Hi,

while trying to fix the proxy ND behavior on Linux some time ago, Pekka Savola and I briefly talked about some issues with the proxy ND specs in RFC 2461.

The current specs are a bit vague or even inconsistent on some topics:

1) Should the proxy answer to NUD probes or not?

The MIPv6 specification section 10.4.1 requires that the Home Agent reply to any NS messages sent to a home address it is protecting, but is this MIPv6 specific behavior or should it be general IPv6 proxy ND behavior?

RFC 2461 section 7.2.8 requires that the proxy MUST join the solicited-node multicast address corresponding to the proxied IP address. This ensures that the proxy receives all multicast NS messages sent to the proxied address, but it is not enough for capturing the unicast NS messages used for NUD. Sections 7.2.3 and 7.2.4 only talk about the target (not the destination) address of NS messages, so they don't offer any clues to how the proxy should handle unicasted NS messages.

Handling NUD probes probably requires additional filtering of unicast traffic going through the router, which is bad. On the other hand, ignoring the messages breaks NUD and might cause other unwanted results. If, for example, the proxy has a route to the node it is proxying, it might forward the NUD probe to it (just like all other unicast traffic).

2) Why isn't all ND traffic handled by the proxy?

If NS messages are intercepted by the proxy on behalf of the proxied node, why aren't the other ND message types (at least NA, but perhaps also RS and RA)? Again, we probably don't want the messages to be forwarded outside the link by the proxying router. I guess discarding them (either silently or not) would be better.

3) How should (non-ND) traffic to a proxied link-local address be treated?

RFC 2461 doesn't say anything about this, but the MIPv6 specification section 10.4.2 requires that the Home Agent MUST discard a packet addressed to the Mobile Node's link-local address and SHOULD return an ICMP Destination Unreachable, Code 3, message to the sender.
Discarding link-local ND messages will break ND for these addresses, but since link-local traffic is not routed outside the link it seems like a reasonable response to all other traffic by *any* proxying IPv6 router, not just a MIPv6 HA.

Some of these things might be self-evident to most RFC 2461 proxy ND implementors, but it would be nice to have them listed explicitly so there isn't any room for "interesting" interpretations.

Regards,
Ville Nuorvala

--
Ville Nuorvala
Research Assistant, Institute of Digital Communications,
Helsinki University of Technology
email: [EMAIL PROTECTED], phone: +358 (0)9 451 5257
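
Added example, not part of the original message and not code from the Linux implementation it mentions: a small Python sketch of the gap raised in point 1, showing that membership in the solicited-node multicast group only delivers the multicast NS, while a unicast NS (NUD probe) is addressed to the proxied address itself. The function names, the category labels and the 2001:db8:: documentation addresses are assumptions made for illustration.

```python
import ipaddress

# Base of the solicited-node multicast range, ff02::1:ff00:0/104.
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr):
    """Return the solicited-node multicast address for addr:
    the /104 prefix above combined with the low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def classify_ns(dst, target, proxied):
    """Classify a Neighbor Solicitation as seen by a proxying router.

    dst     -- IPv6 destination address of the packet
    target  -- Target Address field inside the NS
    proxied -- addresses the router performs proxy ND for
    The returned labels are hypothetical names for this sketch.
    """
    dst = ipaddress.IPv6Address(dst)
    target = ipaddress.IPv6Address(target)
    proxied = {ipaddress.IPv6Address(p) for p in proxied}

    if target not in proxied:
        return "not-proxied"
    if dst == solicited_node(target):
        # Received because the proxy joined the group (RFC 2461, 7.2.8).
        return "multicast-ns"
    if dst in proxied:
        # NUD probe: sent to the proxied unicast address, so group
        # membership does not deliver it. The router sees it only as
        # unicast traffic it would otherwise forward or drop.
        return "unicast-ns"
    return "other"


if __name__ == "__main__":
    # Constructed sample addresses (documentation prefix).
    proxied = ["2001:db8::1234:5678"]
    group = solicited_node(proxied[0])
    print("group joined by proxy:", group)
    print(classify_ns(group, proxied[0], proxied))
    print(classify_ns(proxied[0], proxied[0], proxied))
```

The "unicast-ns" branch is the case for which the message says sections 7.2.3 and 7.2.4 give no guidance; the sketch only identifies it and does not decide how it should be handled.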
