Hi Ben,

Good to see you are looking at MAP. Always interested in deployment details if 
you want to share. Feel free to ping me offline.


The code is written this way, considering the IPv6 tunnel endpoint as a 
functional address. I.e. not being used to address an interface, but to address 
the MAP function. Now as you point out there is a thin line between those two.

As long as the MAP function is running on the input feature path (it could also 
have been put on a DPO of the receive route).
That part of the code could be changed more generally as you suggest.

Everything that is not an IPv4 in IPv6 packet _or_ an ICMPv6 error packet for an 
IPv4 in IPv6 packet can be bypassed (vnet_feature_next).

Want to have a go at a patch for that?

Cheers,
Ole



> On 19 Nov 2021, at 17:09, Ben McKeegan <b...@netservers.co.uk> wrote:
> 
> On 19/11/2021 13:32, Ben McKeegan via lists.fd.io wrote:
>> Firstly, with the map plugin it appears to break IPv6 connectivity: the 
>> control plane can no longer successfully do NDP to the external gateway (a 
>> layer 3 switch).  NDP replies from the gateway to the control plane do not 
>> arrive.   There is a very simple workaround: if I put in a static neighbour 
>> entry in Linux (with 'ip neigh replace ...') everything else works.  I have 
>> not yet understood why this happens although as I have a workaround I did 
>> not spend too long on investigating it.
> 
> It turns out this was fairly straightforward, see patch below which fixed it 
> for me.  Previously, the code checked for ICMP6 echo request and reply codes 
> and handled these locally, attempting to relay everything else (and 
> discarding any that are not suitable for relaying).  For now I have added 
> similar exceptions for NDP and RAs, but this seems a little backward to me.   
> Should we make IP6_MAP_NEXT_IP6_LOCAL the default and only set 
> IP6_MAP_NEXT_IP6_ICMP_RELAY for one of the four ICMP6 error codes that 
> ip6_map_icmp_relay() actually checks for? The comment in the code says:
> 
>           * ICMP IPv6 packet
>           *   - Error -> Pass to ICMPv6/ICMPv4 relay
>           *   - Info -> Pass to IPv6 local
> 
> ... which makes sense, but doesn't match what the code was doing.
> 
> 
> 
> diff --git a/src/plugins/map/ip6_map.c b/src/plugins/map/ip6_map.c
> index 1193dda0a..d400c634c 100644
> --- a/src/plugins/map/ip6_map.c
> +++ b/src/plugins/map/ip6_map.c
> @@ -246,8 +246,11 @@ ip6_map (vlib_main_t * vm, vlib_node_runtime_t * node, 
> vlib_frame_t * frame)
>            {
>              icmp46_header_t *icmp = (void *) (ip60 + 1);
>              next0 = (icmp->type == ICMP6_echo_request
> -                      || icmp->type ==
> -                      ICMP6_echo_reply) ? IP6_MAP_NEXT_IP6_LOCAL :
> +                      || icmp->type == ICMP6_echo_reply
> +                      || icmp->type == ICMP6_neighbor_solicitation
> +                      || icmp->type == ICMP6_neighbor_advertisement
> +                      || icmp->type == ICMP6_router_solicitation
> +                      || icmp->type == ICMP6_router_advertisement) ? 
> IP6_MAP_NEXT_IP6_LOCAL :
>                IP6_MAP_NEXT_IP6_ICMP_RELAY;
>            }
>          else if (ip60->protocol == IP_PROTOCOL_IPV6_FRAGMENTATION)
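Review bot: the widened condition on next0 is still an allow-list of informational types, so any other informational ICMPv6 message that arrives here (Redirect, type 137, or MLD, for example) still falls through to IP6_MAP_NEXT_IP6_ICMP_RELAY. The in-code comment quoted above says Error goes to the relay and Info goes to IPv6 local; RFC 4443 defines types 0-127 as errors and 128-255 as informational, so testing icmp->type < 128 for the relay case and defaulting to IP6_MAP_NEXT_IP6_LOCAL would match that comment and would not need extending for each further type.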
> @@ -273,8 +276,11 @@ ip6_map (vlib_main_t * vm, vlib_node_runtime_t * node, 
> vlib_frame_t * frame)
>            {
>              icmp46_header_t *icmp = (void *) (ip61 + 1);
>              next1 = (icmp->type == ICMP6_echo_request
> -                      || icmp->type ==
> -                      ICMP6_echo_reply) ? IP6_MAP_NEXT_IP6_LOCAL :
> +                      || icmp->type == ICMP6_echo_reply
> +                      || icmp->type == ICMP6_neighbor_solicitation
> +                      || icmp->type == ICMP6_neighbor_advertisement
> +                      || icmp->type == ICMP6_router_solicitation
> +                      || icmp->type == ICMP6_router_advertisement) ? 
> IP6_MAP_NEXT_IP6_LOCAL :
>                IP6_MAP_NEXT_IP6_ICMP_RELAY;
>            }
>          else if (ip61->protocol == IP_PROTOCOL_IPV6_FRAGMENTATION)
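Review bot: the next1 expression for ip61 is a copy of the next0 expression in the previous hunk, and the patch now maintains the same six-way condition in three places. Consider a small static inline helper that takes the icmp46_header_t pointer and returns the next index, so the three paths cannot drift apart the next time the list changes.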
> @@ -451,8 +457,11 @@ ip6_map (vlib_main_t * vm, vlib_node_runtime_t * node, 
> vlib_frame_t * frame)
>            {
>              icmp46_header_t *icmp = (void *) (ip60 + 1);
>              next0 = (icmp->type == ICMP6_echo_request
> -                      || icmp->type ==
> -                      ICMP6_echo_reply) ? IP6_MAP_NEXT_IP6_LOCAL :
> +                      || icmp->type == ICMP6_echo_reply
> +                      || icmp->type == ICMP6_neighbor_solicitation
> +                      || icmp->type == ICMP6_neighbor_advertisement
> +                      || icmp->type == ICMP6_router_solicitation
> +                      || icmp->type == ICMP6_router_advertisement) ? 
> IP6_MAP_NEXT_IP6_LOCAL :
>                IP6_MAP_NEXT_IP6_ICMP_RELAY;
>            }
>          else if (ip60->protocol == IP_PROTOCOL_IPV6_FRAGMENTATION &&
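Review bot: this third copy at line 457 changes where NS, NA, RS and RA are sent, yet the diff touches only src/plugins/map/ip6_map.c and carries no test. A regression test that enables MAP and checks that a neighbor advertisement takes IP6_MAP_NEXT_IP6_LOCAL while an ICMPv6 error still takes IP6_MAP_NEXT_IP6_ICMP_RELAY would keep control-plane NDP from breaking again.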
> 
> 
> Regards,
> Ben.
> 
> 
> 
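
Added example, not from the thread or from the VPP source: a standalone C sketch of the split Ole describes, where IPv4-in-IPv6 packets and ICMPv6 errors about IPv4-in-IPv6 packets belong to MAP and everything else is bypassed. The names map_classify, map_verdict and build_sample are hypothetical, and it assumes no extension headers between the IPv6 and ICMPv6 headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names; this is not VPP's next-node enum. */
enum map_verdict { MAP_BYPASS, MAP_DECAP, MAP_ICMP_RELAY };

#define IP6_HDR_LEN   40
#define ICMP6_HDR_LEN 8
#define NH_IPV4       4   /* IPv4 encapsulated in IPv6 */
#define NH_ICMP6      58

/* Classify a raw IPv6 packet addressed to the MAP tunnel endpoint.
 * Assumption: no extension headers (fragments are a separate path). */
enum map_verdict map_classify(const uint8_t *p, size_t len)
{
    if (len < IP6_HDR_LEN || (p[0] >> 4) != 6)
        return MAP_BYPASS;
    uint8_t nh = p[6];
    if (nh == NH_IPV4)
        return MAP_DECAP;
    if (nh != NH_ICMP6 || len < IP6_HDR_LEN + ICMP6_HDR_LEN)
        return MAP_BYPASS;
    uint8_t type = p[IP6_HDR_LEN];
    if (type >= 128)        /* RFC 4443: 128-255 are informational */
        return MAP_BYPASS;  /* echo, NDP, RA, MLD go to the local stack */
    /* Error message: the offending packet follows the 8-byte ICMPv6 header. */
    const uint8_t *in = p + IP6_HDR_LEN + ICMP6_HDR_LEN;
    size_t in_len = len - IP6_HDR_LEN - ICMP6_HDR_LEN;
    if (in_len < IP6_HDR_LEN || (in[0] >> 4) != 6 || in[6] != NH_IPV4)
        return MAP_BYPASS;  /* error about traffic MAP did not send */
    return MAP_ICMP_RELAY;
}

/* Constructed sample packet (buf must hold 128 bytes): outer IPv6 header,
 * then an ICMPv6 header and, for error types, an embedded inner IPv6 header. */
size_t build_sample(uint8_t *buf, uint8_t nh, uint8_t icmp_type, uint8_t inner_nh)
{
    memset(buf, 0, 128);
    buf[0] = 0x60;                      /* version 6 */
    buf[6] = nh;                        /* outer next header */
    if (nh != NH_ICMP6)
        return IP6_HDR_LEN + 20;
    buf[IP6_HDR_LEN] = icmp_type;
    if (icmp_type >= 128)
        return IP6_HDR_LEN + 24;
    buf[IP6_HDR_LEN + ICMP6_HDR_LEN] = 0x60;          /* inner version 6 */
    buf[IP6_HDR_LEN + ICMP6_HDR_LEN + 6] = inner_nh;  /* inner next header */
    return IP6_HDR_LEN + ICMP6_HDR_LEN + IP6_HDR_LEN + 20;
}
```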
