Subject: bridged IPv6 packets rewritten with embedded scope IDs
To: None <tech-net@netbsd.org>
From: David Young <dyoung@pobox.com>
List: tech-net
Date: 03/22/2006 22:30:39

In NetBSD, the 802.11 hostap bridge has started inserting scope IDs into
link-local IPv6 addresses before retransmission. The ICMP6 checksum on
the repeated packet is wrong. A bridge shouldn't be rewriting packets,
anyway.

I suspect this is fallout from recent changes to scope-ID embedding.
ip6_input does not take sufficient care to avoid writing to unwriteable
mbufs such as the shallow mbuf copy produced by the AP bridging code.
In particular, it does not call m_makewritable before embedding scope
IDs in the source and destination addresses with in6_setscope.

This packet trace illustrates the problem:

Packet received by AP:
13:05:19.170044 00:02:6f:20:f6:2e > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 70: fe80::202:6fff:fe20:f62e > ff02::1: [icmp6 sum ok] icmp6: echo request seq 1539 (len 16, hlim 64)

Repeated packet---notice the destination turned from ff02::1 to ff02:5::1:
13:05:19.170429 00:02:6f:20:f6:2e > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 70: fe80:5::202:6fff:fe20:f62e > ff02:5::1: [bad icmp6 cksum f5ff!] icmp6: echo request seq 1539 (len 16, hlim 64)

AP's reply:
13:05:19.170562 xx:yy:zz:20:44:12 > 00:02:6f:20:f6:2e, ethertype IPv6 (0x86dd), length 70: fe80::250:43ff:fe20:4412 > fe80::202:6fff:fe20:f62e: [icmp6 sum ok] icmp6: echo reply seq 1539 (len 16, hlim 64)

Dave
--
David Young OJC Technologies
dyoung@ojctech.com Urbana, IL * (217) 278-3933
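
The failure mode reported above, as an added user-space example that is not part of the original post and is not NetBSD code: two references share one packet buffer, the input path embeds zone 5 in address bytes 2-3 as the trace shows, and the frame the bridge forwards no longer passes its ICMPv6 checksum. The names embed_scope, make_echo and forwarded_sum are hypothetical, the echo ID and payload are constructed, and a plain struct copy stands in for m_makewritable.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed frame: IPv6 source, destination and a 16-byte ICMPv6 message. */
struct pkt { uint8_t src[16], dst[16], icmp[16]; };

/* ICMPv6 checksum over pseudo-header plus message; 0 means it verifies. */
static uint16_t icmp6_sum(const struct pkt *p)
{
    uint32_t s = sizeof p->icmp + 58;   /* upper-layer length + next header */
    for (int i = 0; i < 16; i += 2) {
        s += (p->src[i] << 8) | p->src[i + 1];
        s += (p->dst[i] << 8) | p->dst[i + 1];
        s += (p->icmp[i] << 8) | p->icmp[i + 1];
    }
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Stand-in for the scope embedding seen in the trace (fe80:: -> fe80:5::). */
static void embed_scope(uint8_t a[16], uint16_t zone)
{
    a[2] = zone >> 8; a[3] = zone & 0xff;
}

/* Echo request seq 1539 between the trace's addresses; ID/payload constructed. */
static struct pkt make_echo(void)
{
    struct pkt p = {
        { 0xfe,0x80,0,0,0,0,0,0, 0x02,0x02,0x6f,0xff,0xfe,0x20,0xf6,0x2e },
        { 0xff,0x02,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x01 },
        { 128,0, 0,0, 0x12,0x34, 0x06,0x03, 'c','o','n','s','t','r','u','c' }
    };
    uint16_t c = icmp6_sum(&p);          /* computed with checksum field = 0 */
    p.icmp[2] = c >> 8; p.icmp[3] = c & 0xff;
    return p;
}

/* Checksum result for the frame the bridge sends after the input path ran. */
static uint16_t forwarded_sum(int private_copy)
{
    struct pkt wire = make_echo(), priv;
    struct pkt *bridge = &wire, *input = &wire;       /* shallow: shared data */
    if (private_copy) { priv = wire; input = &priv; } /* copy before writing */
    embed_scope(input->src, 5); embed_scope(input->dst, 5);
    return icmp6_sum(bridge);
}

int main(void) { printf("shared: %04x private: %04x\n", forwarded_sum(0), forwarded_sum(1)); return 0; }
```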