tech-net archive


Re: Dealing with ICMPv6 network unreachable.



On Thu, 2015-04-02 at 20:09 -0400, Greg Troxel wrote:
> Roy Marples <roy%marples.name@localhost> writes:
> 
> > It claims it's an IPv6 router with the address fe80::1 but with no
> > prefix information.
> 
> Do you mean it is sending RAs?   That seems odd.   I wonder if we should
> be rejecting them, but we'd have to read the specs.

That was my initial thought also, but I've read the specs and can't see
anything to say they should be rejected.
There are also a few documents (NOT RFCs) recommending using fe80::1
as the edge router because it's like easy to remember.

> 
> > Interestingly enough it is serving DNS and DHCP on v6 as well.
> 
> Can you explain more precisely?

It's a fully functional IPv6 router, except it's not handing out any
prefixes or addresses of any kind. The DHCPv6 is just handing out DNS
records.

> > Anyway, the problem is that because it's added a default route, various
> > programs will try IPv6 first. For each address tried, the router issues
> > an ICMPv6 unreachable message of code 0. This is displayed with ping -v
> > as well, so it is hitting userland. However, applications are ignoring
> > it. My simple test case is wget (available in pkgsrc).
> 
> Three thoughts about what might be going on:
> 
>   I am unclear on codes in ICMPv6; it could be that 0 is irregular and
>   getting filtered out by us, even though maybe it shouldn't be.

It's not irregular, it's ICMP6_DST_UNREACH_NOROUTE which is handled in
sys/netinet6/icmp6.c line 525. I have yet to explore further than this.

>   It seems that the proper response of TCP to net/host unreachable is
>   arguable.  In the case you mention, it's best to abort, but a
>   transient unreachable situation on a TCP connection shouldn't kill the
>   connection.
> 
>   It strikes me as odd that without a public address TCP is being tried.
>   Does your interface have any global addresses, or just the LL one?
>   If the router is handing out global addresses which don't work, it's a
>   much harder question about doing per-protocol black-hole detection
>   (leading down the path to happy eyeballs).

As I said above, no addresses are being handed out.
The local interface just has local-link addresses.

Roy
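
The router behaviour described in this message (an RA that makes the host install a default route but carries no Prefix Information option), as an added example that is not part of the original post or of NetBSD's code: a minimal C check over a raw Router Advertisement, following the RFC 4861 layout. The function name, flag names and both sample packets are constructed for illustration, and the ICMPv6 checksum is not verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result bits from ra_check(); names are hypothetical, not from any kernel. */
#define RA_DEFAULT_ROUTER 0x1  /* router lifetime > 0: host installs a default route */
#define RA_HAS_PREFIX     0x2  /* a Prefix Information option (type 3) is present */
#define RA_MALFORMED      0x4  /* not an RA, truncated, or bad option length */

/* Constructed sample: lifetime 1800 s, only a source link-layer address option. */
static const uint8_t RA_NO_PREFIX[24] = {
    134, 0, 0, 0, 64, 0, 0x07, 0x08, 0, 0, 0, 0, 0, 0, 0, 0,
    1, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
/* Constructed sample: same RA plus a 32-byte prefix option (body left as zeros). */
static const uint8_t RA_WITH_PREFIX[56] = {
    134, 0, 0, 0, 64, 0, 0x07, 0x08, 0, 0, 0, 0, 0, 0, 0, 0,
    1, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    3, 4, 64, 0xC0 };

/* Parse an ICMPv6 Router Advertisement, starting at the ICMPv6 header. */
int ra_check(const uint8_t *p, size_t len)
{
    int r = 0;
    size_t off = 16;                      /* fixed RA header is 16 bytes */

    if (len < 16 || p[0] != 134 || p[1] != 0)
        return RA_MALFORMED;
    if (((p[6] << 8) | p[7]) != 0)        /* router lifetime in seconds */
        r |= RA_DEFAULT_ROUTER;
    while (off < len) {
        if (len - off < 2)
            return r | RA_MALFORMED;
        size_t optlen = (size_t)p[off + 1] * 8;   /* length is in 8-byte units */
        if (optlen == 0 || optlen > len - off)
            return r | RA_MALFORMED;
        if (p[off] == 3 && optlen == 32)  /* Prefix Information is always 32 bytes */
            r |= RA_HAS_PREFIX;
        off += optlen;
    }
    return r;
}

int main(void)
{
    /* A result of exactly RA_DEFAULT_ROUTER is the case discussed in this thread. */
    printf("no prefix:   0x%x\n", ra_check(RA_NO_PREFIX, sizeof RA_NO_PREFIX));
    printf("with prefix: 0x%x\n", ra_check(RA_WITH_PREFIX, sizeof RA_WITH_PREFIX));
    return 0;
}
```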


