On 2016-10-06, Christian Weisgerber <[email protected]> wrote:
> Something is very broken at the intersection of IPv6, NDP, and IPsec
> in -current.
>
> Two hosts in the same LAN; all static addresses; yes I use iked -6.
> Here are the respective, trivial iked.conf files:
Actually, it is easier to examine this if you use manual flows and
SAs.
(When I started looking at this, I originally thought changes in
iked were to blame. It has become clear that iked doesn't have
anything to do with the problem, and the IKE negotiation and the
neighbor discovery traffic triggered by it only muddy the waters.)
I have compared the neighbor discovery exchanges of -current with
those of 6.0-stable. Let's call the hosts AAA and BBB. There are
two patterns:
(1)
global-AAA > ff02::xxxx: icmp6: neighbor sol: who has global-BBB
global-BBB > global-AAA: icmp6: neighbor adv: tgt is global-BBB
(2)
lladdr-AAA > ff02::xxxx: icmp6: neighbor sol: who has global-BBB
lladdr-BBB > lladdr-AAA: icmp6: neighbor adv: tgt is global-BBB
In (1), the global addresses are used as the source addresses.
In (2), the link-local addresses are used as the source addresses.
And here's an overview of which neighbor discovery exchange is used
by 6.0-stable and -current, respectively, with and without IPsec
flows:
            | no flows     | flows
            |              | established
------------+--------------+-------------
6.0-stable  | (1) global   | (2) local
------------+--------------+-------------
-current    | (2) local    | (1) global
------------+--------------+-------------
Somehow the behavior got flipped in -current.
--
Christian "naddy" Weisgerber [email protected]
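As an added example (not part of the original post and not OpenBSD's own code): a small Python classifier that parses tcpdump-style neighbor solicitation/advertisement lines of the shape shown in the post and reports whether an exchange follows pattern (1), global source addresses, or pattern (2), link-local source addresses, so a capture can be sorted into the table's cells mechanically. The sample lines and addresses are constructed placeholders (2001:db8::/32 and fe80::/64), and the solicited-node multicast check (RFC 4291 section 2.7.1) is an extra sanity test of my own, not something the post discusses.

```python
import ipaddress
import re

# Constructed tcpdump-style lines in the two shapes the post describes,
# using placeholder addresses (2001:db8::/32 documentation space and
# fe80::/64 link-locals), not captures from the original hosts.
SAMPLE_GLOBAL = [  # pattern (1): global source addresses
    "2001:db8:1::a > ff02::1:ff00:b: icmp6: neighbor sol: who has 2001:db8:1::b",
    "2001:db8:1::b > 2001:db8:1::a: icmp6: neighbor adv: tgt is 2001:db8:1::b",
]
SAMPLE_LOCAL = [   # pattern (2): link-local source addresses
    "fe80::1 > ff02::1:ff00:b: icmp6: neighbor sol: who has 2001:db8:1::b",
    "fe80::2 > fe80::1: icmp6: neighbor adv: tgt is 2001:db8:1::b",
]

# Matches "SRC > DST: icmp6: neighbor sol: who has TGT" and
# "SRC > DST: icmp6: neighbor adv: tgt is TGT" (classic tcpdump icmp6 output).
LINE_RE = re.compile(
    r"^(?P<src>[0-9a-fA-F:.]+) > (?P<dst>[0-9a-fA-F:.]+): icmp6: "
    r"neighbor (?P<kind>sol|adv): (?:who has|tgt is) (?P<target>[0-9a-fA-F:.]+)$"
)


def parse_nd_line(line):
    """Parse one NS/NA line into IPv6Address objects; None if the line is not NDP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": ipaddress.IPv6Address(m["src"]),
        "dst": ipaddress.IPv6Address(m["dst"]),
        "kind": m["kind"],
        "target": ipaddress.IPv6Address(m["target"]),
    }


def solicited_node(target):
    """Solicited-node multicast address for target (RFC 4291 2.7.1):
    ff02::1:ff00:0/104 with the low 24 bits of the target appended."""
    prefix = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(prefix | (int(target) & 0xFFFFFF))


def source_scope(addr):
    """'local' for fe80::/10 sources, 'global' for any other unicast source."""
    return "local" if addr.is_link_local else "global"


def classify_exchange(lines):
    """Classify one NS/NA pair as pattern 'global' (1), 'local' (2) or 'mixed',
    and sanity-check that the two packets really belong together."""
    pkts = [p for p in (parse_nd_line(l) for l in lines) if p]
    sols = [p for p in pkts if p["kind"] == "sol"]
    advs = [p for p in pkts if p["kind"] == "adv"]
    if len(sols) != 1 or len(advs) != 1:
        raise ValueError("expected exactly one solicitation and one advertisement")
    sol, adv = sols[0], advs[0]

    checks = {
        # the NS goes to the solicited-node group derived from the target
        "ns_dst_is_solicited_node": sol["dst"] == solicited_node(sol["target"]),
        # the NA answers for the same target ...
        "na_target_matches": adv["target"] == sol["target"],
        # ... and is unicast back to whatever source address the NS used
        "na_dst_is_ns_src": adv["dst"] == sol["src"],
    }
    scopes = {source_scope(sol["src"]), source_scope(adv["src"])}
    pattern = scopes.pop() if len(scopes) == 1 else "mixed"
    return {"pattern": pattern, "consistent": all(checks.values()), "checks": checks}


def classify_log(lines):
    """Walk a whole capture, pairing each solicitation with the next
    advertisement for the same target; returns [(target, pattern), ...]."""
    pending = {}
    results = []
    for line in lines:
        p = parse_nd_line(line)
        if not p:
            continue
        if p["kind"] == "sol":
            pending[p["target"]] = line
        elif p["target"] in pending:
            ns_line = pending.pop(p["target"])
            results.append((str(p["target"]), classify_exchange([ns_line, line])["pattern"]))
    return results


if __name__ == "__main__":
    for name, sample in (("SAMPLE_GLOBAL", SAMPLE_GLOBAL), ("SAMPLE_LOCAL", SAMPLE_LOCAL)):
        print(name, classify_exchange(sample))
```

Feed it the output of `tcpdump -n -i <if> icmp6` (hypothetical invocation; adjust to your interface) taken once without flows and once with flows established, and `classify_log` gives the column of the table each run belongs in. A "mixed" result, where the solicitation and the advertisement use different source scopes, is the case worth looking at most closely, since it is neither of the two patterns the post observed.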