Subject: bridged IPv6 packets rewritten with embedded scope IDs
To: None <tech-net@netbsd.org>
From: David Young <dyoung@pobox.com>
List: tech-net
Date: 03/22/2006 22:30:39
In NetBSD, the 802.11 hostap bridge has started inserting scope IDs into
link-local IPv6 addresses before retransmission.  The ICMP6 checksum on
the repeated packet is wrong.  A bridge shouldn't be rewriting packets,
anyway.

I suspect this is fallout from recent changes to scope-ID embedding.
ip6_input does not take sufficient care to avoid writing to unwritable
mbufs such as the shallow mbuf copy produced by the AP bridging code.
In particular, it does not call m_makewritable before embedding scope
IDs in the source and destination addresses with in6_setscope.

This packet trace illustrates the problem:

Packet received by AP:

13:05:19.170044 00:02:6f:20:f6:2e > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 70: fe80::202:6fff:fe20:f62e > ff02::1: [icmp6 sum ok] icmp6: echo request seq 1539 (len 16, hlim 64)

Repeated packet---notice the destination turned from ff02::1 to ff02:5::1:

13:05:19.170429 00:02:6f:20:f6:2e > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 70: fe80:5::202:6fff:fe20:f62e > ff02:5::1: [bad icmp6 cksum f5ff!] icmp6: echo request seq 1539 (len 16, hlim 64)

AP's reply:

13:05:19.170562 xx:yy:zz:20:44:12 > 00:02:6f:20:f6:2e, ethertype IPv6 (0x86dd), length 70: fe80::250:43ff:fe20:4412 > fe80::202:6fff:fe20:f62e: [icmp6 sum ok] icmp6: echo reply seq 1539 (len 16, hlim 64)

Dave

-- 
David Young             OJC Technologies
dyoung@ojctech.com      Urbana, IL * (217) 278-3933
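The following is an added illustration of the failure described in the post above; it is not code from the post or from the NetBSD sources. It builds the echo request from the trace (the addresses and sequence number are taken from the trace; the echo identifier and payload bytes are constructed), verifies its ICMPv6 checksum, then models in6_setscope() writing zone 5 into the second 16-bit word of the link-local source and multicast destination. When the bridge's shallow copy shares the packet bytes with the copy handed to ip6_input, the retransmitted packet inherits the rewrite and its checksum no longer verifies; taking a private copy first, as m_makewritable() would, leaves the bridged packet intact. The embed_scope() function is a simplified model, not NetBSD's in6_setscope().

```c
/*
 * Added example, not from the original post or NetBSD: shows why a scope ID
 * embedded into a shared (shallow-copied) packet breaks the bridged copy's
 * ICMPv6 checksum.  Addresses/seq from the trace; id and payload constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP6_LEN 16   /* "len 16" in the trace: 8-byte header + 8 data bytes */

struct pkt {
    uint8_t src[16];
    uint8_t dst[16];
    uint8_t icmp[ICMP6_LEN];
};

/* Big-endian 16-bit one's-complement accumulation. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    for (size_t i = 0; i + 1 < n; i += 2)
        acc += ((uint32_t)p[i] << 8) | p[i + 1];
    if (n & 1)
        acc += (uint32_t)p[n - 1] << 8;
    return acc;
}

static uint16_t fold(uint32_t s)
{
    while (s >> 16)
        s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* Receiver-side check over the IPv6 pseudo-header and the ICMPv6 message
 * (RFC 2460 section 8.1).  A residual of 0 means the checksum is ok. */
uint16_t icmp6_residual(const struct pkt *p)
{
    const uint8_t ph_tail[8] = { 0, 0, 0, ICMP6_LEN, 0, 0, 0, 58 }; /* length, next hdr */
    uint32_t s = 0;
    s = sum16(p->src, 16, s);
    s = sum16(p->dst, 16, s);
    s = sum16(ph_tail, 8, s);
    s = sum16(p->icmp, ICMP6_LEN, s);
    return (uint16_t)~fold(s);
}

/* fe80::202:6fff:fe20:f62e > ff02::1, echo request seq 1539, valid checksum. */
void build_echo_request(struct pkt *p)
{
    static const uint8_t src[16] = { 0xfe,0x80,0,0,0,0,0,0, 0x02,0x02,0x6f,0xff,0xfe,0x20,0xf6,0x2e };
    static const uint8_t dst[16] = { 0xff,0x02,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x01 };
    memset(p, 0, sizeof *p);
    memcpy(p->src, src, 16);
    memcpy(p->dst, dst, 16);
    p->icmp[0] = 128;                        /* ICMP6_ECHO_REQUEST, code 0 */
    p->icmp[4] = 0xab; p->icmp[5] = 0xcd;    /* identifier: constructed */
    p->icmp[6] = 0x06; p->icmp[7] = 0x03;    /* seq 1539 */
    memcpy(p->icmp + 8, "\x01\x02\x03\x04\x05\x06\x07\x08", 8); /* payload: constructed */
    uint16_t c = icmp6_residual(p);          /* cksum field is 0 here, so this is the checksum */
    p->icmp[2] = c >> 8;
    p->icmp[3] = c & 0xff;
}

/* Simplified model of in6_setscope(): for link-local unicast and for
 * interface-/link-local multicast the zone ID is written into the second
 * 16-bit word, so fe80::x becomes fe80:zone::x and ff02::1 becomes ff02:zone::1. */
void embed_scope(uint8_t a[16], uint16_t zone)
{
    int ll_unicast = a[0] == 0xfe && (a[1] & 0xc0) == 0x80;
    int ll_mcast   = a[0] == 0xff && ((a[1] & 0x0f) == 1 || (a[1] & 0x0f) == 2);
    if (ll_unicast || ll_mcast) {
        a[2] = zone >> 8;
        a[3] = zone & 0xff;
    }
}

/* What ip6_input does to the packet on its way up the stack (zone 5 as in the trace). */
static void ip6_input_embed(struct pkt *p, uint16_t zone)
{
    embed_scope(p->src, zone);
    embed_scope(p->dst, zone);
}

/* Buggy path: the bridge's shallow copy and the packet given to ip6_input
 * are the same bytes, so the retransmitted copy carries the rewrite. */
uint16_t bridge_residual_shared(void)
{
    struct pkt m;
    build_echo_request(&m);
    struct pkt *to_stack = &m, *to_bridge = &m;   /* aliasing, no data copy */
    ip6_input_embed(to_stack, 5);
    return icmp6_residual(to_bridge);
}

/* Fixed path: take a private, writable copy before any rewrite (the role
 * m_makewritable() plays), so the bridged packet is left untouched. */
uint16_t bridge_residual_private(void)
{
    struct pkt m, priv;
    build_echo_request(&m);
    priv = m;
    ip6_input_embed(&priv, 5);
    return icmp6_residual(&m);
}

int main(void)
{
    printf("bridged copy, shared mbuf:  residual 0x%04x\n", bridge_residual_shared());
    printf("bridged copy, private copy: residual 0x%04x\n", bridge_residual_private());
    return 0;
}
```

Both rewritten words go from 0 to 5, so the pseudo-header sum grows by 10 and the receiver's residual is the one's complement of 0x000a, i.e. 0xfff5 in network byte order. tcpdump sums native 16-bit words, so on a little-endian host it prints the same residual with the bytes swapped, "f5ff", which is exactly what the repeated packet in the trace shows.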