On Mon, 20 Aug 2001, Kurt Roeckx wrote:
> On Sat, Jul 07, 2001 at 10:04:19AM +0300, Pekka Savola wrote:
> > On Sat, 7 Jul 2001, Kurt Roeckx wrote:
> > > Jul 5 19:05:51 thunderbird kernel: ICMP NDISC: fake message with
> > > non-255 Hop Limit received: 249
> >
> > The specs require that all IPv6 neighbour discovery messages MUST be
> > originated in the same network. In your case, you're getting these
> > messages from over the Internet.
>
> It says that any node should silently drop any with a hop
> different than 255. It seems Linux is the only one that drops it,
> although not silently.
Dropping silently in RFC context means not sending any ICMP errors, or
anything like that about dropped packets. Logging is a policy issue.
In the long term, a lot of these messages can be moved to just counters,
but this way bugs in implementations (our own too :-) and erroneous
setups are more easily detected.
> It suddenly got very bad. I already have 44K of those packets in
> the log.
>
> They look like this:
>
> 12:15:29.332636 3ffe:8100:100:a::71d > 3ffe:80c0:220::b: icmp6:
> neighbor sol: who has 3ffe:80c0:220::b (len 24, hlim 251)
>
> This box I'm on only has 1 tunnel, and it's a /128. The user
> from this packet is a tunnel broker user, which also has a /128.
> All hosts between me and that users cisco router are running
> FreeBSD, afaik.
It appears to me that the system on '3ffe:8100:100:a::71d' has a very
hosed setup/implementation, or is performing some tests or something.
> From what I understand, all hosts in between should have dropped
> that packet for 2 reasons:
>
> - The hop != 255
Yes.
> - It's not a multicast address. It should have sent a packet
> to ff02::1:0:b
Not necessarily. Address resolution, for example, uses multicast (the most
common scenario), but e.g. neighbor unreachability detection (NUD) uses
unicast.
Still, NUD should only be performed with your physical neighbors, not
across the Internet.
See RFC2462 7.1.1 and 4.3.
> I tried to contact the end users, but none of them replied yet.
> Do you have any question you would like me to ask them?
- which implementation they are using (appears to be clearly wrong; tried
updating?)
- which implementation their ipv6 router is using
- are they just testing something (intentional bad packets) or not
- traceroute to your address
- what's their network setup
(It could be that, for some odd reason, the implementation thought all
addresses were on-link, as MUST be the case if there are no IPv6
routers present, and the packets were still, by some mechanism,
relayed to the Internet.)
HTH.
--
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                     not those you stumble over and fall"
Systems. Networks. Security.   -- Robert Jordan: A Crown of Swords
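The receiver-side checks discussed in this thread (hop limit must be 255, code 0, at least 24 octets, target not multicast, plus the option and unspecified-source rules from RFC 2461 section 7.1.1) can be shown end to end on the quoted packet. The following is an added example, not code from this thread or from the Linux kernel: it builds a constructed IPv6 + ICMPv6 Neighbor Solicitation from the addresses and hop limit in the quoted tcpdump line (3ffe:8100:100:a::71d to 3ffe:80c0:220::b, hlim 251, checksum left at zero), runs the validation over it, and reproduces the wording of the kernel log line quoted at the top. The packet builder, the validator and the log helper are toy structures written for this illustration; the solicited-node multicast computation follows RFC 4291.

```python
"""RFC 2461 section 7.1.1 style validation of an ICMPv6 Neighbor Solicitation.

Added example for the thread above; not the Linux ndisc code.  Packets are
constructed inline from the addresses quoted in the thread.
"""
import ipaddress
import struct

ICMPV6_NS = 135          # Neighbor Solicitation type
NEXT_HEADER_ICMPV6 = 58
OPT_SOURCE_LLADDR = 1    # Source Link-Layer Address option type

# Taken from the tcpdump line quoted in the thread.
THREAD_SRC = "3ffe:8100:100:a::71d"
THREAD_DST = "3ffe:80c0:220::b"
THREAD_HLIM = 251


def build_ns_packet(src, dst, target, hop_limit, options=b""):
    """Constructed IPv6 header followed by an ICMPv6 NS; no extension headers,
    checksum left zero because the checks below are header checks only."""
    icmp = struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0)  # type, code, checksum, reserved
    icmp += ipaddress.IPv6Address(target).packed + options
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), NEXT_HEADER_ICMPV6, hop_limit)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return ip6 + icmp


def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX where XX:XXXX are the low 24 bits of addr (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def validate_neighbor_solicitation(packet):
    """Return the list of section 7.1.1 checks the NS fails (empty list = accept)."""
    if len(packet) < 40:
        return ["truncated IPv6 header"]
    ver_tc_fl, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    if ver_tc_fl >> 28 != 6:
        return ["not IPv6"]
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    icmp = packet[40:40 + payload_len]
    if next_hdr != NEXT_HEADER_ICMPV6 or len(icmp) < 24:
        return ["not an ICMPv6 message of at least 24 octets"]
    if icmp[0] != ICMPV6_NS:
        return ["not a Neighbor Solicitation"]
    target = ipaddress.IPv6Address(icmp[8:24])

    errors = []
    # The check behind the kernel log line in the thread: an NS that crossed a
    # router cannot still carry hop limit 255, so it cannot come from a neighbor.
    if hop_limit != 255:
        errors.append(f"hop limit {hop_limit} != 255")
    if icmp[1] != 0:
        errors.append("ICMP code != 0")
    if target.is_multicast:
        errors.append("target address is multicast")
    unspecified_src = src == ipaddress.IPv6Address("::")
    if unspecified_src and dst != solicited_node_multicast(target):
        errors.append("unspecified source but destination is not the solicited-node multicast address")
    # Walk the TLV options: each needs a non-zero length, and a DAD probe
    # (unspecified source) must not carry a source link-layer address option.
    offset = 24
    while offset < len(icmp):
        if len(icmp) - offset < 2 or icmp[offset + 1] == 0:
            errors.append("malformed option (short or zero length)")
            break
        if unspecified_src and icmp[offset] == OPT_SOURCE_LLADDR:
            errors.append("source link-layer address option with unspecified source")
        offset += icmp[offset + 1] * 8
    return errors


def kernel_style_log(packet):
    """Wording of the Linux message quoted at the top of the thread, or None when
    the hop limit check passes (the hop limit is octet 7 of the IPv6 header)."""
    hop_limit = packet[7]
    if hop_limit == 255:
        return None
    return f"ICMP NDISC: fake message with non-255 Hop Limit received: {hop_limit}"


if __name__ == "__main__":
    pkt = build_ns_packet(THREAD_SRC, THREAD_DST, THREAD_DST, THREAD_HLIM)
    print(validate_neighbor_solicitation(pkt))
    print(kernel_style_log(pkt))
    print("solicited-node address for the target:", solicited_node_multicast(THREAD_DST))
```

Run stand-alone, the script reports the hop-limit failure for the quoted packet and prints the solicited-node group that an address-resolution NS for 3ffe:80c0:220::b would be sent to; the same validator accepts the packet once the hop limit is 255 and flags a DAD probe that carries a source link-layer address option.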