<!-- Creator : groff version 1.22.4 -->
<!-- CreationDate: Tue Feb 19 10:44:33 2019 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta name="generator" content="groff -Thtml, see www.gnu.org">
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<meta name="Content-Style" content="text/css">
<style type="text/css">
p { margin-top: 0; margin-bottom: 0; vertical-align: top }
pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
table { margin-top: 0; margin-bottom: 0; vertical-align: top }
h1 { text-align: center }
</style>
<title></title>
</head>
<body>
<hr>
<p>NDPROXY(4) FreeBSD Kernel Interfaces Manual
NDPROXY(4)</p>
<p style="margin-top: 1em"><b>NAME</b></p>
<p style="margin-left:6%;"><b>ndproxy</b> — Neighbor
Discovery Proxy</p>
<p style="margin-top: 1em"><b>SYNOPSIS</b></p>
<p style="margin-left:6%;">ndproxy is a kernel module that
implements IPv6 Neighbor Discovery proxying over
Ethernet-like access networks, with many options to handle
several use-cases.</p>
<p style="margin-left:6%; margin-top: 1em">ndproxy replies
to a neighbor solicitation with a specific neighbor
advertisement, in order to let the PE uplink router send
further packets to a CPE downlink router, which may or may
not be the same node that runs ndproxy.</p>
<p style="margin-left:6%; margin-top: 1em">The hook-based
pfil(9) framework is used to let ndproxy be invoked for
every IPv6 incoming packet, in order to specifically handle
and filter neighbor solicitations and reply with appropriate
neighbor advertisements.</p>
<p style="margin-left:6%; margin-top: 1em">ND (Neighbor
Discovery) packets are mainly targeted at solicited-node
multicast addresses, but ndproxy has no information about
the hosts to proxy, so it cannot join the corresponding
groups. Thus, the interface on which ndproxy listens to
solicitations must be put into permanently promiscuous mode:
add "promisc" to the ifconfig_<interface>
variable in rc.conf(5).</p>
<p style="margin-left:6%; margin-top: 1em">For the same
reason, MLD snooping must be disabled on the switches that
share the PE/CPE interconnect (the layer-2 link the
listening interface is attached to). Note that MLD snooping
must not be disabled entirely on each switch, but only on
the corresponding vlan.</p>
<p style="margin-left:6%; margin-top: 1em">The interface on
which ndproxy listens to solicitations only needs to be
assigned a link-local address. No information about the
delegated prefix and no global address are needed on this
interface. It is sufficient to add "inet6 -ifdisabled
-accept_rtadv auto_linklocal" to the
ifconfig_<interface>_ipv6 variable in rc.conf(5).</p>
<p style="margin-top: 1em"><b>DIFFERENCES WITH NDP</b></p>
<p style="margin-left:6%;">The target address to proxy must
be given when using the ndp(8) command-line tool with the
proxy option. On the contrary, ndproxy does not rely on a
list of target addresses to proxy. Thus, RFC-4941 temporary
addresses can be proxied. For security reasons, many
operating systems use a temporary address when establishing
outbound connections.</p>
<p style="margin-left:6%; margin-top: 1em">When using the
ndp(8) command-line tool with the proxy option, the
proxied packets are redirected to the node that runs ndp.
With ndproxy, the host that runs ndproxy can instead be used
only to redirect packets to another internal IPv6 router, for
instance a dedicated router with hardware support for IPv6
routing.</p>
<p style="margin-top: 1em"><b>PREFIX SUBNETTING</b></p>
<p style="margin-left:6%;">Connecting a flat IPv6 network
to the Internet is easily done with the RFC-4861 ND
protocol. But connecting a subnetted IPv6 prefix is more
complicated, depending on the ISP network design choices.
ndproxy can help subscribers to achieve this goal.</p>
<p style="margin-left:6%; margin-top: 1em">Here are some
protocols or mechanisms the ISP needs to support when the
delegated prefix must be subnetted and assigned to multiple
links within the subscriber’s network. For instance,
the ISP could learn routes from the subscriber router using
an IGP routing protocol, but the ISP and the subscriber must
then agree on a common routing protocol. The ISP could also
feed the PE with a static route to the CPE router, but the
ISP must then be informed about the subscriber router address.
Finally, the ISP could use the RFC-3633 IPv6 Prefix Options
with DHCPv6 to delegate the prefix from its PE router to a
requesting subscriber’s router: in such a case, the
ISP must support the DHCPv6 option.</p>
<p style="margin-left:6%; margin-top: 1em">ndproxy has been
written for subscribers of ISPs that do not support any of
those mechanisms or protocols, who are thus not able to
natively subnet their delegated IPv6 prefix.</p>
<p style="margin-top: 1em"><b>NETWORK DESIGN</b></p>
<p style="margin-left:6%;">Here is a generic network design
using ndproxy to solve such situations:</p>
<pre style="margin-left:6%; margin-top: 1em">
          ______________________                    \
         /                      \                    \
        |    ISP core network    |                    \
         \__________ ___________/                      |
                    |                                  | ISP network
                    | dsl to subscriber premises       |
                    |                                 /
        +-----------+-------------+                  /
        |  PE or triple-play box  |                 /
        +-----------+-------------+
                    |
PE/CPE interconnect |               /48 prefix      \
     --+------------+------------+--                 \
       |     no mld snooping     |                    \
       |                         |                     |
+------+------+            +-----+----+                |
|     CPE     |            | ndproxy  |                |
| IPv6 router |            | BSD host |                |
+---+-----+---+            +----------+                | Subscriber
    |     |                                            | network
    |     +---------+  subnet2 /60                     |
    |               |                                  |
 subnet1 /60        |                                  |
 ---+---       -----+-----                             |
    |               |                                  |
+---+------+   +----+-----+                           /
|Subscriber|   |Subscriber|                          /
|   host   |   |   host   |                         /
+----------+   +----------+
</pre>
<p style="margin-left:6%; margin-top: 1em">Note that many
other use-cases can be handled with ndproxy: the BSD host
and the CPE router can be the same node, the
delegated-prefix length can be /64, the PE router can have
several interfaces on the ISP/Subscriber layer-2 boundary,
there can be multiple PE routers, etc.</p>
<p style="margin-top: 1em"><b>PREFIX LENGTH</b></p>
<p style="margin-left:6%;">Even though the IESG and the IAB
first recommended the allocation of /48 prefixes in the
general case, for the boundary between the public and the
private topology (see RFC-3177), some Regional
Internet Registries (APNIC, ARIN and RIPE) subsequently
revised the end site assignment policy to encourage the
assignment of /56 blocks to end sites, and RFC-6177
finally recommended giving home sites significantly more
than a single /64, so that home sites can be given
multiple subnets, some ISPs currently delegate only /64
prefixes.</p>
<p style="margin-left:6%; margin-top: 1em">In such a case,
the subscriber should subnet an RFC-4193 Unique Local IPv6
Unicast Addresses prefix to the internal subnetworks, for
internal-to-internal communications. The /64 global prefix
should be routed to the only internal subnet in which
RFC-4941 temporary addresses are used by hosts when
establishing outbound connections. Static routes on the CPE
router should be set to let hosts on other internal subnets
communicate with the Internet. Using temporary
addresses for outbound connections to the Internet must be
disabled on hosts on those other internal subnets.</p>
<p style="margin-top: 1em"><b>IPv6 EXTENSION
HEADERS</b></p>
<p style="margin-left:6%;">For security reasons, ndproxy
explicitly rejects neighbor solicitation packets containing
any extension header. Such a packet is not expected in
normal operation:</p>
<p style="margin-top: 1em"><b>Fragmentation:</b></p>
<p style="margin-left:24%; margin-top: 1em">According to
RFC-6980, IPv6 fragmentation header is forbidden in all
neighbor discovery messages.</p>
<p style="margin-top: 1em"><b>Hop-by-hop header:</b></p>
<p style="margin-left:24%; margin-top: 1em">commonly used
for jumbograms or for MLD; it should not appear in neighbor
solicitation packets.</p>
<p style="margin-top: 1em"><b>Destination mobility
headers:</b></p>
<p style="margin-left:24%; margin-top: 1em">commonly used
for mobility; ndproxy does not support these headers.</p>
<p style="margin-top: 1em"><b>Routing header:</b></p>
<p style="margin-left:24%; margin-top: 1em">commonly used
for mobility or source routing; ndproxy does not support
these headers.</p>
<p style="margin-top: 1em"><b>AH & ESP headers:</b></p>
<p style="margin-left:24%; margin-top: 1em">securing the
neighbor discovery process is not done with IPsec but with
the SEcure Neighbor Discovery protocol (RFC-3971). ndproxy
cannot support RFC-3971, since proxying ND packets is
some kind of a spoofing process.</p>
<p style="margin-top: 1em"><b>EXCEPTION ADDRESSES</b></p>
<p style="margin-left:6%;">Some neighbor solicitations sent
on the PE/CPE interconnect must not be proxied:</p>
<p style="margin-top: 1em">1.</p>
<p style="margin-left:13%;">solicitations sent by other
nodes than the PE;</p>
<p style="margin-top: 1em">2.</p>
<p style="margin-left:13%;">solicitations sent by the PE to
reach any on-link address (the address filled in the target
address option) owned by nodes attached to the PE/CPE
interconnect, for instance to reach the CPE, the ndproxy
host or other hosts attached to this layer-2
interconnect.</p>
<p style="margin-left:6%; margin-top: 1em">The target
addresses filled in those solicitations that ndproxy must
ignore have to be declared via sysctl
(net.inet6.ndproxyconf_exception_ipv6_addresses). This list
must contain the link-local and global-scoped unicast and
anycast addresses of the CPE, of the ndproxy host and of any
other host than the PE attached to the PE/CPE
interconnect.</p>
<p style="margin-left:6%; margin-top: 1em">Failing to
maintain this list correctly could cause some packets to be
wrongly redirected to the CPE, but with a simple network
design, this list can be left empty.</p>
<p style="margin-top: 1em"><b>UPLINK ROUTER
ADDRESSES</b></p>
<p style="margin-left:6%;">ndproxy only handles packets
originating from one of the PE addresses. During its address
resolution process, different source addresses can be
chosen by the PE, depending on the packet that triggered
the process or depending on other external constraints.</p>
<p style="margin-left:6%; margin-top: 1em">Here are some
cases when it can occur:</p>
<p style="margin-top: 1em">1.</p>
<p style="margin-left:13%;">The PE may have multiple
interfaces;</p>
<p style="margin-top: 1em">2.</p>
<p style="margin-left:13%;">There may be multiple PEs;</p>
<p style="margin-top: 1em">3.</p>
<p style="margin-left:13%;">Many routers choose to use a
link-local address when sending neighbor solicitations, but
when an administrator of such a router, also having a global
address assigned on the same link, tries to send packets
(echo request, for instance) to an on-link destination
global address, the source address of the echo request
packet prompting the solicitation may be global-scoped
according to the selection algorithm described in RFC-6724.
Therefore, the source address of the Neighbor Solicitation
packet should also be selected in the same global scope,
according to RFC-4861;</p>
<p style="margin-top: 1em">4.</p>
<p style="margin-left:13%;">When the uplink router does not
yet know its own address, it must use the unspecified
address, according to RFC-4861.</p>
<p style="margin-left:6%; margin-top: 1em">So, it cannot
be assumed that an uplink router will always use the same
IPv6 address to send neighbor solicitations. Each assigned
address that can be used as a source address by the PE on
its downlink interface must then be declared to ndproxy via
sysctl (net.inet6.ndproxyconf_uplink_ipv6_addresses).</p>
<p style="margin-left:6%; margin-top: 1em">ndproxy will
only handle packets that come from one of these
addresses.</p>
<p style="margin-left:6%; margin-top: 1em">Special care
must be taken with the unspecified address. It may be used
by the PE, so it is one of the PE addresses and
should therefore be added to the list of PE addresses. Since
this address can also be used by other nodes during some
initialization steps (for instance when hot-swapping an
Ethernet board), another node could use this address to send
neighbor solicitations that ndproxy should not handle,
because they are not sent by the PE. In fact, this is not a
problem because the target address option contained in a
solicitation from this other node should be in the exception
list. So, adding the unspecified address to the PE addresses
list should be safe.</p>
<p style="margin-left:6%; margin-top: 1em">Failing to
maintain this list correctly could lead the PE not to be
able to establish outbound connections to nodes on the
PE/CPE interconnect, but if this list contains at least the
PE link-local address, IPv6 connectivity should be correctly
established between the Internet and the internal
subscriber’s subnets.</p>
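<p style="margin-left:6%; margin-top: 1em">The following is an added example, not part of ndproxy or this manual: it applies the three filtering rules described in the preceding sections (no extension header, source among the declared PE addresses, target not in the exception list) to constructed raw IPv6 packets, using the example address lists from the CONFIGURATION section. The packet builders, the flag bits in the advertisement and the sample subscriber host address are assumptions made for illustration.</p>

```python
import ipaddress
import struct

ICMPV6 = 58      # IPv6 next-header value for ICMPv6
NS_TYPE = 135    # ICMPv6 Neighbor Solicitation
NA_TYPE = 136    # ICMPv6 Neighbor Advertisement
FRAGMENT = 44    # next-header value of the Fragment extension header (forbidden in ND by RFC-6980)

def addr_list(text):
    """Parse an ndproxy address list: IPv6 addresses separated by semicolons."""
    return {ipaddress.IPv6Address(a) for a in text.split(";") if a}

def build_ns(src, dst, target, next_header=ICMPV6):
    """Constructed sample: minimal IPv6 packet carrying a Neighbor Solicitation.
    Passing next_header != 58 models an extension header placed before ICMPv6."""
    icmp = struct.pack("!BBHI", NS_TYPE, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), next_header, 255)
    return ip6 + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp

def ns_decision(pkt, uplink, exceptions):
    """Classify a raw packet the way the manual describes ndproxy's filtering:
    returns "proxy" or the reason the solicitation is left alone."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "ignored: not IPv6"
    payload_len, next_header = struct.unpack("!HB", pkt[4:7])
    if next_header != ICMPV6:        # IPv6 EXTENSION HEADERS: any extension header is rejected
        return "rejected: extension header (next header %d)" % next_header
    body = pkt[40:40 + payload_len]
    if len(body) < 24 or body[0] != NS_TYPE:
        return "ignored: not a neighbor solicitation"
    src = ipaddress.IPv6Address(pkt[8:24])
    target = ipaddress.IPv6Address(body[8:24])
    if src not in uplink:            # UPLINK ROUTER ADDRESSES: only PE sources are handled
        return "ignored: source %s is not a PE address" % src
    if target in exceptions:         # EXCEPTION ADDRESSES: on-link targets are never proxied
        return "ignored: target %s is in the exception list" % target
    return "proxy"

def build_na(target, downlink_mac):
    """Advertisement answering a proxied solicitation: target address plus a
    target link-layer address option (type 2) carrying the CPE MAC.
    Only the Solicited flag is set here; the flags ndproxy really uses are an assumption."""
    mac = bytes.fromhex(downlink_mac.replace(":", ""))
    return (struct.pack("!BBHI", NA_TYPE, 0, 0, 0x40000000)
            + ipaddress.IPv6Address(target).packed + bytes([2, 1]) + mac)

# Constructed configuration, reusing the example values from the CONFIGURATION section.
UPLINK = addr_list("fe80::207:cbff:fe4b:2d20;2a01:e35:8aae:bc60::1;::")
EXCEPTIONS = addr_list("fe80::20d:edff:fe7b:68b7;fe80::222:15ff:fe3b:59a")

if __name__ == "__main__":
    pe, inside = "fe80::207:cbff:fe4b:2d20", "2a01:e35:8aae:bc60:1::42"   # assumed subscriber host
    print(ns_decision(build_ns(pe, "ff02::1:ff00:42", inside), UPLINK, EXCEPTIONS))
    print(ns_decision(build_ns(pe, "ff02::1:ff00:42", inside, FRAGMENT), UPLINK, EXCEPTIONS))
    print(ns_decision(build_ns("::", "ff02::1:ff7b:68b7", "fe80::20d:edff:fe7b:68b7"), UPLINK, EXCEPTIONS))
```

The third call shows the unspecified-address case argued above: a solicitation from "::" is accepted as a PE source, but is still ignored because its target is in the exception list.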
<p style="margin-top: 1em"><b>CONFIGURATION</b></p>
<p style="margin-left:6%;">An IPv6 address can be any valid
textual representation according to RFC-4291 and RFC-5952
(this means that the transitional textual representation is
fully supported). Other representations will trigger an
error event. IPv6 address lists must be formatted as series
of IPv6 addresses separated by semicolons.</p>
<p style="margin-left:6%; margin-top: 1em">The sysctl
utility or rc.conf(5) are used to set ndproxy configuration
parameters.</p>
<p style="margin-left:6%; margin-top: 1em">If you have
installed ndproxy as a port or as a package, set the
following variables in rc.conf(5) and load the module at
boot time by placing the following line in rc.conf(5):</p>
<p style="margin-left:14%; margin-top: 1em">ndproxy_enable="YES"</p>
<p style="margin-left:6%; margin-top: 1em">On the contrary,
if you have NOT installed ndproxy as a port or as a package
but as a standalone distribution, place the sysctl entries
in sysctl.conf(5) and load the module at boot time by
placing the following line in loader.conf(5):</p>
<p style="margin-left:14%; margin-top: 1em">ndproxy_load="YES"</p>
<p style="margin-top: 1em"><b>net.inet6.ndproxyconf_uplink_interface
sysctl entry or ndproxy_uplink_interface rc.conf
variable:</b></p>
<p style="margin-left:24%; margin-top: 1em">Name of the
interface talking to the broadcast multi-access network
connecting the PE and CPE routers.</p>
<p style="margin-left:24%; margin-top: 1em">Example:
"vlan2".</p>
<p style="margin-top: 1em"><b>net.inet6.ndproxyconf_downlink_mac_address
sysctl entry or ndproxy_downlink_mac_address rc.conf
variable:</b></p>
<p style="margin-left:24%; margin-top: 1em">MAC address of
the CPE router. Neighbor advertisements sent by ndproxy will
be filled with this address in the target link-layer address
option. The format of this parameter is the hexadecimal
representation made of 6 groups of 2 hexadecimal numbers
separated by colons.</p>
<p style="margin-left:24%; margin-top: 1em">Example:
"00:0C:29:B6:43:D5".</p>
<p style="margin-top: 1em"><b>net.inet6.ndproxyconf_exception_ipv6_addresses
sysctl entry or ndproxy_exception_ipv6_addresses rc.conf
variable:</b></p>
<p style="margin-left:24%; margin-top: 1em">Target
addresses not to proxy. In a simple network design, this
list can be left empty. See section "EXCEPTION
ADDRESSES".</p>
<p style="margin-left:24%; margin-top: 1em">Example:
"fe80::20d:edff:fe7b:68b7;fe80::222:15ff:fe3b:59a".</p>
<p style="margin-top: 1em"><b>net.inet6.ndproxyconf_uplink_ipv6_addresses
sysctl entry or ndproxy_uplink_ipv6_addresses rc.conf
variable:</b></p>
<p style="margin-left:24%; margin-top: 1em">Addresses of
the PE. This list should at least contain the PE link-local
address. See section "UPLINK ROUTER
ADDRESSES".</p>
<p style="margin-left:24%; margin-top: 1em">Example:
"fe80::207:cbff:fe4b:2d20;2a01:e35:8aae:bc60::1;::".</p>
<p style="margin-top: 1em"><b>net.inet6.ndproxycount sysctl
entry:</b></p>
<p style="margin-left:24%; margin-top: 1em">Number of
advertisements sent.</p>
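<p style="margin-left:6%; margin-top: 1em">The following is an added example, not part of ndproxy or this manual: it checks a set of parameter values against the formats this section specifies (interface name, colon-separated MAC address, semicolon-separated RFC-4291 address lists, a PE link-local address present in the uplink list) and renders the rc.conf(5) lines for a port or package install, or the sysctl.conf(5) and loader.conf(5) lines for a standalone install, together with the interface settings from the SYNOPSIS. The function names and the sample configuration are assumptions made for illustration.</p>

```python
import ipaddress
import re

MAC_RE = re.compile(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")   # 6 groups of 2 hex digits
KEYS = ("uplink_interface", "downlink_mac_address",
        "exception_ipv6_addresses", "uplink_ipv6_addresses")

def parse_list(text):
    """Semicolon-separated IPv6 addresses in any RFC-4291/RFC-5952 textual
    form; ipaddress also accepts the transitional ::ffff:a.b.c.d notation."""
    return [ipaddress.IPv6Address(a) for a in text.split(";") if a]

def check_config(cfg):
    """Return the problems found (empty list: values are usable), checking
    exactly the formats the CONFIGURATION section specifies."""
    problems, parsed = [], {}
    if not cfg.get("uplink_interface"):
        problems.append("uplink_interface: interface name missing")
    if not MAC_RE.fullmatch(cfg.get("downlink_mac_address", "")):
        problems.append("downlink_mac_address: expected 6 colon-separated hex pairs")
    for key in ("uplink_ipv6_addresses", "exception_ipv6_addresses"):
        try:
            parsed[key] = parse_list(cfg.get(key, ""))
        except ValueError as err:      # AddressValueError is a ValueError
            problems.append("%s: %s" % (key, err))
    # UPLINK ROUTER ADDRESSES: the PE link-local address should always be listed.
    if not any(a.is_link_local for a in parsed.get("uplink_ipv6_addresses", [])):
        problems.append("uplink_ipv6_addresses: PE link-local address not listed")
    return problems

def render(cfg, installed_as_package):
    """Lines to add per file, following the SYNOPSIS and CONFIGURATION sections."""
    ifn = cfg["uplink_interface"]
    files = {"rc.conf": [
        'ifconfig_%s="promisc"' % ifn,            # merge with existing flags if any
        'ifconfig_%s_ipv6="inet6 -ifdisabled -accept_rtadv auto_linklocal"' % ifn]}
    if installed_as_package:
        files["rc.conf"].append('ndproxy_enable="YES"')
        files["rc.conf"] += ['ndproxy_%s="%s"' % (k, cfg.get(k, "")) for k in KEYS]
    else:
        files["loader.conf"] = ['ndproxy_load="YES"']
        files["sysctl.conf"] = ["net.inet6.ndproxyconf_%s=%s" % (k, cfg.get(k, "")) for k in KEYS]
    return files

if __name__ == "__main__":
    # Constructed sample built from the example values given in the manual.
    sample = {"uplink_interface": "vlan2", "downlink_mac_address": "00:0C:29:B6:43:D5",
              "exception_ipv6_addresses": "fe80::20d:edff:fe7b:68b7;fe80::222:15ff:fe3b:59a",
              "uplink_ipv6_addresses": "fe80::207:cbff:fe4b:2d20;2a01:e35:8aae:bc60::1;::"}
    for problem in check_config(sample):
        print("problem:", problem)
    for name, lines in render(sample, installed_as_package=True).items():
        print("# %s\n%s" % (name, "\n".join(lines)))
```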
<p style="margin-top: 1em"><b>SEE ALSO</b></p>
<p style="margin-left:6%;">inet6(4), rc.conf(5),
loader.conf(5), sysctl.conf(5), sysctl(8), loader(8),
pfil(9)</p>
<p style="margin-top: 1em"><b>AUTHOR</b></p>
<p style="margin-left:6%;">Alexandre Fenyo
<[email protected]> - www.fenyo.net</p>
<p style="margin-left:6%; margin-top: 1em">FreeBSD 13.0
May 27, 2017 FreeBSD 13.0</p>
<hr>
</body>
</html>