summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOle Troan <otroan@employees.org>2023-10-13 09:19:45 +0200
committerAndrew Yourtchenko <ayourtch@gmail.com>2023-10-16 14:48:46 +0000
commitdbeb56d2dab0a5c86b4b61b5dccdcb997cdaef1f (patch)
tree52bd509f77f23975a2de6a7c12cc07b8f611059a
parentf68afe85a6e4d5e00fdad1af19a76eb40fdfa388 (diff)
ip-neighbor: do not use sas to determine NS source address
Using the source address selection algorithm to determine the best source of an NS for address resolution risks incompatible behavior. It may choose a source address that is off-link to the other host. Which may drop it. A safer approach is to always use the link-local address as the SA. It's recommended to pick a source that an application will later use, as VPP is mostly a router, that rarely applies. And regardlessly we have no mechanism to signal from an application that triggered address resolutiuon what source address it intends to use. Type: fix Change-Id: I3c5de66e41505f3682767706ef1195a20e4f0e54 Signed-off-by: Ole Troan <otroan@employees.org>
-rw-r--r--src/vnet/ip-neighbor/ip6_neighbor.c5
-rw-r--r--test/test_ip6.py2
-rw-r--r--test/test_ip6_nd_mirror_proxy.py2
-rw-r--r--test/test_nat64.py2
4 files changed, 6 insertions, 5 deletions
diff --git a/src/vnet/ip-neighbor/ip6_neighbor.c b/src/vnet/ip-neighbor/ip6_neighbor.c
index e3a47df2076..fd0dbfcd2bb 100644
--- a/src/vnet/ip-neighbor/ip6_neighbor.c
+++ b/src/vnet/ip-neighbor/ip6_neighbor.c
@@ -217,13 +217,14 @@ ip6_discover_neighbor_inline (vlib_main_t * vm,
* Choose source address based on destination lookup
* adjacency.
*/
- if (!fib_sas6_get (sw_if_index0, &ip0->dst_address, &src) ||
- !ip6_sas_by_sw_if_index (sw_if_index0, &ip0->dst_address, &src))
+ const ip6_address_t *ll = ip6_get_link_local_address (sw_if_index0);
+ if (!ll)
{
/* There is no address on the interface */
p0->error = node->errors[IP6_NEIGHBOR_ERROR_NO_SOURCE_ADDRESS];
continue;
}
+ ip6_address_copy (&src, ll);
b0 = ip6_neighbor_probe (vm, vnm, sw_if_index0, thread_index, &src,
&ip0->dst_address);
diff --git a/test/test_ip6.py b/test/test_ip6.py
index 36c4122d627..c78b8441f90 100644
--- a/test/test_ip6.py
+++ b/test/test_ip6.py
@@ -141,7 +141,7 @@ class TestIPv6ND(VppTestCase):
self.assertEqual(in6_ptop(ns.tgt), in6_ptop(tgt_ip))
# packet is from the router's local address
- self.assertEqual(in6_ptop(rx[IPv6].src), intf.local_ip6)
+ self.assertEqual(in6_ptop(rx[IPv6].src), intf.local_ip6_ll)
# Src link-layer options should have the router's MAC
sll = rx[ICMPv6NDOptSrcLLAddr]
diff --git a/test/test_ip6_nd_mirror_proxy.py b/test/test_ip6_nd_mirror_proxy.py
index 9214e32b447..bb7c967137a 100644
--- a/test/test_ip6_nd_mirror_proxy.py
+++ b/test/test_ip6_nd_mirror_proxy.py
@@ -121,7 +121,7 @@ class TestNDPROXY(VppTestCase):
rx = self.send_and_expect(self.pg1, [unicast_nd_req_from_host], self.pg0)
self.assertEqual(rx[0][Ether].src, self.pg0.local_mac)
self.assertEqual(rx[0][Ether].dst, in6_getnsmac(nsma))
- self.assertEqual(rx[0][IPv6].src, self.pg0.local_ip6)
+ self.assertEqual(rx[0][IPv6].src, self.pg0.local_ip6_ll)
self.assertEqual(rx[0][IPv6].dst, d)
self.assertEqual(ipv6nh[rx[0][IPv6].nh], "ICMPv6")
self.assertEqual(rx[0][ICMPv6ND_NS].tgt, self.pg0.remote_ip6)
diff --git a/test/test_nat64.py b/test/test_nat64.py
index 4ae9f6614dd..5c0fe733c96 100644
--- a/test/test_nat64.py
+++ b/test/test_nat64.py
@@ -651,7 +651,7 @@ class TestNAT64(VppTestCase):
capture = self.pg5.get_capture(len(pkts))
packet = capture[0]
try:
- self.assertEqual(packet[IPv6].src, self.pg5.local_ip6)
+ self.assertEqual(packet[IPv6].src, self.pg5.local_ip6_ll)
self.assertEqual(packet.haslayer(ICMPv6ND_NS), 1)
tgt = packet[ICMPv6ND_NS].tgt
except: