----- Original Message ----- > From: "Linus Lüssing" <linus.luessing@xxxxxx> > To: "Jan Stancek" <jstancek@xxxxxxxxxx> > Cc: netdev@xxxxxxxxxxxxxxx, "Florian Westphal" <fwestpha@xxxxxxxxxx>, bridge@xxxxxxxxxxxxxxxxxxxxxxxxxx > Sent: Tuesday, 4 March, 2014 1:00:41 AM > Subject: Re: bridge is not forwaring ICMP6 neighbor solicitation to KVM guest > > Hi Jan, > > On Mon, Mar 03, 2014 at 05:45:49PM -0500, Jan Stancek wrote: > > There is also bridge on host B. I assume that doesn't matter > > but I could set up host B without bridge if needed. > > It can matter, but in this case it doesn't :). > > > > What I'm curious about is, whether the guest receives > > > the MLD query and responds with an MLD report. I suspect that > > > either the bridge doesn't get an MLD report and therefore is > > > shutting down the according port or there's a bug in parsing the > > > MLD report in the bridge code. > > > > I'm no expert in this area, but shouldn't neigh. solicit packets > > be forwarded to all ports regardless of any/no MLD reports? > > That's the beauty of IPv6 Neighbor Discovery using these neat > solicited-node multicast addresses :). With IPv4 and ARP > requests there's no other way than flooding. But for IPv6 we know > in advance behind which bridge port someone interested in the > neighbor solicitation message might be (assuming MLD is working, > properly), allowing us to save bandwidth. > > In this case, MLD is not working properly, the main issue is the > following: > > Host B sends broken MLD queries, the source address should be an > IPv6 link-local one, not "100:0:600:0:78fb:100::". MLDv2 mandates > this (see RFC3810, section 5.1.14.: "Source Addresses for > Queries"). > > Though I couldn't find that requirement for MLDv1, Linux ignores > MLDv1 queries with a non-link-local source address, too (see > net/ipv6/mcast.c, igmp6_event_query() ). So Linux never sends an > MLD report in reply to these broken queries. > > > The second "minor" but in this case fatal issue is, that the > bridge code doesn't have this link-local-src check, therefore > kicking the snooping into gear even though it shouldn't because we > don't have a _working_ querier. > > I'm going to make a patch for the bridge code adding this sanity > check. > > > For the broken query, ok, it's your manually crafted query. But > did you see a query with such a bogus source address "in the > wild", too? (I'm curious how urgent this sanity check is) It's real packet I managed to capture during one such occurrence. I'm sending it with small C program over raw socket, but it's byte by byte exact copy of what I captured with tcpdump previously. I'm not sure how that packet came to existence. Based on IPv6 address it came from host B, but all host B was doing at the time was running RHEL6 with couple qemu-kvm instances. KVM guests were set up to use bridge, so I'm assuming if any of them crafted this packet, source IPv6 address would be different. Regards, Jan > > Cheers, Linus >
