), the Juniper device removes the mapping.
As per RFC4861, these should be responded to.

Workaround¶

Add the following system tuneable: net.inet6.icmp6.nd6_onlink_ns_rfc4861 as value 1.

Fix¶

By default, this tunable should be enabled. I don't see a reason why NDs should be ignored.

History
Notes
Property changes

Actions

Copy link

Updated by Kris Phillips 4 days ago

Status changed from New to Confirmed

Not sure if there is a reason behind this being turned off by default, but I can confirm this tunable is disabled on 25.11-RELEASE.

Actions

Copy link

Updated by Matt Dombrowski 3 days ago

The 'default' ruleset on a CE 2.8.1-RELEASE system appears to pass inbound Neighbor Solicitation messages in accordance with RFC 6434, § 5.2 (i.e., "[ . . . ] all nodes MUST respond to unicast Neighbor Solicitation (NS) messages.) The relevant rules have ridentifiers 1000000107, 1000000110, and 1000000111 on the system I'm looking at. I can also see that this particular system is actually responding to inbound NS messages via a positive "State Creation" counter for ridentifier 1000000107.

The tunable net.inet6.icmp6.nd6_onlink_ns_rfc4861 on this same system is set to 0. A reason for the apparent default of 0 may be related to this (very old) Security Advisory: https://www.freebsd.org/security/advisories/FreeBSD-SA-08:10.nd6.asc.

Could you provide a trace showing this traffic so that the packets the Juniper devices are generating can be inspected? They might be utilizing a globally routable address as the source address, but destined for the pfSense WAN interface's link-local address—which the state-policy of the 'default' rules being set to if-bound may be interfering with.

Actions

Copy link

Updated by Jamie Cooper 3 days ago

Matt Dombrowski wrote in #note-2:

The 'default' ruleset on a CE 2.8.1-RELEASE system appears to pass inbound Neighbor Solicitation messages in accordance with RFC 6434, § 5.2 (i.e., "[ . . . ] all nodes MUST respond to unicast Neighbor Solicitation (NS) messages.) The relevant rules have ridentifiers 1000000107, 1000000110, and 1000000111 on the system I'm looking at. I can also see that this particular system is actually responding to inbound NS messages via a positive "State Creation" counter for ridentifier 1000000107.

The tunable net.inet6.icmp6.nd6_onlink_ns_rfc4861 on this same system is set to 0. A reason for the apparent default of 0 may be related to this (very old) Security Advisory: https://www.freebsd.org/security/advisories/FreeBSD-SA-08:10.nd6.asc.

Could you provide a trace showing this traffic so that the packets the Juniper devices are generating can be inspected? They might be utilizing a globally routable address as the source address, but destined for the pfSense WAN interface's link-local address—which the state-policy of the 'default' rules being set to if-bound may be interfering with.

Yes you are fully correct, the source address is a globally routable address and the destination is the link local address. I have a large PCAP that I can attach via Google Drive if that is allowed?
Let me know if there is any more info you need.

Actions

Copy link

Updated by Matt Dombrowski 2 days ago

For the record, I have no affiliation with Netgate, so this is all merely advice from a fellow CE user. But my guess would be that the tunable net.inet6.icmp6.nd6_onlink_ns_rfc4861 being set to 1 is, in fact, one possible 'official' workaround and fix for this specific use case.

You might also alternatively be able to—instead of modifying the tunable—pass this traffic by crafting a firewall rule on the WAN interface, strictly permitting only the Juniper device/s' NS messages sent from its/their known global unicast addresses to the WAN interface's link-local address explicitly (as opposed to fe80::/10), and setting the state-policy to floating. If this works, it'd be a much more visible and 'least-privileged' approach.

Actions

Copy link

Updated by Marcos M 2 days ago

Status changed from Confirmed to Rejected

The ISP should be using the LL address as the source for its NS messages. If the tunable default changes upstream and/or its shown to be secure, then it can be reconsidered.

Also see:
https://cgit.freebsd.org/src/tree/sys/netinet6/nd6_nbr.c#n196

According to recent IETF discussions, it is not a good idea to accept a NS from an address which would not be deemed to be a neighbor otherwise.

and:
https://redmine.pfsense.org/issues/16146

Actions

Copy link

Updated by Marcos M 2 days ago

Status changed from Rejected to Not a Bug

Actions

Copy link

Updated by Jim Pingle 2 days ago

Subject changed from IPv6 Link Local address on WAN interface does not respond to Neighbour Solicitation by default to IPv6 Link Local address does not respond to Neighbor Solicitation from non-LL addresses by default

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #16572

IPv6 Link Local address does not respond to Neighbor Solicitation from non-LL addresses by default

Workaround¶

Fix¶

Updated by Kris Phillips 4 days ago

Updated by Matt Dombrowski 3 days ago

Updated by Jamie Cooper 3 days ago

Updated by Matt Dombrowski 2 days ago

Updated by Marcos M 2 days ago

Updated by Marcos M 2 days ago

Updated by Jim Pingle 2 days ago