carp ipv6 ndp issue


Florian Fuessl
Feature or bug?

Latest snapshot /bsd kernel (03. Aug. 11) does not react to neighbor
discovery requests for inet6 address on carp master interface, here.

-Florian

Re: carp ipv6 ndp issue

Todd T. Fries-2
Are you using global IPv6 addresses for your test or link-local addresses
for your test?

I have found that you sometimes need to ping6 the link-local address
on a carp interface from a workstation before it will respond to ndp.

For reference, this scenario happens if you run rtadvd against a carp
interface for fail-over routers to advertise the carp address for routing.

Thanks,

Penned by Florian Fuessl on 20110805  7:00.21, we have:
| Feature or bug?
|
| Latest snapshot /bsd kernel (03. Aug. 11) does not react to neighbor
| discovery requests for inet6 address on carp master interface, here.
|
| -Florian

--
Todd Fries .. [hidden email]

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| 2525 NW Expy #525, Oklahoma City, OK 73112  \  sip:[hidden email]
| "..in support of free software solutions."  \  sip:[hidden email]
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt

Re: carp ipv6 ndp issue

Alexander Bluhm
In reply to this post by Florian Fuessl
On Fri, Aug 05, 2011 at 02:00:21PM +0200, Florian Fuessl wrote:
> Feature or bug?

Sounds like a bug, but I cannot reproduce it.

> Latest snapshot /bsd kernel (03. Aug. 11) does not react to neighbor
> discovery requests for inet6 address on carp master interface, here.

With this kernel
    kern.version=OpenBSD 5.0 (GENERIC) #30: Wed Aug  3 16:08:44 MDT 2011
        [hidden email]:/usr/src/sys/arch/i386/compile/GENERIC
and this carp device
    carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:5e:00:01:01
            priority: 0
            carp: MASTER carpdev ne3 vhid 1 advbase 1 advskew 0
            groups: carp
            status: master
            inet6 fdd7:e83e:66bc:7:200:5eff:fe00:101 prefixlen 64
            inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x5
ndp and ping6 fdd7:e83e:66bc:7:200:5eff:fe00:101 works for me.

To figure out what is going on I need more information:
- Is this a regression?  Did it work before?
- Please set sysctl net.inet6.icmp6.nd6_debug=1 and look for errors in dmesg.
- What icmp6 packets do you see with tcpdump?
- What does your configuration and setup look like?

bluhm

Re: carp ipv6 ndp issue

Alexander Bluhm
On Fri, Aug 05, 2011 at 11:50:41PM +0200, Alexander Bluhm wrote:
> On Fri, Aug 05, 2011 at 02:00:21PM +0200, Florian Fuessl wrote:
> > Feature or bug?
>
> Sounds like a bug, but I cannot reproduce it.

To trigger the bug, you need two addresses in the same network on
the carp and on the parent interface.  One of them has the route,
the other cannot do ndp.

Does this diff help?

I still see some nd6_lookup errors but after a short time ndp works.
Perhaps that is the problem Todd mentioned.

bluhm


Index: netinet6/in6.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/in6.c,v
retrieving revision 1.91
diff -u -p -r1.91 in6.c
--- netinet6/in6.c 26 Jul 2011 21:19:51 -0000 1.91
+++ netinet6/in6.c 5 Aug 2011 22:19:48 -0000
@@ -1945,7 +1945,10 @@ in6_ifpprefix(const struct ifnet *ifp, c
  if (rt == NULL)
  return (0);
  if ((rt->rt_flags & (RTF_CLONING | RTF_CLONED)) == 0 ||
-    rt->rt_ifp != ifp) {
+    (rt->rt_ifp != ifp &&
+    (ifp->if_type != IFT_CARP || rt->rt_ifp != ifp->if_carpdev) &&
+    (rt->rt_ifp->if_type != IFT_CARP || rt->rt_ifp->if_carpdev != ifp)
+    )) {
  RTFREE(rt);
  return (0);
  }
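
Review bot: The added carp tests in the `rt->rt_ifp != ifp` branch use `IFT_CARP` and `if_carpdev` unconditionally; they should sit inside `#if NCARP > 0`, with "carp.h" included at the top of in6.c, so that kernels configured without carp are not affected. The condition has also grown from one comparison to three clauses with the closing `)) {` on a line of its own; a short comment saying that a carp interface and its carpdev are treated as one interface for the prefix lookup would make the intent clear.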

Re: carp ipv6 ndp issue

Alexander Bluhm
On Sat, Aug 06, 2011 at 12:47:27AM +0200, Alexander Bluhm wrote:
> To trigger the bug, you need two addresses in the same network on
> the carp and on the parent interface.  One of them has the route,
> the other cannot do ndp.

The bridge has the same problem there, bridge and carp can be fixed
in the same way.

In my experience ipv6 bridge has always been broken and has more
issues.  Do we want this larger diff in release mode?

bluhm


Index: netinet6/in6.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/in6.c,v
retrieving revision 1.91
diff -u -p -r1.91 in6.c
--- netinet6/in6.c 26 Jul 2011 21:19:51 -0000 1.91
+++ netinet6/in6.c 6 Aug 2011 05:04:18 -0000
@@ -61,6 +61,9 @@
  * @(#)in.c 8.2 (Berkeley) 11/15/93
  */
 
+#include "bridge.h"
+#include "carp.h"
+
 #include <sys/param.h>
 #include <sys/ioctl.h>
 #include <sys/errno.h>
@@ -1945,7 +1948,16 @@ in6_ifpprefix(const struct ifnet *ifp, c
  if (rt == NULL)
  return (0);
  if ((rt->rt_flags & (RTF_CLONING | RTF_CLONED)) == 0 ||
-    rt->rt_ifp != ifp) {
+    (rt->rt_ifp != ifp &&
+#if NBRIDGE > 0
+    (rt->rt_ifp->if_bridge == NULL || ifp->if_bridge == NULL ||
+    rt->rt_ifp->if_bridge != ifp->if_bridge) &&
+#endif
+#if NCARP > 0
+    (ifp->if_type != IFT_CARP || rt->rt_ifp != ifp->if_carpdev) &&
+    (rt->rt_ifp->if_type != IFT_CARP || rt->rt_ifp->if_carpdev != ifp)&&
+#endif
+    1)) {
  RTFREE(rt);
  return (0);
  }
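
Review bot: In the `NBRIDGE` clause of the second hunk the test `ifp->if_bridge == NULL` is redundant: once `rt->rt_ifp->if_bridge` is known to be non-NULL, `rt->rt_ifp->if_bridge != ifp->if_bridge` already covers a NULL `ifp->if_bridge`, so one NULL check is enough. The clause also makes any two members of the same bridge count as sharing a prefix, which is a wider relaxation than the carp/carpdev pairing and deserves a comment stating that it is intended. Minor style: `!= ifp)&&` is missing the space before `&&`.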

Re: carp ipv6 ndp issue

Florian Fuessl
In reply to this post by Todd T. Fries-2
Todd T. Fries <[hidden email]> wrote Fri, Aug. 05, 2011 6:06 PM
>
> Are you using global IPv6 addresses for your test or link-local
> addresses for your test?

I'm using global IPv6 addresses.

i.e.
host side ping6:
...@melon:~$ ping6 2a00:1230::feed:cafe
PING 2a00:1230::feed:cafe(2a00:1230::feed:cafe) 56 data bytes
From 2a00:1230::5049:6023 icmp_seq=1 Destination unreachable: Address
unreachable
From 2a00:1230::5049:6023 icmp_seq=2 Destination unreachable: Address
unreachable
From 2a00:1230::5049:6023 icmp_seq=3 Destination unreachable: Address
unreachable

carp router master ifconfig:
carp100: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0a
        priority: 0
        carp: MASTER carpdev vlan100 vhid 10 advbase 1 advskew 0
        groups: carp
        status: master
        inet6 fe80::200:5eff:fe00:10a%carp100 prefixlen 64 scopeid 0x1d
        inet [...]
        inet6 2a00:1230::feed:cafe prefixlen 64
vlan100: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:19:bb:e9:ae:b9
        priority: 0
        vlan: 100 priority: 0 parent interface: em1
        groups: vlan
        status: active
        inet6 fe80::219:bbff:fee9:aeb9%vlan100 prefixlen 64 scopeid 0x9
        inet [...]
        inet6 2a00:1230::feed:abba prefixlen 64

carp router backup ifconfig:
carp100: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0a
        priority: 0
        carp: BACKUP carpdev vlan100 vhid 10 advbase 1 advskew 128
        groups: carp
        status: backup
        inet6 fe80::200:5eff:fe00:10a%carp100 prefixlen 64 scopeid 0x1d
        inet [...]
        inet6 2a00:1230::feed:cafe prefixlen 64
vlan100: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:d6:cc:41
        priority: 0
        vlan: 100 priority: 0 parent interface: em1
        groups: vlan
        status: active
        inet6 fe80::204:23ff:fed6:cc41%vlan100 prefixlen 64 scopeid 0x9
        inet [...]
        inet6 2a00:1230::feed:baba prefixlen 64

carp master "tcpdump -i vlan100 -n ip6":
tcpdump: listening on vlan100, link-type EN10MB
01:29:12.608013 2a00:1230::5049:6023 > ff02::1:ffed:cafe: icmp6: neighbor
sol: who has 2a00:1230::feed:cafe
01:29:13.230592 fe80::219:bbff:fee9:aeb9 > ff02::12: CARPv2-advertise 36:
vhid=10 advbase=1 advskew=0 demote=0
01:29:13.607932 2a00:1230::5049:6023 > ff02::1:ffed:cafe: icmp6: neighbor
sol: who has 2a00:1230::feed:cafe
01:29:14.241597 fe80::219:bbff:fee9:aeb9 > ff02::12: CARPv2-advertise 36:
vhid=10 advbase=1 advskew=0 demote=0
01:29:14.607946 2a00:1230::5049:6023 > ff02::1:ffed:cafe: icmp6: neighbor
sol: who has 2a00:1230::feed:cafe

sysctl net.inet6.icmp6.nd6_debug=1 and dmesg output on carp master:
nd6_ns_input: NS packet from non-neighbor
nd6_ns_input: src=2a00:1230::5049:6023
nd6_ns_input: dst=ff02:001d::0001:ffed:cafe
nd6_ns_input: tgt=2a00:1230::feed:cafe
nd6_ns_input: NS packet from non-neighbor
nd6_ns_input: src=2001:067c:2088::c1c0:0e0d
nd6_ns_input: dst=ff02:001e::0001:ffed:cafe
nd6_ns_input: tgt=2001:067c:2088::feed:cafe
nd6_ns_input: NS packet from non-neighbor
nd6_ns_input: src=2a00:1230::5049:6060
nd6_ns_input: dst=ff02:001d::0001:ffed:cafe
nd6_ns_input: tgt=2a00:1230::feed:cafe
[...]

> I have found that you sometimes need to ping6 the link-local address
> on a carp interface from a workstation before it will respond to ndp.

Thanks for this hint:
ping6 to link-local address works fine. But afterwards still no response on
carp inet6 address.

> For reference, this scenario happens if you run rtadvd against a carp
> interface for fail-over routers to advertise the carp address for
> routing.

At the moment I've set up static ipv6 address and routing for a few less
important services only. Rtadvd follows as the next step if the basics run
fine.

> Thanks,

feedback on patches of Alexander follows...

> Penned by Florian Fuessl on 20110805  7:00.21, we have:
> | Feature or bug?
> |
> | Latest snapshot /bsd kernel (03. Aug. 11) does not react to neighbor
> | discovery requests for inet6 address on carp master interface, here.
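
An added example, not part of the thread or of OpenBSD: a small triage script for the nd6_debug output posted above. It reads the receiving interface from the scope id embedded in the `dst` address (0x1d, the scopeid of carp100 in the ifconfig output) and separates on-link sources that were rejected, which is the symptom reported here, from genuinely off-link ones. The `INTERFACES` table and the second sample record are assumptions filled in by hand.

```python
import ipaddress
import re

# Constructed sample: record 1 follows the post; record 2 uses the 2001:db8::/32 doc prefix.
SAMPLE_DMESG = """\
nd6_ns_input: NS packet from non-neighbor
nd6_ns_input: src=2a00:1230::5049:6023
nd6_ns_input: dst=ff02:001d::0001:ffed:cafe
nd6_ns_input: tgt=2a00:1230::feed:cafe
nd6_ns_input: NS packet from non-neighbor
nd6_ns_input: src=2001:db8:ffff::1
nd6_ns_input: dst=ff02:001d::0001:ffed:cafe
nd6_ns_input: tgt=2a00:1230::feed:cafe
"""

# Assumption: typed in from ifconfig, scopeid -> (name, on-link prefixes); 0x1d is carp100.
INTERFACES = {0x1d: ("carp100", ["2a00:1230::/64"])}

FIELD = re.compile(r"nd6_ns_input: (src|dst|tgt)=(\S+)")

def parse_records(text):
    """Group the src/dst/tgt lines that follow each 'non-neighbor' header."""
    records, cur = [], None
    for line in text.splitlines():
        if "NS packet from non-neighbor" in line:
            cur = {}
            records.append(cur)
        elif cur is not None and (m := FIELD.search(line)):
            cur[m.group(1)] = ipaddress.IPv6Address(m.group(2))
    return [r for r in records if {"src", "dst", "tgt"} <= r.keys()]  # drop truncated ones

def embedded_scope(dst):
    """KAME-derived kernels keep the zone id in the 2nd 16-bit word of link-local scope addresses."""
    b = dst.packed
    link_local_mcast = b[0] == 0xFF and (b[1] & 0x0F) == 2
    return int.from_bytes(b[2:4], "big") if link_local_mcast else None

def triage(text, interfaces=INTERFACES):
    out = []
    for r in parse_records(text):
        scope = embedded_scope(r["dst"])
        name, prefixes = interfaces.get(scope, ("unknown", []))
        on_link = any(r["src"] in ipaddress.IPv6Network(p) for p in prefixes)
        verdict = "on-link source rejected" if on_link else "off-link source dropped"
        out.append((name, str(r["src"]), verdict))
    return out

if __name__ == "__main__":
    print(*triage(SAMPLE_DMESG), sep="\n")
```

A record classified as "on-link source rejected" on a carp interface whose prefix is also configured on its carpdev matches the situation discussed in this thread; "off-link source dropped" is the check working as intended.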

Re: carp ipv6 ndp issue

Florian Fuessl
In reply to this post by Alexander Bluhm
Alexander Bluhm <[hidden email]> wrote Sat., Aug. 06, 2011
> On Sat, Aug 06, 2011 at 12:47:27AM +0200, Alexander Bluhm wrote:
> > To trigger the bug, you need two addresses in the same network on
> > the carp and on the parent interface.  One of them has the route,
> > the other cannot do ndp.
>
> The bridge has the same problem there, bridge and carp can be fixed
> in the same way.

Thank you. This patch works like a charm! :-)

> In my experience ipv6 bridge has always been broken and has more
> issues.  Do we want this larger diff in release mode?

Sounds reasonable to me.

> bluhm

-Florian

> Index: netinet6/in6.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/in6.c,v
> retrieving revision 1.91
> diff -u -p -r1.91 in6.c
> --- netinet6/in6.c 26 Jul 2011 21:19:51 -0000 1.91
> +++ netinet6/in6.c 6 Aug 2011 05:04:18 -0000
> @@ -61,6 +61,9 @@
>   * @(#)in.c 8.2 (Berkeley) 11/15/93
>   */
>
> +#include "bridge.h"
> +#include "carp.h"
> +
>  #include <sys/param.h>
>  #include <sys/ioctl.h>
>  #include <sys/errno.h>
> @@ -1945,7 +1948,16 @@ in6_ifpprefix(const struct ifnet *ifp, c
>   if (rt == NULL)
>   return (0);
>   if ((rt->rt_flags & (RTF_CLONING | RTF_CLONED)) == 0 ||
> -    rt->rt_ifp != ifp) {
> +    (rt->rt_ifp != ifp &&
> +#if NBRIDGE > 0
> +    (rt->rt_ifp->if_bridge == NULL || ifp->if_bridge == NULL ||
> +    rt->rt_ifp->if_bridge != ifp->if_bridge) &&
> +#endif
> +#if NCARP > 0
> +    (ifp->if_type != IFT_CARP || rt->rt_ifp != ifp->if_carpdev)
> &&
> +    (rt->rt_ifp->if_type != IFT_CARP || rt->rt_ifp->if_carpdev !=
> ifp)&&
> +#endif
> +    1)) {
>   RTFREE(rt);
>   return (0);
>   }
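
Review bot: The `1)) {` terminator at the end of the second hunk exists only so that each `#if` block can end in `&&`, and it makes the condition hard to read and easy to break when a clause is added or removed. Consider moving the interface comparison into a small static helper (hypothetical name `in6_same_link(ifp, rt->rt_ifp)`) that returns early from each `#if` section, so the `if` in in6_ifpprefix() stays a two-term expression.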

Re: carp ipv6 ndp issue

Alexander Bluhm
On Sun, Aug 07, 2011 at 04:02:32AM +0200, Florian Fuessl wrote:
> Alexander Bluhm <[hidden email]> wrote Sat., Aug. 06, 2011
> > On Sat, Aug 06, 2011 at 12:47:27AM +0200, Alexander Bluhm wrote:
> > > To trigger the bug, you need two addresses in the same network on
> > > the carp and on the parent interface.  One of them has the route,
> > > the other cannot do ndp.
>
> Thank you. This patch works like a charm! :-)

By thinking about it, I found another bug with carp and neighbor
discovery.  When you have two carp interfaces on one physical
interface and the same prefix on both carp interfaces but not on
the physical, neighbor discovery will fail for one of the carp
interfaces.

I don't know whether this is a common use case.

It is easy to fix.  When comparing two carp interfaces, assume they
have same prefixes if they have the same parent.

ok?
Can this go into 5.0?

bluhm


Index: netinet6/in6.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/in6.c,v
retrieving revision 1.92
diff -u -p -r1.92 in6.c
--- netinet6/in6.c 7 Aug 2011 15:18:40 -0000 1.92
+++ netinet6/in6.c 8 Aug 2011 08:22:19 -0000
@@ -1956,6 +1956,8 @@ in6_ifpprefix(const struct ifnet *ifp, c
 #if NCARP > 0
     (ifp->if_type != IFT_CARP || rt->rt_ifp != ifp->if_carpdev) &&
     (rt->rt_ifp->if_type != IFT_CARP || rt->rt_ifp->if_carpdev != ifp)&&
+    (ifp->if_type != IFT_CARP || rt->rt_ifp->if_type != IFT_CARP ||
+    rt->rt_ifp->if_carpdev != ifp->if_carpdev) &&
 #endif
     1)) {
  RTFREE(rt);
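
Review bot: The new sibling test `rt->rt_ifp->if_carpdev != ifp->if_carpdev` has no NULL check, unlike the `if_bridge` comparison added to this condition in the previous revision. If two carp interfaces can both have a NULL `if_carpdev` (no parent attached), they would compare equal here and be treated as sharing a prefix; adding `ifp->if_carpdev == NULL ||` to the clause would rule that out.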

Re: carp ipv6 ndp issue

Florian Fuessl
Alexander Bluhm wrote Monday, August 08, 2011 10:50 AM

> On Sun, Aug 07, 2011 at 04:02:32AM +0200, Florian Fuessl wrote:
> > Alexander Bluhm <[hidden email]> wrote Sat., Aug. 06, 2011
> > > On Sat, Aug 06, 2011 at 12:47:27AM +0200, Alexander Bluhm wrote:
> > > > To trigger the bug, you need two addresses in the same network on
> > > > the carp and on the parent interface.  One of them has the route,
> > > > the other cannot do ndp.
> >
> > Thank you. This patch works like a charm! :-)
>
> By thinking about it, I found another bug with carp and neighbor
> discovery.  When you have two carp interfaces on one physical
> interface and the same prefix on both carp interfaces but not on
> the physical, neighbor discovery will fail for one of the carp
> interfaces.

Running "the simple carp setup", this updated patch also runs fine here.

> I don't know whether this is a common use case.
>
> It is easy to fix.  When comparing two carp interfaces, assume they
> have same prefixes if they have the same parent.
>
> ok?
> Can this go into 5.0?

+1

> bluhm

Thank you,
-Florian

> Index: netinet6/in6.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/in6.c,v
> retrieving revision 1.92
> diff -u -p -r1.92 in6.c
> --- netinet6/in6.c 7 Aug 2011 15:18:40 -0000 1.92
> +++ netinet6/in6.c 8 Aug 2011 08:22:19 -0000
> @@ -1956,6 +1956,8 @@ in6_ifpprefix(const struct ifnet *ifp, c
>  #if NCARP > 0
>      (ifp->if_type != IFT_CARP || rt->rt_ifp != ifp->if_carpdev)
> &&
>      (rt->rt_ifp->if_type != IFT_CARP || rt->rt_ifp->if_carpdev !=
> ifp)&&
> +    (ifp->if_type != IFT_CARP || rt->rt_ifp->if_type != IFT_CARP
> ||
> +    rt->rt_ifp->if_carpdev != ifp->if_carpdev) &&
>  #endif
>      1)) {
>   RTFREE(rt);
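
Review bot: With this hunk the `NCARP` section holds three clauses that differ only in which side is the carp interface, and nothing in the code says which topology each one covers. A one-line comment per clause (carp on its carpdev, carpdev under its carp, two carps on the same carpdev) would document the cases the thread worked out, and the rule from the message, "assume they have same prefixes if they have the same parent", is a good candidate for the third.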