Re: bridge is not forwaring ICMP6 neighbor solicitation to KVM guest

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Jan,

On Mon, Mar 03, 2014 at 05:45:49PM -0500, Jan Stancek wrote:
> There is also bridge on host B. I assume that doesn't matter
> but I could set up host B without bridge if needed.

It can matter, but in this case it doesn't :).

> > What I'm curious about is, whether the guest receives
> > the MLD query and responds with an MLD report. I suspect that
> > either the bridge doesn't get an MLD report and therefore is
> > shutting down the according port or there's a bug in parsing the
> > MLD report in the bridge code.
> 
> I'm no expert in this area, but shouldn't neigh. solicit packets
> be forwarded to all ports regardless of any/no MLD reports?

That's the beauty of IPv6 Neighbor Discovery using these neat
solicited-node multicast addresses :). With IPv4 and ARP
requests there's no other way than flooding. But for IPv6 we know
in advance behind which bridge port someone interested in the
neighbor solicitation message might be (assuming MLD is working,
properly), allowing us to save bandwidth.

In this case, MLD is not working properly, the main issue is the
following:

Host B sends broken MLD queries, the source address should be an
IPv6 link-local one, not "100:0:600:0:78fb:100::". MLDv2 mandates
this (see RFC3810, section 5.1.14.: "Source Addresses for
Queries").

Though I couldn't find that requirement for MLDv1, Linux ignores
MLDv1 queries with a non-link-local source address, too (see
net/ipv6/mcast.c, igmp6_event_query() ). So Linux never sends an
MLD report in reply to these broken queries.


The second "minor" but in this case fatal issue is, that the
bridge code doesn't have this link-local-src check, therefore
kicking the snooping into gear even though it shouldn't because we
don't have a _working_ querier.

I'm going to make a patch for the bridge code adding this sanity
check.


For the broken query, ok, it's your manually crafted query. But
did you see a query with such a bogus source address "in the
wild", too? (I'm curious how urgent this sanity check is)

Cheers, Linus

Attachment: signature.asc
Description: Digital signature


[Index of Archives]     [Linux Kernel Discussion]     [TCP Instrumentation]     [Ethernet Bridging]     [Linux Wireless Networking]     [Linux WPAN Networking]     [Linux Host AP]     [Linux WPAN Networking]     [Linux Bluetooth Networking]     [Linux ATH6KL Networking]     [Linux Networking Users]     [Linux Coverity]     [VLAN]     [Git]     [IETF Annouce]     [Linux Assembly]     [Security]     [Bugtraq]     [Yosemite Information]     [MIPS Linux]     [ARM Linux Kernel]     [ARM Linux]     [Linux Virtualization]     [Linux IDE]     [Linux RAID]     [Linux SCSI]