Skip to content

Proper ICMPv6 handling for enable-endpoint-routes #16555

New issue
New issue
Open
Bug
Open
Proper ICMPv6 handling for enable-endpoint-routes#16555
Bug
Labels
feature/ipv6Relates to IPv6 protocol supportkind/bugThis is a bug in the Cilium logic.kind/community-reportThis was reported by a user in the Cilium community, eg via Slack.pinnedThese issues are not marked stale by our issue bot.sig/datapathImpacts bpf/ or low-level forwarding details, including map management and monitor messages.
@oblazek

Description

@oblazek
oblazek
opened on Jun 16, 2021

Proposal / RFE

Is your feature request related to a problem?
Yes, currently neighbor solicitations messages (ICMP6_NS_MSG_TYPE) exiting an endpoint have to have dstIP of router or other endpoint in the ENDPOINTS_MAP. See https://github.com/cilium/cilium/blob/master/bpf/lib/icmp6.h#L383 or https://github.com/cilium/cilium/blob/master/bpf/lib/icmp6.h#L389.

When enable-endpoint-routes is enabled (which is my case) the endpoint could be sending out NS like:

.---------------------------------------------------------------------.
|  .-----------------.                                                |
|  | cilium_host     |                                                |
|  '-----------------'                   .---------------------------.|
|  .-----------------.                   |         podScope          ||
|  | lxcXXXXXXXXXXXX |                   |                           ||
|  '-----------------'                   |                           ||
|  .-----------------.    .---------.    |   2a02:598:247:3::abb4    ||    
|  | lxc86bcaa204b44 |<-->| bpf_lxc |<-->|       link-local          ||
|  '-----------------'    '---------'    | fe80::d01e:84ff:fedf:1794 ||    
|       link-local             .         |          MAC              ||
|fe80::d0ff:2aff:fe5f:29f4     |         |    d2:1e:84:df:17:94      ||
|          MAC                 |         '---------------------------'|
|   d2:ff:2a:5f:29:f4          |                                      |                                 
|                              |                                      |
|hostScope                     |                                      |
'------------------------------|--------------------------------------'
                               '
                     handle_xgress()
                     tail_handle_ipv6()
                     handle_ipv6()
                     icmp6_handle()
                     icmp6_handle_ns()
                     tail_icmp6_handle_ns()
                     __icmp6_handle_ns()

xx drop (Unknown L3 target address) flow 0x0 to endpoint 0, identity 0->0: fe80::d01e:84ff:fedf:1794 -> fe80::d0ff:2aff:fe5f:29f4 NeighborSolicitation

which is neither (meaning the dstIP) router nor another endpoint. This results in the packet being dropped - https://github.com/cilium/cilium/blob/master/bpf/lib/icmp6.h#L397

Describe the solution you'd like
This should either be allowed for enable-endpoint-routes with something like:

#ifdef ENABLE_ENDPOINT_ROUTES
#define SKIP_ICMPV6_NS_HANDLING
#endif

since SKIP_ICMPV6_NS_HANDLING is already present here https://github.com/cilium/cilium/blob/master/bpf/lib/icmp6.h#L400

or this should be handled in a better way since without this fix/feature IPv6 traffic cannot and doesn't work.

Activity

oblazek
added
kind/featureThis introduces new functionality.
on Jun 16, 2021
stale

stale commented on Aug 22, 2021

@stale
stale
on Aug 22, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale
added
staleThe stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale.
on Aug 22, 2021
pchaigno
removed
staleThe stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale.
on Dec 7, 2021
aanm
added
sig/datapathImpacts bpf/ or low-level forwarding details, including map management and monitor messages.
on Jan 6, 2022
borkmann
added
kind/community-reportThis was reported by a user in the Cilium community, eg via Slack.
kind/bugThis is a bug in the Cilium logic.
pinnedThese issues are not marked stale by our issue bot.
on Jan 21, 2022
pchaigno
removed
kind/featureThis introduces new functionality.
on Feb 6, 2022
julianwiedmann
added
feature/ipv6Relates to IPv6 protocol support
on Sep 7, 2023
julianwiedmann

julianwiedmann commented on Nov 29, 2024

@julianwiedmann
julianwiedmann
on Nov 29, 2024
Member

👋 circling back - this is about the logic in

cilium/bpf/lib/icmp6.h

Line 312 in 7164686

ep = __lookup_ip6_endpoint(&target);
, correct?

For the case you describe, we should also consider NS messages for another pod's link-local address? And presumably let those pass into the stack, rather than drop them.

oblazek

oblazek commented on Jan 30, 2025

@oblazek
oblazek
on Jan 30, 2025
ContributorAuthor

hey @julianwiedmann exactly. Yeah I don't think dropping is the correct way to handle those.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    feature/ipv6Relates to IPv6 protocol supportkind/bugThis is a bug in the Cilium logic.kind/community-reportThis was reported by a user in the Cilium community, eg via Slack.pinnedThese issues are not marked stale by our issue bot.sig/datapathImpacts bpf/ or low-level forwarding details, including map management and monitor messages.

    Type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions
      Proper ICMPv6 handling for enable-endpoint-routes · Issue #16555 · cilium/cilium