Source address used by ndppd may not be a neighbor address #41

Open
vincentbernat opened this Issue May 22, 2018 · 0 comments

vincentbernat commented May 22, 2018

Hello!

I am using ndppd on interfaces where I don't have anything other than a link-local address. Due to the scope rule, Linux won't use it when sending packets for a globally reachable address. It selects another address from another interface. The selected address is not in the same subnet as the target address. Some OSes will refuse neighbor advertisements coming from a non-neighbor address. For example, in OpenBSD, I get:

nd6_na_input: ND packet from non-neighbor

RFC 4861 doesn't say much except the source address should be "an address assigned to the interface from which the advertisement is sent." We could use the link-local address, hoping some OS won't be too picky about that or use a fake address (that could be specified in the configuration file). In both cases, sendmsg() cannot be used, which would make the change rather extensive.

vincentbernat added a commit to vincentbernat/ndppd that referenced this issue Jul 25, 2018

Fake source IP address for advertisements
Some OSes are picky with the source IP address used when receiving
neighbor advertisements. For example, OpenBSD will drop such an
advertisement if the source address is not part of its local subnet.

When sending a neighbor advertisement, spoof the source IPv6 address
to match the target address. This requires a recent kernel (4.15+)
since the socket needs the `IPV6_FREEBIND` option to be set. We cannot
use `IP_FREEBIND` because the socket is of type `SOCK_RAW`.

An alternative would be to use a dedicated `SOCK_DGRAM` socket for
sending UDP packets. Another option would be to make `setsockopt()`
non-fatal and disable IP spoofing if we cannot set the option.

Fix DanielAdolfsson#41

vincentbernat referenced a pull request that will close this issue Jul 25, 2018

Fake source IP address for advertisements #43 (Open)

vincentbernat added a commit to vincentbernat/ndppd that referenced this issue Jul 31, 2018

Fake source IP address for advertisements

vincentbernat added a commit to vincentbernat/ndppd that referenced this issue Aug 1, 2018

Fake source IP address for advertisements
Some OSes are picky with the source IP address used when receiving
neighbor advertisements. For example, OpenBSD will drop such an
advertisement if the source address is not part of its local subnet.

When sending a neighbor advertisement, spoof the source IPv6 address
to match the target address. This requires a recent kernel (4.15+)
since the socket needs the `IPV6_FREEBIND` option to be set. We cannot
use `IP_FREEBIND` because the socket is of type `SOCK_RAW`.

Fix DanielAdolfsson#41
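
The approach described in the commit messages (set `IPV6_FREEBIND`, then pick the source address per advertisement) can be sketched in C as below. This is an added example, not ndppd's code: it assumes the source is chosen with an `IPV6_PKTINFO` ancillary message passed to `sendmsg()`, and `enable_freebind`, `set_na_source` and `struct na_pktinfo` are hypothetical names. It also shows the non-fatal `setsockopt()` fallback that the first commit message lists as an option.

```c
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

#ifndef IPV6_FREEBIND
#define IPV6_FREEBIND 78   /* value from linux/in6.h, for older libc headers */
#endif

/* Same layout as struct in6_pktinfo (RFC 3542); declared locally because
 * glibc only exposes that struct when _GNU_SOURCE is defined. */
struct na_pktinfo {
    struct in6_addr addr;      /* source address to put in the IPv6 header */
    unsigned int ifindex;      /* outgoing interface index */
};

/* Returns 1 if the socket may now send from a non-local source address.
 * Returns 0 if the kernel refused the option; the caller can then keep
 * kernel source selection instead of treating the failure as fatal. */
int enable_freebind(int fd)
{
    int on = 1;
    return setsockopt(fd, IPPROTO_IPV6, IPV6_FREEBIND, &on, sizeof(on)) == 0;
}

/* Attach an IPV6_PKTINFO control message to msg so that sendmsg() uses
 * src as the source address on interface ifindex. cbuf must be aligned for
 * struct cmsghdr and hold CMSG_SPACE(sizeof(struct na_pktinfo)) bytes.
 * Returns 0 on success, -1 if the buffer is too small. */
int set_na_source(struct msghdr *msg, void *cbuf, size_t cbuflen,
                  const struct in6_addr *src, unsigned int ifindex)
{
    struct na_pktinfo pi;
    struct cmsghdr *cm;

    if (cbuflen < CMSG_SPACE(sizeof(pi)))
        return -1;
    memset(cbuf, 0, cbuflen);
    msg->msg_control = cbuf;
    msg->msg_controllen = CMSG_SPACE(sizeof(pi));
    cm = CMSG_FIRSTHDR(msg);
    cm->cmsg_level = IPPROTO_IPV6;
    cm->cmsg_type = IPV6_PKTINFO;
    cm->cmsg_len = CMSG_LEN(sizeof(pi));
    memset(&pi, 0, sizeof(pi));
    pi.addr = *src;
    pi.ifindex = ifindex;
    memcpy(CMSG_DATA(cm), &pi, sizeof(pi));
    return 0;
}
```

A caller would run `enable_freebind()` once after creating the ICMPv6 socket and call `set_na_source()` with the advertisement's target address only when it returned 1.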