ntpd constraints and RFC4193 IPv6 addresses

Using OpenBSD 5.8-current (GENERIC) #0, amd64

I have a simple ntpd.conf:

 constraints from "https://www.google.com"

The ifconfig for the NIC in question is:

% ifconfig em0
        lladdr 00:22:68:99:41:8e
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet netmask 0xff000000 broadcast
        inet6 fe80::222:68ff:fe99:418e%em0 prefixlen 64 scopeid 0x1
        inet6 fdcf:b715:2f4d:1::150 prefixlen 64

I noticed in my pf logs that an RFC4193 IPv6 address was trying to access
Google.  My understanding is that the RFC4193 addresses, while routable,
should not be routed over the global Internet.  Fortunately, I block/log
all such attempts at my firewall.

Here's one of the log records:

 pf: rule 1..16777216/0(match): block out on em0:
  fdcf:b715:2f4d:1::150.3664 > 2607:f8b0:4004:808::1012.443: tcp 0

The 2607 address is Google's, which was my first clue when I started to
backtrace the source of the traffic.

So my question is --- should ntpd's constraint traffic use the NIC's
IPv4 address when there is no globally routable IPv6 address available?
Is there something else I need to configure to nudge ntpd's constraint
traffic in the correct direction?
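
Added example, not part of the original post: a small Python check that scans pf log text in the format quoted above and reports outbound flows whose source is an RFC4193 address (fc00::/7) and whose destination is globally routable. The function names are hypothetical, and every sample line except the first record is constructed for illustration.

```python
import ipaddress
import re

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses

# pflog prints tcpdump-style records: "<action> <dir> on <if>: src.port > dst.port:"
RECORD = re.compile(
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+):\s+"
    r"(?P<src>\S+) > (?P<dst>\S+?):\s"
)

# First record is the one quoted in the post; the rest are constructed samples.
SAMPLE_LOG = """\
pf: rule 1..16777216/0(match): block out on em0:
  fdcf:b715:2f4d:1::150.3664 > 2607:f8b0:4004:808::1012.443: tcp 0
pf: rule 2/0(match): pass out on em0:
  fdcf:b715:2f4d:1::150.5000 > fdcf:b715:2f4d:1::1.22: tcp 0
pf: rule 3/0(match): pass out on em0:
  192.0.2.10.51234 > 198.51.100.7.443: tcp 0
"""

def split_host_port(token):
    """The port follows the last dot: 'fd00::1.3664' -> (fd00::1, 3664)."""
    host, _, port = token.rpartition(".")
    return ipaddress.ip_address(host), int(port)

def ula_leaks(log_text):
    """Return outbound IPv6 flows with a ULA source and a global destination."""
    leaks = []
    for m in RECORD.finditer(log_text):
        try:
            src, _sport = split_host_port(m["src"])
            dst, dport = split_host_port(m["dst"])
        except ValueError:
            continue  # not an address.port pair, so nothing to classify
        if m["dir"] != "out" or src.version != 6 or dst.version != 6:
            continue
        if src in ULA and dst.is_global:
            leaks.append((m["action"], m["ifname"], str(src), str(dst), dport))
    return leaks

if __name__ == "__main__":
    for leak in ula_leaks(SAMPLE_LOG):
        print("ULA source to global destination:", leak)
```

A "pass" action in the result would mean the flow left the host unfiltered; in the sample only the blocked record from the post matches.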