Final fix to disable IPv6 RA when NSM_TUNNEL_IP is IPv6 #739

Merged
merged 1 commit into from
Oct 25, 2022

Conversation

edwarnicke
Member

VPP, being a router, presumes that any IPv6 enabled interface should,
by default, be sending IPv6 Router Announcements (RAs).

In our case, this is an incorrect behavior.

In the past we had attempted using:

'ip6 nd host-%s ra-cease'

this did not work as expected for two reasons:

  1. It was done before assigning an IPv6 address to the interface.
    Because of this the interface does not yet have IPv6 enabled,
    and therefore the 'ip6 nd host-%s ra-cease' has no effect.
  2. 'ip6 nd host-%s ra-cease' only precluded repetition of RAs
    after the interface is up. Initial RAs are still sent.
    This can be fixed by adding 'ra-suppress'

So in short, we use:
'enable ip6 interface host-%s'
'ip6 nd host-%s ra-cease ra-suppress'

which disables any sending of RAs from the interface prior to it
being 'upped'.

This has been tested using tcpdump. Tcpdump was used in the uncorrected
case to ensure it correctly detects RAs being sent out (it does).
Tcpdump was used to determine that with:

'enable ip6 interface host-%s'
'ip6 nd host-%s ra-cease'

the initial RA is sent, but no subsequent RAs.

The actual fix was tested with tcpdump to ensure that

'enable ip6 interface host-%s'
'ip6 nd host-%s ra-cease ra-suppress'

results in no RAs being sent.

Finally, tcpdump was used to ensure that when the code being submitted
was used, no RAs were sent out.

Signed-off-by: Ed Warnicke [email protected]
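The tcpdump checks described above come down to spotting ICMPv6 type 134 (Router Advertisement) on the wire and confirming that none appear once the fix is in place. The following is an added example, not code from this PR or from the project: it applies that test to raw Ethernet frames. The frames are constructed sample data, and the function names `IsRouterAdvertisement`, `CountRAs` and `buildFrame` are hypothetical.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const (
	etherTypeIPv6 = 0x86DD
	protoHopByHop = 0   // IPv6 hop-by-hop options extension header
	protoICMPv6   = 58
	icmp6TypeRA   = 134 // Router Advertisement (RFC 4861)
)

// IsRouterAdvertisement reports whether an Ethernet frame carries an ICMPv6 RA.
func IsRouterAdvertisement(frame []byte) bool {
	if len(frame) < 14+40 || binary.BigEndian.Uint16(frame[12:14]) != etherTypeIPv6 {
		return false
	}
	ip := frame[14:]
	next, off := ip[6], 40 // Next Header field, end of the fixed IPv6 header
	if next == protoHopByHop && len(ip) >= off+8 { // skip it: length is (n+1)*8 bytes
		next, off = ip[off], off+(int(ip[off+1])+1)*8
	}
	return next == protoICMPv6 && len(ip) > off && ip[off] == icmp6TypeRA
}

// CountRAs returns how many frames are RAs; the fix passes when this is zero.
func CountRAs(frames [][]byte) (n int) {
	for _, f := range frames {
		if IsRouterAdvertisement(f) {
			n++
		}
	}
	return n
}

// buildFrame makes a constructed Ethernet+IPv6+ICMPv6 sample frame of the given type.
func buildFrame(icmpType byte) []byte {
	f := make([]byte, 14+40+16)
	binary.BigEndian.PutUint16(f[12:14], etherTypeIPv6)
	f[14], f[19], f[20], f[21], f[54] = 0x60, 16, protoICMPv6, 255, icmpType // ver, len, next hdr, hop limit, type
	return f
}

func main() {
	capture := [][]byte{buildFrame(133), buildFrame(134), buildFrame(135)}
	fmt.Println("router advertisements seen:", CountRAs(capture))
}
```

Types 133 and 135 in the sample capture are Router Solicitation and Neighbor Solicitation, which must not be counted as RAs.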

@denis-tingaikin denis-tingaikin merged commit a2c0b6d into networkservicemesh:main Oct 25, 2022
nsmbot pushed a commit to networkservicemesh/deployments-k8s that referenced this pull request Oct 25, 2022
…d-forwarder-vpp@main

PR link: networkservicemesh/cmd-forwarder-vpp#739

Commit: a2c0b6d
Author: Ed Warnicke
Date: 2022-10-25 02:59:01 -0500
Message:
  - Final fix to disable IPv6 RA when NSM_TUNNEL_IP is IPv6 (#739)
Signed-off-by: Ed Warnicke <[email protected]>
Signed-off-by: NSMBot <[email protected]>
nsmbot pushed a commit that referenced this pull request Aug 29, 2023
…k-vpp@main

PR link: networkservicemesh/sdk-vpp#739

Commit: db44fd0
Author: Alexander Peretyatko
Date: 2023-08-29 18:41:10 +0700
Message:
  - Fix running test for Linux on MacOS (#739)
Signed-off-by: Alexander Peretyatko <[email protected]>
Signed-off-by: NSMBot <[email protected]>