Subject: Re: Peculiar ICMP6 redirect rejection
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Robert Elz <kre@munnari.OZ.AU>
List: tech-net
Date: 08/14/2002 14:00:24
Date: Wed, 14 Aug 2002 02:57:04 +0200 (CEST)
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
Message-ID: <200208140119.VAA06907@Sparkle.Rodents.Montreal.QC.CA>
no comment on what sounds like some kind of bug, but I think we'd
all prefer that itojun spend time on implementation (maybe even
finding that bug) rather than on giving basic IPv6 lessons, so to
expand on his reply:
| Not legal? What on earth?? (They certainly _work_; I've used global
| addresses as the target for default routes often enough.)
No, they don't really work, they only seem to.
The problem is how redirects are handled. If you're willing to simply
allow any random node to send you a redirect, and you'll trust it, then
sure - you can use any address you like (for the gateway) in the routing
tables.
On the other hand, if you're only going to trust a redirect when it
comes from (or at least has a good chance it came from, we don't have
true authentication yet) the router you're using to send to that
destination, then you need to know what address it will send the
redirect from.
The router has no idea what address you have in your routing tables,
that doesn't appear in the packet anywhere, so there's no way for the
router to use the address that you'd prefer to see. It has no clue
at all what address it should use.
So, it needs to pick one. Now redirects only make sense on the link
of the original sender, after that it is a router problem, not redirect.
So, link local addresses will work - that is, the router can send the
redirect from an LL addr, it will arrive at the source. Further, that
gives some small added protection against redirects being routed via
other routers. More than that, all nodes always have an LL addr on all
links (that's a requirement). So, the router always has an LL addr
it can use. Because there's no reason for the router to prefer any
of its other addresses over one another (addresses on the interface),
and the LL has these advantages, that's the one that is always used.
So, now you are going to receive a redirect from the LL addr of the
router you're using. If you're not going to just trust anything, you
need to know that that LL addr belongs to the router that you're using.
That is, that LL addr needs to be in the routing table, so it can be
matched.
Of course, that doesn't mean that it has to be the route destination addr,
it just has to be there, so you could have a routing table entry where
the dest addr is global, and the LL is there for redirect processing
purposes.
But that is just wasted effort - any addr of the gateway is good enough
as the destination addr for the route. You have to have the LL addr for
redirect processing anyway - so that one may as well be the one that is
used as the destination of the route. That saves having to store 2
addresses.
Then, we get an additional benefit when we do this - the RAs that routers
all send, all (usually) contain their link level address. They're sent from
the router's LL IPv6 address. This allows nodes to associate the LL
address of all routers with their link level addresses (MAC addresses).
Because of that, ND (ARP equiv) isn't normally needed to send a packet to
the LL address of a router. The information is just already there,
available. That ends up saving a few packets (a minor gain, but one
still worth having) if the LL addr is the one used as the dest addr of
a route.
| In particular, how on earth am I supposed to determine the link-local
| address corresponding to the global address of the router I want to
| point the route to?
In general, you're not. That's what routing protocols and router
discovery do for you.
If you do need to manually specify a route, then you have three choices:
  - Get on the router, and ask it to tell you its LL addr on the interface
  - Send an ICMP "node info" query, and ask for LL addresses
    (ping6 can be made to do that, but not everyone supports it)
  - Configure the router to have a nice simple LL addr, fe80::1, fe80::2,
    instead of using one built out of its MAC addr.
| I'm not about to use something that will change if
| I happen to switch hardware (eg, something that depends on the MAC
| address);
You don't have to - but the routing protocols will normally deal with
that for you.
| am I supposed to configure every interface with a site-local
| address in parallel with its global address, for use in routes?
No, you're supposed to use routing protocols on routers, and router
discovery on hosts. And let the software figure out the paths.
| That
| seems pointless and stupid, especially as it's unnecessary in practice.
Perhaps you now see why it isn't.
kre
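The validation kre is describing, written out as an added example (not code from the thread or from the NetBSD stack): a host accepts an ICMPv6 Redirect only if, per RFC 4861 section 8.1, it arrived with hop limit 255, its source is link-local, and that source is the first hop currently used for the redirected destination. The routing table, prefixes and addresses below are constructed sample data; the second route, with a global next hop, can never match the LL source a router sends from.

```python
import ipaddress

# Constructed routing table: destination prefix -> next-hop address.
# The first entry uses the router's LL addr (what kre recommends); the
# second uses the same router's global addr (what der Mouse configured).
ROUTES = {
    ipaddress.IPv6Network("2001:db8:1::/48"): ipaddress.IPv6Address("fe80::1"),
    ipaddress.IPv6Network("2001:db8:2::/48"): ipaddress.IPv6Address("2001:db8::1"),
}


def first_hop(dst):
    """Longest-prefix match: the next hop this host currently uses for dst."""
    dst = ipaddress.IPv6Address(dst)
    best = None
    for prefix, gw in ROUTES.items():
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw)
    return best[1] if best else None


def redirect_accepted(src, hop_limit, code, dst, target):
    """RFC 4861 8.1 checks relevant to the thread.  Returns (ok, reason)."""
    src = ipaddress.IPv6Address(src)
    dst = ipaddress.IPv6Address(dst)
    target = ipaddress.IPv6Address(target)
    if hop_limit != 255:
        return False, "hop limit not 255 (packet crossed a router)"
    if code != 0:
        return False, "ICMP code not 0"
    if not src.is_link_local:
        return False, "source is not link-local"
    if not (target.is_link_local or target == dst):
        return False, "target is neither link-local nor the destination"
    gw = first_hop(dst)
    if gw != src:
        # A global next hop in the table never equals the LL source the
        # router used, so the redirect is rejected here every time.
        return False, f"source {src} is not the current first hop {gw}"
    return True, "accepted"
```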