Re: IPv6/NDP/IPsec breakage in -current

On 06/12/16(Tue) 15:23, Alexander Bluhm wrote: > On Mon, Nov 21, 2016 at 03:15:39PM +0100, Martin Pieuchot wrote: > > naddy@ confirmed this diff fixes his tunnel mode setup, ok? > > IPv6 neighbor discovery over IPsec does not work reliably. It uses > link-local, global and multicast addresses

Re: IPv6/NDP/IPsec breakage in -current

On Mon, Nov 21, 2016 at 03:15:39PM +0100, Martin Pieuchot wrote: > naddy@ confirmed this diff fixes his tunnel mode setup, ok? IPv6 neighbor discovery over IPsec does not work reliably. It uses link-local, global and multicast addresses and depending on your flows and SA it either works or not.

Re: IPv6/NDP/IPsec breakage in -current

On 02/11/16(Wed) 10:19, Martin Pieuchot wrote: > On 25/10/16(Tue) 22:13, Markus Friedl wrote: > > > > > Am 25.10.2016 um 17:13 schrieb Mike Belopuhov : > > > > > > > > > There are apparently some discussions in infomational RFCs regarding > > > this issue. For instance

Re: IPv6/NDP/IPsec breakage in -current

On 25/10/16(Tue) 22:13, Markus Friedl wrote: > > > Am 25.10.2016 um 17:13 schrieb Mike Belopuhov : > > > > > > There are apparently some discussions in infomational RFCs regarding > > this issue. For instance https://tools.ietf.org/html/rfc3756 > >

Re: IPv6/NDP/IPsec breakage in -current

> Am 25.10.2016 um 17:13 schrieb Mike Belopuhov : > > > There are apparently some discussions in infomational RFCs regarding > this issue. For instance https://tools.ietf.org/html/rfc3756 > states: > > More specifically, the

Re: IPv6/NDP/IPsec breakage in -current

On Thu, Oct 13, 2016 at 21:43 +0200, Markus Friedl wrote: > > > Am 13.10.2016 um 13:06 schrieb Christian Weisgerber : > > > >> After the second m_makespace(): > >> > >>+--+-+ +--+ ++-+ > >>| IPv6 | ESP | | IPv6 | | ICMPv6 |

Re: IPv6/NDP/IPsec breakage in -current

Alexander Bluhm: > I also see issues with IPv6 and NDP, but no IPsec involved. There > are several other threads on bugs@ about broken IPv6. > > It seems that sending neighbor solicitation retries for expired ND > entries does not work. The diff below helps in my case, although > it is only a

Re: IPv6/NDP/IPsec breakage in -current

On Thu, Oct 06, 2016 at 11:12:18PM +0200, Christian Weisgerber wrote: > Something is very broken at the intersection of IPv6, NDP, and IPsec > in -current. I also see issues with IPv6 and NDP, but no IPsec involved. There are several other threads on bugs@ about broken IPv6. It seems that

Re: IPv6/NDP/IPsec breakage in -current

> Am 13.10.2016 um 13:06 schrieb Christian Weisgerber : > >> After the second m_makespace(): >> >>+--+-+ +--+ ++-+ >>| IPv6 | ESP | | IPv6 | | ICMPv6 | ESP | >>+--+-+ +--+ ++-+ >> >>

Re: IPv6/NDP/IPsec breakage in -current

On Wed, Oct 12, 2016 at 18:00 +0200, Christian Weisgerber wrote: > Mike Belopuhov: > > > It's also not clear what's wrong with those broken NS/ND > > packets that you receive. > > Oct 12 17:30:10 bardioc /bsd: nd6_na_input: ND packet from non-neighbor > Oct 12 17:30:12 bardioc last message

Re: IPv6/NDP/IPsec breakage in -current

Mike Belopuhov: > It's also not clear what's wrong with those broken NS/ND > packets that you receive. Oct 12 17:30:10 bardioc /bsd: nd6_na_input: ND packet from non-neighbor Oct 12 17:30:12 bardioc last message repeated 2 times Oct 12 17:30:15 bardioc /bsd: nd6_ns_input: NS packet from

Re: IPv6/NDP/IPsec breakage in -current

On Mon, Oct 10, 2016 at 21:13 +, Christian Weisgerber wrote: > On 2016-10-09, Christian Weisgerber wrote: > > > Found by bisection. The culprit is this commit: > > > > > > CVSROOT:/cvs > >

Re: IPv6/NDP/IPsec breakage in -current

On 2016-10-09, Christian Weisgerber wrote: > Found by bisection. The culprit is this commit: > > > CVSROOT:/cvs > Module name:src > Changes by: mar...@cvs.openbsd.org 2016/09/13

Re: IPv6/NDP/IPsec breakage in -current

On 2016-10-06, Christian Weisgerber wrote: > Something is very broken at the intersection of IPv6, NDP, and IPsec > in -current. Found by bisection. The culprit is this commit: CVSROOT:/cvs