Mailing List Archive

Link-local and ACLs
In practice Neighbor Discovery, and other critical protocols, need
link-local addresses to talk to other link-local addresses and some
multicast addresses.

Also, in theory a link-local address could talk to a GUA or ULA address on
the same link. However, in practice does this really happen? If it does
happen in practice what are circumstances?

Thanks

--
===============================================
David Farmer Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
Re: Link-local and ACLs [ In reply to ]
David Farmer wrote:
> Also, in theory a link-local address could talk to a GUA or ULA address
> on the same link. However, in practices does this really happen? If it
> does happen in practice what are circumstances?

will that packet not be dropped because a LL ipv6 packet won't be
routed? (MUST NOT in whatever rfc).

Nick
Re: Link-local and ACLs [ In reply to ]
Hi,

On Mon, Jul 24, 2017 at 12:46:04PM -0500, David Farmer wrote:
> In practice Neighbor Discovery, and other critical protocols, need
> link-local addresses to talk to other link-local addresses and some
> multicast addresses.
>
> Also, in theory a link-local address could talk to a GUA or ULA address on
> the same link. However, in practices does this really happen? If it does
> happen in practice what are circumstances?

"neighbor discovery"...

http://netcerts.net/ipv6-neighbor-discovery-protocol-ndp/

has details on "from what address to what address" for all the ICMPv6
types.

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Re: Link-local and ACLs [ In reply to ]
Hi,

On Mon, Jul 24, 2017 at 06:50:57PM +0100, Nick Hilliard wrote:
> David Farmer wrote:
> > Also, in theory a link-local address could talk to a GUA or ULA address
> > on the same link. However, in practices does this really happen? If it
> > does happen in practice what are circumstances?
>
> will that packet not be dropped because a LL ipv6 packet won't be
> routed? (MUST NOT in whatever rfc).

"on the same link"?

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Re: Link-local and ACLs [ In reply to ]
On Mon, Jul 24, 2017 at 05:51:37PM +0000, Goddess: Primal Chaos wrote:
> ### Do not reply below this line ###
>
> ---------------------------------------------------------------------------------
> Goddess: Primal Chaos | July 24, 2017 | 18:51 +0100
> ---------------------------------------------------------------------------------
>
> Dear player,

This has been remedied. You should see no further auto-replies from
them.


Best regards,
Daniel (list admin)
Re: Link-local and ACLs [ In reply to ]
On Mon, Jul 24, 2017 at 12:46 PM, David Farmer <farmer@umn.edu> wrote:

> In practice Neighbor Discovery, and other critical protocols, need
> link-local addresses to talk to other link-local addresses and some
> multicast addresses.
>
> Also, in theory a link-local address could talk to a GUA or ULA address on
> the same link. However, in practices does this really happen? If it does
> happen in practice what are circumstances?
>
> Thanks
>
> --
> ===============================================
> David Farmer Email:farmer@umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE Phone: 612-626-0815
> Minneapolis, MN 55414-3029 Cell: 612-812-9952
> ===============================================
>


Not quite 100% related, but I had an upstream provider put an artisanal
handcrafted IPv6 BCP38 ACL that didn't allow link-locals to talk to the
multicast range (or to the GUA on-link address possibly) on a port, and it
caused problems after a reboot I believe only. Things were able to keep
working for quite a while if I recall.


Theodore Baschak - AS395089 - Hextet Systems
https://bgp.guru/ - https://hextet.net/
http://mbix.ca/ - http://mbnog.ca/
Re: Link-local and ACLs [ In reply to ]
Gert Doering wrote:
> "on the same link"?

return traffic. Not much good in having unidirectional data flow.

Nick
Re: Link-local and ACLs [ In reply to ]
Hi,

On Mon, Jul 24, 2017 at 08:56:41PM +0100, Nick Hilliard wrote:
> Gert Doering wrote:
> > "on the same link"?
>
> return traffic. Not much good in having unidirectional data flow.

Even return traffic "on the same link" shouldn't be subject to "packets
with fe80 sources MUST NOT be routed"...

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Re: Link-local and ACLs [ In reply to ]
On 25/07/2017 05:46, David Farmer wrote:
> In practice Neighbor Discovery, and other critical protocols, need
> link-local addresses to talk to other link-local addresses and some
> multicast addresses.
>
> Also, in theory a link-local address could talk to a GUA or ULA address on
> the same link. However, in practices does this really happen? If it does
> happen in practice what are circumstances?

I assume you mean a case where the global scope address matches an
on-link prefix? Otherwise the packet is doomed anyway, since no
conforming router will forward it off-link. That doesn't need an ACL.

Also you must mean a case where RFC6724 is overridden, since otherwise
source address selection will prevent it happening (see the examples
in RFC6724 section 10).

So, I'm not aware of any realistic case where this happens, or any
reason for it. Or any harm that it would do, for an on-link prefix.

Brian
Re: Link-local and ACLs [ In reply to ]
* Brian E Carpenter

> So, I'm not aware of any realistic case where this happens, or any
> reason for it.

As Gert already pointed out: Neighbour Discovery.

A few examples from an IX near me:

23:06:11.020045 In IP6 fe80::8678:acff:fe66:80db > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
23:06:11.563763 In IP6 fe80::aa0c:dff:fe71:5768 > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
23:06:29.958824 In IP6 fe80::92e2:baff:fe3f:7665 > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
23:06:34.239488 In IP6 fe80::523d:e5ff:fe89:4ec4 > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
23:06:45.177659 In IP6 fe80::2c1:64ff:fe60:380 > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32

Tore
Re: Link-local and ACLs [ In reply to ]
On Mon, Jul 24, 2017 at 3:42 PM, Brian E Carpenter <
brian.e.carpenter@gmail.com> wrote:

> On 25/07/2017 05:46, David Farmer wrote:
> > In practice Neighbor Discovery, and other critical protocols, need
> > link-local addresses to talk to other link-local addresses and some
> > multicast addresses.
> >
> > Also, in theory a link-local address could talk to a GUA or ULA address on
> > the same link. However, in practices does this really happen? If it does
> > happen in practice what are circumstances?
>
> I assume you mean a case where the global scope address matches an
> on-link prefix? Otherwise the packet is doomed anyway, since no
> conforming router will forward it off-link. That doesn't need an ACL.
>
> Also you must mean a case where RFC6724 is overridden, since otherwise
> source address selection will prevent it happening (see the examples
> in RFC6724 section 10).
>
> So, I'm not aware of any realistic case where this happens, or any
> reason for it. Or any harm that it would do, for an on-link prefix.
>
> Brian
>

So, the nice summary in the link Gert sent, says;

Neighbor Solicitation (NS) Message

NS is ICMPv6 Type 135 and Code 0
Source address of the IPv6 Packet encapsulating the NS can be one of the two
1. IPv6 address of the originating interface
2. Unspecified address ::/0 (All Zeros) if the NS is sent for Duplicate
Address Detection
The destination address of NS can be one of the two
1. Solicited-Node Multicast Address corresponding to the target address
2. The Target address itself
note: Target address is the IPv6 address of the target of the solicitation
and is never a multicast address.
Options Field of the NS can contain the link-layer address of the interface
originating the NS

I think that means the Target address, and therefore the destination
address of the packet, could be a Link-Local, GUA, or ULA address, and the
source of the packet could be a Link-local address. When would a Neighbor
Solicitations not using the Solicited-Node Multicast Address normally
occur?

Thanks.



--
===============================================
David Farmer Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
Re: Link-local and ACLs [ In reply to ]
* David Farmer

> I think that means the Target address, and therefore the destination
> address of the packet, could be a Link-Local, GUA, or ULA address,
> and the source of the packet could be a Link-local address.

The source address could very well be GUA or ULA, too:

«If the source address of the packet prompting the solicitation is the
same as one of the addresses assigned to the outgoing interface, that
address SHOULD be placed in the IP Source Address of the outgoing
solicitation.»

https://tools.ietf.org/html/rfc4861#section-7.2.2

> When would a Neighbor Solicitations not using the Solicited-Node
> Multicast Address normally occur?

During NUD, at least:

«Upon entering the PROBE state, a node sends a unicast Neighbor
Solicitation message to the neighbor using the cached link-layer address.»

https://tools.ietf.org/html/rfc4861#section-7.3.3

Tore
Re: Link-local and ACLs [ In reply to ]
On 25/07/2017 09:10, Tore Anderson wrote:
> * Brian E Carpenter
>
>> So, I'm not aware of any realistic case where this happens, or any
>> reason for it.
>
> As Gert already pointed out: Neighbour Discovery.

Well yes, like ARP. But that's the exception that proves the
rule - you do it when that is really what you mean *and*
the target address is within an on-link prefix.

I can do it too, even from Windows:

ping -n 100 -S fe80::c0de:dead:beef:768e%11 2001:df0:0:2006:c0de:beef:dead:be83

Those addresses are obfuscated, but you get the idea, and
I see the ICMPv6 packets with Wireshark, but get no replies.

Why would you ever do it for normal traffic? And why
would ACLs be relevant for on-link traffic?

Brian

>
> A few examples from an IX near me:
>
> 23:06:11.020045 In IP6 fe80::8678:acff:fe66:80db > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
> 23:06:11.563763 In IP6 fe80::aa0c:dff:fe71:5768 > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
> 23:06:29.958824 In IP6 fe80::92e2:baff:fe3f:7665 > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
> 23:06:34.239488 In IP6 fe80::523d:e5ff:fe89:4ec4 > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
> 23:06:45.177659 In IP6 fe80::2c1:64ff:fe60:380 > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
>
> Tore
> .
>
Re: Link-local and ACLs [ In reply to ]
Hi,

On Mon, Jul 24, 2017 at 04:36:17PM -0500, David Farmer wrote:
> I think that means the Target address, and therefore the destination
> address of the packet, could be a Link-Local, GUA, or ULA address, and the
> source of the packet could be a Link-local address. When would a Neighbor
> Solicitations not using the Solicited-Node Multicast Address normally
> occur?

unicast refresh, as in "are you still there?", sending to a node that
is about to expire from ND cache

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Re: Link-local and ACLs [ In reply to ]
Hi,

On Tue, Jul 25, 2017 at 10:41:06AM +1200, Brian E Carpenter wrote:
> Why would you ever do it for normal traffic?

I'm not sure that was a question asked in this thread :-)

> And why would ACLs be relevant for on-link traffic?

Interface ACLs are relevant for all packets leaving or entering an
interface, generally...

So, to stay with Tore's example, if you want to make NDP work on an IXP,
you need to permit fe80->fe80, fe80->GUA, etc. in your ACLs - which ends
up needing quite a number of lines to cover all cases

#sh access-lists ipv6 internet-ipv6-in | inc icmp
20 permit icmpv6 fe80::/64 2001:7f8::/64 135 0
30 permit icmpv6 2001:7f8::/64 2001:7f8::/64 135 0 ttl eq 255
40 permit icmpv6 2001:7f8::/64 2001:7f8::/64 136 0 ttl eq 255
50 permit icmpv6 any ff02::/64 135 0
60 permit icmpv6 fe80::/64 fe80::/64 135 0
70 permit icmpv6 any fe80::/64 135 0
80 permit icmpv6 any fe80::/64 136 0
90 permit icmpv6 any host ff02::1 136 0
100 deny icmpv6 any any 135 log
110 deny icmpv6 any any 136 log

(Example for DECIX which uses 2001:7f8::/64 on-link)

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
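
Added example, not part of the thread or any poster's code: a first-match evaluator that runs Neighbor Discovery flows through the ICMPv6 lines of the ACL quoted above, next to a constructed ACL that permits ND only from link-local to link-local or multicast. The on-link prefix parameter, the naive ACL, the sample flows other than the captured line, and all hop-limit values are assumptions made for illustration.

```python
import ipaddress
import re

ANY = ipaddress.ip_network("::/0")

def net(s):
    return ANY if s == "any" else ipaddress.ip_network(s)

def rule(action, src, dst, icmp_type, hlim=None):
    """One ACL line; hlim models the 'ttl eq 255' match."""
    return (action, net(src), net(dst), icmp_type, hlim)

def ixp_acl(onlink):
    """Lines 20-110 of the quoted ACL, with the on-link prefix as a parameter."""
    return [
        rule("permit", "fe80::/64", onlink, 135),
        rule("permit", onlink, onlink, 135, 255),
        rule("permit", onlink, onlink, 136, 255),
        rule("permit", "any", "ff02::/64", 135),
        rule("permit", "fe80::/64", "fe80::/64", 135),
        rule("permit", "any", "fe80::/64", 135),
        rule("permit", "any", "fe80::/64", 136),
        rule("permit", "any", "ff02::1/128", 136),
        rule("deny", "any", "any", 135),
        rule("deny", "any", "any", 136),
    ]

def naive_acl():
    """Constructed contrast: ND only from link-local to link-local or multicast."""
    acl = [rule("permit", "fe80::/10", dst, t)
           for dst in ("fe80::/10", "ff02::/16") for t in (135, 136)]
    return acl + [rule("deny", "any", "any", 135), rule("deny", "any", "any", 136)]

def evaluate(acl, src, dst, icmp_type, hlim=255):
    """First matching line wins, as in an ordered interface ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet, rtype, rhlim in acl:
        if s in snet and d in dnet and icmp_type == rtype and rhlim in (None, hlim):
            return action
    return "no-match"

TCPDUMP = re.compile(r"IP6 (\S+) > (\S+): ICMP6, neighbor (solicitation|advertisement)")

def parse_tcpdump(line):
    """Extract (src, dst, ICMPv6 type) from a tcpdump ND line; None if not ND."""
    m = TCPDUMP.search(line)
    if not m:
        return None
    return m.group(1), m.group(2), 135 if m.group(3) == "solicitation" else 136

# First capture line from the thread; the /64 around its destination is assumed on-link.
CAPTURE = ("23:06:11.020045 In IP6 fe80::8678:acff:fe66:80db > 2001:7f8:12:1::3:9029: "
           "ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32")
ONLINK = "2001:7f8:12:1::/64"

# Constructed flows for the cases named in the thread. Hop limits are assumed,
# since the capture as printed does not show them.
FLOWS = {
    "captured NS, fe80 -> GUA": parse_tcpdump(CAPTURE) + (255,),
    "DAD NS, :: -> solicited-node": ("::", "ff02::1:ff03:9029", 135, 255),
    "NUD probe, GUA -> GUA": ("2001:7f8:12:1::1", "2001:7f8:12:1::3:9029", 135, 255),
    "same probe, hop limit 64": ("2001:7f8:12:1::1", "2001:7f8:12:1::3:9029", 135, 64),
    "NA, fe80 -> fe80": ("fe80::1", "fe80::2", 136, 255),
}

def compare():
    """Map each flow to (verdict under the quoted ACL, verdict under the naive ACL)."""
    full, naive = ixp_acl(ONLINK), naive_acl()
    return {name: (evaluate(full, *f), evaluate(naive, *f)) for name, f in FLOWS.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:30} quoted={verdicts[0]:7} naive={verdicts[1]}")
```

The naive ACL drops the captured link-local-to-GUA solicitation, the DAD solicitation from `::` and the unicast NUD probe, while the quoted ACL permits all three and still denies the GUA-to-GUA probe that arrives with a hop limit other than 255.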
Re: Link-local and ACLs [ In reply to ]
On 25/07/2017 19:07, Gert Doering wrote:
> Hi,
>
> On Tue, Jul 25, 2017 at 10:41:06AM +1200, Brian E Carpenter wrote:
>> Why would you ever do it for normal traffic?
>
> I'm not sure that was a question asked in this thread :-)
>
>> And why would ACLs be relevant for on-link traffic?
>
> Interface ACLs are relevant for all packets leaving or entering an
> interface, generally...

Yes, but why are they relevant except for routers? I didn't see
anything in the original message that limited its scope to routers.
Most nodes aren't routers. I don't expect to see ACLs on normal
hosts.

> So, to stay with Tore's example, if you want to make NDP work on an IXP,
> you need to permit fe80->fe80, fe80->GUA, etc. in your ACLs - which ends
> up needing quite a number of lines to cover all cases

Fair enough. IXPs are a bit of a special case, though.

Brian

>
> #sh access-lists ipv6 internet-ipv6-in | inc icmp
> 20 permit icmpv6 fe80::/64 2001:7f8::/64 135 0
> 30 permit icmpv6 2001:7f8::/64 2001:7f8::/64 135 0 ttl eq 255
> 40 permit icmpv6 2001:7f8::/64 2001:7f8::/64 136 0 ttl eq 255
> 50 permit icmpv6 any ff02::/64 135 0
> 60 permit icmpv6 fe80::/64 fe80::/64 135 0
> 70 permit icmpv6 any fe80::/64 135 0
> 80 permit icmpv6 any fe80::/64 136 0
> 90 permit icmpv6 any host ff02::1 136 0
> 100 deny icmpv6 any any 135 log
> 110 deny icmpv6 any any 136 log
>
> (Example for DECIX which uses 2001:7f8::/64 on-link)
>
> Gert Doering
> -- NetMaster
>
Re: Link-local and ACLs [ In reply to ]
Hi,

Thus wrote David Farmer (farmer@umn.edu):

> In practice Neighbor Discovery, and other critical protocols, need
> link-local addresses to talk to other link-local addresses and some
> multicast addresses.
>
> Also, in theory a link-local address could talk to a GUA or ULA address on
> the same link. However, in practices does this really happen? If it does
> happen in practice what are circumstances?

a) be logged in to a system only having a link-local address
b) access a service you know to be on-link by DNS name

I expect that to work. I'm not sure what you win by preventing it from
working.

I usually try to have "same link, same administration", so we may have
differing expectations on the trustworthiness of what is reachable via
link-local. Also, "if it doesn't have a routable address its attack
surface is drastically smaller".

regards,
spz
--
spz@serpens.de (S.P.Zeidler)
Re: Link-local and ACLs [ In reply to ]
Hi,

On Wed, Jul 26, 2017 at 08:48:43AM +1200, Brian E Carpenter wrote:
> >> And why would ACLs be relevant for on-link traffic?
> >
> > Interface ACLs are relevant for all packets leaving or entering an
> > interface, generally...
>
> Yes, but why are they relevant except for routers? I didn't see
> anything in the original message that limited its scope to routers.
> Most nodes aren't routers. I don't expect to see ACLs on normal
> hosts.

All my hosts that are in some way Internet exposed have ACLs of
some sort - call it "Windows firewall" or "FreeBSD pf(4)".

Usually these implicitly understand what is needed to make ND work,
but I've heard more than once about cases where Linux people blocked
"everything on input except tcp/80" with ip6tables, killing ND in the
process -> bam, machine fell off the net, IPv6 gone.

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Re: Link-local and ACLs [ In reply to ]
Brian E Carpenter wrote:
> On 25/07/2017 19:07, Gert Doering wrote:
> > So, to stay with Tore's example, if you want to make NDP work on an IXP,
> > you need to permit fe80->fe80, fe80->GUA, etc. in your ACLs - which ends
> > up needing quite a number of lines to cover all cases
>
> Fair enough. IXPs are a bit of a special case, though.

sorta and sorta not. An ACL appropriate for an IXP would provide a
template to cover pretty much most use cases, which would then be
directly relevant to other specific cases like having a point-to-point
connection between router A and router B and so forth.

Nick