networkd RetransmitSec - how to make it work on a host?

The RetransmitSec option was introduced in systemd-v255, but I cannot get it to work for Neighbor Solicitations from a Host. Instead, I observe that the NS are always transmitted at 1 second intervals, regardless of whether it was changed by:

 

  1. Received RA Retransmit Timer
  2. Sysctl net.ipv6.icmp.ratelimit
  3. Systemd.network configuration file RetransmitSec

 

A few questions:

  1. Can you point me at the networkd code that generates the neighbor solicitations?
  2. My router sends an RA with a Retransmit Timer = 5000ms:
    1. What is supposed to take precedence, the RA or the value in the config file?
    2. With debug enabled, I see networkd writes to /proc/sys/net/ipv6/icmp/ratelimit
      i. However, that makes no difference to the retransmit rate, which is always 1 second.
  3. Why is this option not enabled under [Network], but instead under [IPv6SendRA]?  Hosts send NS that should also be ratelimited.

 

$ systemctl --version
systemd 255 (255-1-g6a9a58c^)
+PAM -AUDIT -SELINUX -APPARMOR -IMA -SMACK -SECCOMP -GCRYPT -GNUTLS -OPENSSL -ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -TPM2 -BZIP2 -LZ4 +XZ -ZLIB -ZSTD -BPF_FRAMEWORK -XKBCOMMON -UTMP +SYSVINIT default-hierarchy=hybrid

 

I’ve tried several configuration changes, but nothing worked.  E.g. I tried to configure the Retransmit interval to 3 seconds. After each configuration change, I ran:

 

$ systemctl daemon-reload; systemctl restart systemd-networkd

 

One of my attempts:

 

$ networkctl cat 10-eno0.network
# /etc/systemd/network/10-eno0.network
[Match]
KernelCommandLine=!nfsroot
Name=eno0

[DHCP]
ClientIdentifier=mac
RouteMetric=10
UseDomains=yes
UseHostname=yes
UseMTU=yes

[IPv6AcceptRA]
#UseOnLinkPrefix=yes
UseDNS=yes
UseDomains=yes

[Link]
RequiredForOnline=no

[Network]
#Address=16.107.234.71/21
#DHCP=ipv6
#DNS=1.2.3.6
#Gateway=16.107.232.1
Address=10.1.1.1/24
DHCP=no
Gateway=10.1.1.2
IPv6AcceptRA=yes
IPv6SendRA=yes

[IPv6SendRA]
RetransmitSec=3

 

 

And here is the tcpdump output:

 

$ tcpdump -i eno0 -n --number ip6 -vv
tcpdump: listening on eno0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    1  02:23:50.607129 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::200:10ff:fe10:1060 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
        hop limit 64, Flags [none], pref medium, router lifetime 9000s, reachable time 30000ms, retrans timer 5000ms
          prefix info option (3), length 32 (4): 2001:2:0:1000::/64, Flags [onlink, auto], valid time 65535s, pref. time 65535s
            0x0000:  40c0 0000 ffff 0000 ffff 0000 0000 2001
            0x0010:  0002 0000 1000 0000 0000 0000 0000
          mtu option (5), length 8 (1):  1500
            0x0000:  0000 0000 05dc

    8< -- snip unrelated multicast packets ---- >8

    4  02:24:00.932029 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 10) fe80::200:10ff:fe10:1081 > fe80::9640:c9ff:fed6:77f6: [icmp6 sum ok] ICMP6, echo request, id 0, seq 0
    5  02:24:00.932412 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::9640:c9ff:fed6:77f6 > ff02::1:ff10:1081: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:10ff:fe10:1081
          source link-address option (1), length 8 (1): 94:40:c9:d6:77:f6
            0x0000:  9440 c9d6 77f6
    6  02:24:01.934639 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::9640:c9ff:fed6:77f6 > ff02::1:ff10:1081: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:10ff:fe10:1081
          source link-address option (1), length 8 (1): 94:40:c9:d6:77:f6
            0x0000:  9440 c9d6 77f6
    7  02:24:02.958599 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::9640:c9ff:fed6:77f6 > ff02::1:ff10:1081: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:10ff:fe10:1081
          source link-address option (1), length 8 (1): 94:40:c9:d6:77:f6
            0x0000:  9440 c9d6 77f6

 

$ sysctl net.ipv6.icmp.ratelimit
net.ipv6.icmp.ratelimit = 5000

 

 

Thanks,

Matt.
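
One way to measure the retransmit interval from a capture like the one in the message above, as an added example that is not part of the original post: it parses `tcpdump -n -vv` text, groups neighbor solicitations by source and target, and compares the gaps between them with the retrans timer advertised in the RA. The sample capture is constructed (shortened from the lines quoted in the post), and the function names and the 25% tolerance are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: shortened from the tcpdump lines quoted in the post.
SAMPLE = """\
1  02:23:50.607129 IP6 (hlim 255) fe80::200:10ff:fe10:1060 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
    hop limit 64, Flags [none], pref medium, router lifetime 9000s, reachable time 30000ms, retrans timer 5000ms
5  02:24:00.932412 IP6 (hlim 255) fe80::9640:c9ff:fed6:77f6 > ff02::1:ff10:1081: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:10ff:fe10:1081
6  02:24:01.934639 IP6 (hlim 255) fe80::9640:c9ff:fed6:77f6 > ff02::1:ff10:1081: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:10ff:fe10:1081
7  02:24:02.958599 IP6 (hlim 255) fe80::9640:c9ff:fed6:77f6 > ff02::1:ff10:1081: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:10ff:fe10:1081
"""

NS_RE = re.compile(r"(\d\d):(\d\d):(\d\d\.\d+) IP6 .* (\S+) > \S+: "
                   r".*neighbor solicitation.*who has ([0-9A-Fa-f:]+)")
RA_TIMER_RE = re.compile(r"retrans timer (\d+)ms")

def parse_capture(text):
    """Return (last advertised retrans timer in ms or None, {(src, target): [seconds-of-day]})."""
    ra_ms, ns_times = None, defaultdict(list)
    for line in text.splitlines():
        m = RA_TIMER_RE.search(line)
        if m:
            ra_ms = int(m.group(1))
            continue
        m = NS_RE.search(line)
        if m:
            h, mi, s, src, target = m.groups()
            ns_times[(src, target)].append(int(h) * 3600 + int(mi) * 60 + float(s))
    return ra_ms, dict(ns_times)

def ns_gaps(times):
    """Gaps between consecutive solicitations; default tcpdump timestamps carry no date, so wrap at midnight."""
    return [round((b - a) % 86400, 6) for a, b in zip(times, times[1:])]

def check(text, tolerance=0.25):
    """List (src, target, gaps, expected_s, ok) per solicited target; ok is None without an RA timer."""
    ra_ms, ns_times = parse_capture(text)
    expected = ra_ms / 1000 if ra_ms else None   # an RA value of 0 means "unspecified" (RFC 4861)
    report = []
    for (src, target), times in ns_times.items():
        gaps = ns_gaps(times)
        ok = None if expected is None or not gaps else all(
            abs(g - expected) <= tolerance * expected for g in gaps)
        report.append((src, target, gaps, expected, ok))
    return report

if __name__ == "__main__":
    for src, target, gaps, expected, ok in check(SAMPLE):
        print(f"{src} -> who has {target}: gaps={gaps}s expected={expected}s match={ok}")
```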

 

