tech-net archive


Re: IPv6: what is required of lower layers?



> In OpenVPN we've avoided all the drama related to ND by configuring
> the tun interfaces to IFF_POINTOPOINT|IFF_MULTICAST - so as far as
> the kernel is concerned, there is no neighbour discovery, just a dumb
> pipe "whatever is routed into the tun interface is sent to userland".

Perhaps I should try that.  It's probably a holdover from the past; I
tend to think of POINTOPOINT interfaces as being inherently /32 (or
/128 for v6) on each end.  But if it works to put a nontrivial netmask
on them, that may be worth doing.

However, a POINTOPOINT interface necessarily has a destination address.
I don't know what I'd specify for the destination address, since there
is no single peer whose address it makes sense to use on the tun.

> There is an additional quirk on all the BSDs regarding IPv6 packets
> on tun interfaces, as "default tun interfaces" are IPv4 only, and
> need the TUNSIFHEAD ioctl to enable "multi af mode" - which will add
> a 4-byte address family to each packet.  I assume you already have
> that, otherwise you won't see anything ("this is what I started
> with"), but I thought I'd mention it.

I use TUNSLMODE instead, to get prepended destination addresses, rather
than TUNSIFHEAD's multi-AF mode.  My if_tun.c has been significantly
worked over; I forget whether that was one of my changes.  A quick look
at the commit makes me think not, but I'm not sure.

> [...] because multicast is oh so much better than just broadcast as
> ARP will do.

That reads as though you are sarcastically criticizing v6's use of
multicast.  If so, I think that is at least partially unfair; multicast
_is_ better, in that, on multicast-capable media, it can reduce the
traffic third-party nodes have to deal with by a significant fraction.
With ARP, all nodes have to process (and, in most cases, discard) all
ARP requests.  With multicast hardware and a decent IPv6-over-$MEDIA
design, there will be few-to-no false positives; in most cases, only
the target node has to even take an interrupt in response to a node
looking for a neighbour node.

If you have a medium which doesn't do multicast but does do broadcast,
you can, for example, specify that all v6 multicasts turn into
media-level broadcasts in your IPv6-to-$MEDIA layer.

I am not fond of the use of ICMP6 for neighbour discovery.  Pulling
neighbour address resolution up into the IP layer strikes me as a wrong
choice.  Perhaps I'm just ignorant of some tradeoffs....

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
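An added example, not taken from this thread, from OpenVPN or from NetBSD's if_tun.c, of what the "multi af mode" quoted above means for a userland daemon: the 4-byte address family word is prepended on write and cross-checked against the IP version nibble and the declared lengths on read, so a frame whose AF word and header disagree is dropped rather than parsed. It also picks out ICMPv6 Neighbor Solicitations, the ND traffic the mail discusses, and flags ff00::/8 destinations as the multicasts an IPv6-to-$MEDIA layer would have to turn into broadcasts on a medium without multicast. Assumptions: the AF word is in network byte order (the form the NetBSD tun driver and OpenVPN use), extension headers are not walked, the ICMPv6 checksum is not verified, and every packet is constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* htonl, ntohl */
#include <sys/socket.h>  /* AF_INET, AF_INET6 */

#define TUN_AF_HDR_LEN 4u      /* TUNSIFHEAD prepends one 32-bit address family */
#define IPV6_HDR_LEN 40u
#define PROTO_ICMPV6 58
#define ND_NEIGHBOR_SOLICIT 135

enum tun_kind {
    TUN_BAD = 0,        /* malformed, truncated or AF/version mismatch: drop it */
    TUN_V4,
    TUN_V6_UNICAST,
    TUN_V6_MULTICAST,   /* ff00::/8: a medium without multicast would broadcast this */
    TUN_V6_NEIGH_SOL    /* ICMPv6 type 135: ND address resolution riding on ICMPv6 */
};

/* Userland -> kernel: prepend the AF word in network byte order (assumed here;
 * NetBSD's tunwrite() undoes it with ntohl()). Returns frame length, 0 on overflow. */
size_t tun_frame_encode(uint8_t *out, size_t cap, uint32_t af,
                        const uint8_t *pkt, size_t pktlen)
{
    if (cap < TUN_AF_HDR_LEN + pktlen)
        return 0;
    uint32_t wire = htonl(af);
    memcpy(out, &wire, TUN_AF_HDR_LEN);
    memcpy(out + TUN_AF_HDR_LEN, pkt, pktlen);
    return TUN_AF_HDR_LEN + pktlen;
}

/* Kernel -> userland: trust nothing in the packet until the AF word, the IP
 * version nibble and the declared payload length agree with what arrived.
 * Extension headers are not walked (a simplification for this example). */
enum tun_kind tun_frame_classify(const uint8_t *frame, size_t len)
{
    uint32_t af;
    if (len < TUN_AF_HDR_LEN + 1)
        return TUN_BAD;
    memcpy(&af, frame, TUN_AF_HDR_LEN);
    af = ntohl(af);
    const uint8_t *ip = frame + TUN_AF_HDR_LEN;
    size_t iplen = len - TUN_AF_HDR_LEN;
    unsigned version = ip[0] >> 4;

    if (af == AF_INET)
        return (version == 4 && iplen >= 20) ? TUN_V4 : TUN_BAD;
    if (af != AF_INET6 || version != 6 || iplen < IPV6_HDR_LEN)
        return TUN_BAD;
    uint16_t payload_len = (uint16_t)((ip[4] << 8) | ip[5]);
    if (iplen < IPV6_HDR_LEN + payload_len)
        return TUN_BAD;                       /* declared payload exceeds bytes received */
    if (ip[6] == PROTO_ICMPV6 && payload_len >= 8 && ip[IPV6_HDR_LEN] == ND_NEIGHBOR_SOLICIT)
        return TUN_V6_NEIGH_SOL;
    return (ip[24] == 0xff) ? TUN_V6_MULTICAST : TUN_V6_UNICAST;
}

/* Constructed IPv6 packet: src fe80::1, hop limit 255, caller's dst and payload. */
size_t make_v6(uint8_t *out, size_t cap, const uint8_t dst[16],
               uint8_t next_hdr, const uint8_t *payload, size_t plen)
{
    static const uint8_t src[16] = {0xfe, 0x80, [15] = 1};
    if (plen > 0xffff || cap < IPV6_HDR_LEN + plen)
        return 0;
    memset(out, 0, IPV6_HDR_LEN);
    out[0] = 0x60;                            /* version 6, traffic class 0 */
    out[4] = (uint8_t)(plen >> 8);
    out[5] = (uint8_t)plen;
    out[6] = next_hdr;
    out[7] = 255;
    memcpy(out + 8, src, 16);
    memcpy(out + 24, dst, 16);
    memcpy(out + IPV6_HDR_LEN, payload, plen);
    return IPV6_HDR_LEN + plen;
}

/* Constructed Neighbor Solicitation for fe80::2 (type 135, code 0, checksum left
 * 0, reserved, 16-byte target), sent to the solicited-node group ff02::1:ff00:2,
 * the multicast address that takes the place of ARP's broadcast. */
size_t make_ns_frame(uint8_t *out, size_t cap)
{
    static const uint8_t dst[16] = {0xff, 0x02, [11] = 0x01, 0xff, 0x00, 0x00, 0x02};
    uint8_t ns[24] = {ND_NEIGHBOR_SOLICIT, 0, 0, 0, 0, 0, 0, 0, 0xfe, 0x80, [23] = 2};
    uint8_t pkt[IPV6_HDR_LEN + sizeof ns];
    size_t n = make_v6(pkt, sizeof pkt, dst, PROTO_ICMPV6, ns, sizeof ns);
    return tun_frame_encode(out, cap, AF_INET6, pkt, n);
}

int main(void)
{
    uint8_t frame[128];
    static const uint8_t v4_pkt[20] = {0x45};  /* constructed minimal IPv4 header */
    size_t n = make_ns_frame(frame, sizeof frame);
    printf("NS frame -> kind %d (expect %d)\n", tun_frame_classify(frame, n), TUN_V6_NEIGH_SOL);
    /* AF word says INET6 but the bytes are IPv4: the mismatch is dropped */
    n = tun_frame_encode(frame, sizeof frame, AF_INET6, v4_pkt, sizeof v4_pkt);
    printf("mismatched frame -> kind %d (expect %d)\n", tun_frame_classify(frame, n), TUN_BAD);
    return 0;
}
```

The length cross-check matters because the tun read returns whatever the kernel handed over in one read(); a daemon that believes the IPv6 payload length field without comparing it to the byte count can read past its buffer on a short frame. The AF word is checked against the version nibble for the same reason: in multi-AF mode the two are redundant, and redundancy that is not verified is just a second place for the packet to lie.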

