
Support NDP proxy
Status: In progress, Normal priority, Public, FEATURE REQUEST

Description

During testing of IPv6 NAT66 (NPT) a problem was discovered: the prefix translation itself behaves as expected, but the upstream cannot reply from its interface. The root cause is that VyOS cannot respond to NDP queries (Neighbor Solicitations) for the translated prefix. To support stateless NAT66 (NPT), an NDP proxy function is necessary.
The NDP proxy relies on the ndppd package.

NPTv6 in VyOS 1.2 has the same problem.

a)

Here are some examples

set service proxy-ndp interface <interface> prefix <prefix> mode static  # VyOS defaults to static. Valid values: "auto", "static" and "iface"
set service proxy-ndp interface <interface> prefix <prefix> iface <interface>  # Target interface; required when the mode is iface
set service proxy-ndp interface <interface> timeout 500  # Controls how long ndppd will wait for a Neighbor Advertisement message after forwarding a Neighbor Solicitation message according to the rule. This is in milliseconds, and the default value is 500
set service proxy-ndp interface <interface> ttl 30000  # This is in milliseconds, and the default value is 30000 (30 seconds)
set service proxy-ndp interface <interface> router <yes|no>  # Controls if ndppd should set the router bit when sending Neighbor Advertisement messages. The default value here is yes

b)

Here are some examples

set interface ethernet <interface> ipv6 proxy-ndp prefix <prefix> mode static  # VyOS defaults to static. Valid values: "auto", "static" and "iface"
set interface ethernet <interface> ipv6 proxy-ndp prefix <prefix> iface <interface>  # Target interface; required when the mode is iface
set interface ethernet <interface> ipv6 proxy-ndp timeout 500  # Controls how long ndppd will wait for a Neighbor Advertisement message after forwarding a Neighbor Solicitation message according to the rule. This is in milliseconds, and the default value is 500
set interface ethernet <interface> ipv6 proxy-ndp ttl 30000  # This is in milliseconds, and the default value is 30000 (30 seconds)
set interface ethernet <interface> ipv6 proxy-ndp router <yes|no>  # Controls if ndppd should set the router bit when sending Neighbor Advertisement messages. The default value here is yes

Still to be decided: which of the two plans to choose.

Document: https://manpages.debian.org/buster/ndppd/ndppd.conf.5.en.html
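As an added example (not code from this task or from VyOS), here is how the proposed proxy-ndp tree could be validated and rendered into an ndppd.conf, using the option names and defaults listed in the proposal above and the proxy/rule syntax from the ndppd.conf(5) manpage linked above. The interface names and prefixes are constructed sample values, and the dict stands in for the VyOS configuration backend that a real implementation would read.

```python
"""Validate the proposed 'service proxy-ndp' tree and render ndppd.conf.

Added example, not VyOS code. The dict layout mirrors the CLI proposal:
interface -> {timeout, ttl, router, prefix -> {mode, iface}}; defaults
(static, 500 ms, 30000 ms, router yes) are the ones the proposal lists.
"""
import ipaddress

VALID_MODES = ("static", "auto", "iface")
DEFAULTS = {"timeout": 500, "ttl": 30000, "router": "yes"}

# Constructed sample: eth0 is the upstream interface. The translated (NPT)
# prefix is not configured on any interface, so only 'static' makes ndppd
# answer for it; 'auto' would look for a route to the prefix and find none.
SAMPLE_CONFIG = {
    "eth0": {
        "timeout": 500,
        "ttl": 30000,
        "router": "yes",
        "prefix": {
            "2001:db8:ffff::/64": {"mode": "static"},
            "2001:db8:ffff:1::/64": {"mode": "iface", "iface": "eth1"},
        },
    },
}


def check_proxy_ndp(proxy_ndp):
    """Return a list of configuration errors (empty when the tree is valid)."""
    errors = []
    for ifname, cfg in proxy_ndp.items():
        if cfg.get("router", DEFAULTS["router"]) not in ("yes", "no"):
            errors.append(f"{ifname}: router must be yes or no")
        for key in ("timeout", "ttl"):
            try:
                if int(cfg.get(key, DEFAULTS[key])) <= 0:
                    raise ValueError
            except (TypeError, ValueError):
                errors.append(f"{ifname}: {key} must be a positive number of milliseconds")
        prefixes = cfg.get("prefix") or {}
        if not prefixes:
            errors.append(f"{ifname}: at least one prefix rule is required")
        for prefix, rule in prefixes.items():
            try:
                ipaddress.IPv6Network(prefix)  # strict: rejects prefixes with host bits set
            except ValueError:
                errors.append(f"{ifname}: {prefix!r} is not a valid IPv6 prefix")
            mode = rule.get("mode", "static")
            if mode not in VALID_MODES:
                errors.append(f"{ifname}: {prefix}: unknown mode {mode!r}")
            elif mode == "iface" and not rule.get("iface"):
                errors.append(f"{ifname}: {prefix}: mode iface requires an iface")
            elif mode != "iface" and rule.get("iface"):
                errors.append(f"{ifname}: {prefix}: iface is only valid with mode iface")
    return errors


def render_ndppd_conf(proxy_ndp):
    """Render the tree as ndppd.conf text; raise ValueError if it is invalid."""
    errors = check_proxy_ndp(proxy_ndp)
    if errors:
        raise ValueError("; ".join(errors))
    out = []
    for ifname in sorted(proxy_ndp):
        cfg = proxy_ndp[ifname]
        out.append(f"proxy {ifname} {{")
        out.append(f"    router {cfg.get('router', DEFAULTS['router'])}")
        out.append(f"    timeout {int(cfg.get('timeout', DEFAULTS['timeout']))}")
        out.append(f"    ttl {int(cfg.get('ttl', DEFAULTS['ttl']))}")
        rules = sorted(cfg["prefix"].items(),
                       key=lambda item: ipaddress.IPv6Network(item[0]))
        for prefix, rule in rules:
            mode = rule.get("mode", "static")
            action = f"iface {rule['iface']}" if mode == "iface" else mode
            out.append(f"    rule {ipaddress.IPv6Network(prefix).with_prefixlen} {{")
            out.append(f"        {action}")
            out.append("    }")
        out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_ndppd_conf(SAMPLE_CONFIG), end="")
```

The validation step is where a VyOS verify() stage would sit: it rejects a prefix with host bits set, an iface rule without a target interface, and a timeout or ttl that is not a positive millisecond count, before anything is written to disk.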

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)

Related Objects

Status | Subtype | Assigned | Task
In progress | FEATURE REQUEST | jack9603301 |
In progress | FEATURE REQUEST | jack9603301 |

Event Timeline

jack9603301 added a comment. (Edited) Sep 19 2020, 5:29 AM

> Being stateless or stateful, both should work. We can add a CLI node for the proxy.ndp option like we have for proxy ARP on IPv4, no big deal.

In T2518, you mentioned arp proxy, I want to know where the cli node is implemented?

jack9603301 updated the task description.
jack9603301 triaged this task as Normal priority.
c-po added a comment. (Edited) Sep 19 2020, 6:57 AM

set interfaces ethernet eth0 ip proxy-arp. Isn't the kernel sysctl interface enough? Do we really need a daemon?

jack9603301 added a comment. (Edited) Sep 19 2020, 7:15 AM

I think we do need it; we can't let users manage all the IPs manually unless we implement stateful NAT66.

Otherwise we may need to manually perform the following operations:

sysctl -w net.ipv6.conf.all.proxy_ndp=1
sudo ip -6 neigh add proxy 2001:xxxx:16:24::e686:9490 dev eth3

Please see T2518#75584

> set interfaces ethernet eth0 ip proxy-arp

The more suitable position may be set protocol ndp-proxy

I can't find how to enable IPv6 connection tracking. Recompiling and modifying the Linux kernel switch does not seem to get the module loaded. I think the current nat66 is about 90% complete, and only an NDP proxy needs to be implemented to make it work normally.

VyOS 1.2 seems to have the same problem.
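As an added example (not VyOS code and not part of the comment above), the kernel-only approach c-po asked about, expressed as a small Python helper: it turns a list of inside hosts into the sysctl and 'ip -6 neigh add proxy' commands that make the kernel answer solicitations for their translated addresses. It assumes the translation is a plain prefix swap between equal-length prefixes; all prefixes, hosts and the interface name are constructed sample values. What it shows is the point the comment makes: the kernel proxy wants one entry per address, so every translated host has to be known in advance, whereas ndppd can answer for a whole prefix with a single static rule.

```python
"""Kernel-only NDP proxy entries for a stateless NAT66 (NPT) mapping.

Added example, not VyOS code. It reproduces the manual workaround from
the comment above (net.ipv6.conf.all.proxy_ndp=1 plus one
'ip -6 neigh add proxy' per translated address) and assumes the
translation is a plain prefix swap between equal-length prefixes.
All prefixes, hosts and the interface name are constructed samples.
"""
import ipaddress

INSIDE_PREFIX = "2001:db8:1::/64"      # internal prefix behind the NPT router
OUTSIDE_PREFIX = "2001:db8:ffff::/64"  # translated prefix seen by the upstream
UPSTREAM_IF = "eth0"                   # interface on which solicitations arrive
INSIDE_HOSTS = ["2001:db8:1::10", "2001:db8:1::20", "2001:db8:1::e686:9490"]


def translate_prefix(addr, inside, outside):
    """Map an inside address to its outside address by swapping the prefix."""
    addr = ipaddress.IPv6Address(addr)
    inside = ipaddress.IPv6Network(inside)
    outside = ipaddress.IPv6Network(outside)
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("inside and outside prefixes must have the same length")
    if addr not in inside:
        raise ValueError(f"{addr} is not within {inside}")
    host_bits = int(addr) & int(inside.hostmask)
    return ipaddress.IPv6Address(int(outside.network_address) | host_bits)


def kernel_proxy_commands(hosts, inside, outside, dev):
    """Commands that make the kernel answer NS for each translated host.

    One 'ip -6 neigh add proxy' entry is needed per address: the kernel
    proxy table holds host addresses, not prefixes, which is why a daemon
    such as ndppd is wanted when a whole prefix must be proxied.
    """
    cmds = ["sysctl -w net.ipv6.conf.all.proxy_ndp=1"]
    for host in dict.fromkeys(hosts):  # keep order, drop duplicate hosts
        translated = translate_prefix(host, inside, outside)
        cmds.append(f"ip -6 neigh add proxy {translated} dev {dev}")
    return cmds


if __name__ == "__main__":
    for cmd in kernel_proxy_commands(INSIDE_HOSTS, INSIDE_PREFIX,
                                     OUTSIDE_PREFIX, UPSTREAM_IF):
        print(cmd)
```

One caveat when using this against a real translator: an NPTv6 implementation that follows RFC 6296 also adjusts one 16-bit word of the address so that transport checksums stay valid, so with such a translator the proxied addresses must be the checksum-adjusted ones rather than the plain prefix swap computed here.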

jack9603301 updated the task description. Sep 19 2020, 7:21 AM
jack9603301 changed the task status from Open to In progress. Sep 19 2020, 9:39 AM
jack9603301 updated the task description.
jack9603301 updated the task description. Sep 19 2020, 1:34 PM

> set interfaces ethernet eth0 ip proxy-arp
>
> The more suitable position may be set protocol ndp-proxy

I...really would like to not put it under "protocols" but to put it under the interface. It's *much* easier and more intuitive to see it under the interface/sub-interface than to see it in its own stanza under the "protocol" node.

Also, I'd argue it would be reasonable to separate ARP proxy and NDP proxy. That way one can pick and choose. Of course ARP proxy can't work without an IP address configured. NDP proxy can't be configured without an IPv6 address configured (those could be used as checks against configuring it on an empty interface).

If possible, give your suggested cli path for my reference

> > set interfaces ethernet eth0 ip proxy-arp
> >
> > The more suitable position may be set protocol ndp-proxy
>
> I...really would like to not put it under "protocols" but to put it under the interface. It's *much* easier and more intuitive to see it under the interface/sub-interface than to see it in its own stanza under the "protocol" node.
>
> Also, I'd argue it would be reasonable to separate ARP proxy and NDP proxy. That way one can pick and choose. Of course ARP proxy can't work without an IP address configured. NDP proxy can't be configured without an IPv6 address configured (those could be used as checks against configuring it on an empty interface).

Do you recommend the following method? @c-po seems to recommend this too:

set interfaces ethernet eth0 ipv6 proxy-ndp rules <rule> auto

Although I thought it would be easier to write the scripts under protocols, from an intuitive point of view this path is also a good choice (users can configure it with the same command line style as the ARP proxy). I have written a sample; now only the CLI modification needs to be decided.

No ARP proxy option with rules is found in the configuration path; the NDP proxy can manage multiple address rules under one interface.

vyos@vyos# set interfaces ethernet eth0 ip 
Possible completions:
   arp-cache-timeout
                ARP cache entry timeout in seconds
   disable-arp-filter
                Disable ARP filter on this interface
   enable-arp-accept
                Enable ARP accept on this interface
   enable-arp-announce
                Enable ARP announce on this interface
   enable-arp-ignore
                Enable ARP ignore on this interface
   enable-proxy-arp
                Enable proxy-arp on this interface
 > ospf         Open Shortest Path First (OSPF) parameters
   proxy-arp-pvlan
                Enable private VLAN proxy ARP on this interface
 > rip          Routing Information Protocol (RIP)
   source-validation
                Policy for source validation by reversed path, as specified in RFC3704
jack9603301 updated the task description. Sep 19 2020, 5:50 PM
jack9603301 updated the task description.

@Cheeze_It

I also took the specifics of the NDP proxy into account; the configuration format of the NDP proxy is as described in this link:

https://manpages.debian.org/buster/ndppd/ndppd.conf.5.en.html

> @Cheeze_It
>
> I also took the specifics of the NDP proxy into account; the configuration format of the NDP proxy is as described in this link:
>
> https://manpages.debian.org/buster/ndppd/ndppd.conf.5.en.html

I'll be honest, I personally don't have much of a problem with where it's put. I was just referencing how I remember it being configured on Junos.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/proxy-arp.html
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/ndp-dad-proxy.html

If the decision is made to put it under protocols, I'm ok with it. I was just trying to keep it consistent with a system that's already in place...

jack9603301 added a comment. (Edited) Sep 20 2020, 3:19 AM

@c-po If I want to add custom configuration actions (such as proxy NDP) to interface-ethernet.xml.in with some extensibility (so that its configuration can be extended in other places), what should I do?

jack9603301 updated the task description. Sep 21 2020, 5:58 AM
jack9603301 updated the task description.
jack9603301 updated the task description. Sep 21 2020, 6:41 AM
jack9603301 updated the task description. Sep 25 2020, 9:12 AM
jack9603301 added a comment. (Edited) Sun, Sep 27, 4:26 PM

@c-po I am thinking about a problem. Placing proxy-ndp under a child node of interface may generate redundant implementation code and is intrusive. In fact, proxy-ndp only needs one configuration file. Is this reasonable? I don't even know how to fully test whether the intrusive code affects the basic functions of the router.

Writing redundant and intrusive code for all interface types may introduce unknown errors (I can't guarantee 100% accuracy without testing).

jack9603301 updated the task description. Mon, Sep 28, 3:39 AM
jack9603301 updated the task description. Mon, Sep 28, 9:15 AM
jack9603301 updated the task description. Mon, Sep 28, 2:02 PM
jack9603301 updated the task description. Tue, Sep 29, 5:12 PM
jack9603301 updated the task description. Tue, Sep 29, 6:27 PM
jack9603301 updated the task description. Wed, Sep 30, 1:31 PM

Already basically ready to merge

c-po added a comment. Thu, Oct 1, 8:06 PM

Still wondering why ndp-proxy can not be part of the nat66 tree.
When a NAT66 translation is added we know the prefix (src and dst), the in/out-bound interface - so another CLI option (ndp-proxy) could probably be added to not open up an additional service node.

Can you please help to clarify this need of an individual node for us?

jack9603301 added a comment. (Edited) Fri, Oct 2, 2:22 AM

At this stage I can't implement automatic configuration of the NDP proxy. On the other hand, although I don't know what additional application scenarios there will be besides nat66, I hope to give full play to the potential of the NDP proxy, so I don't want to bind it to nat66 artificially.

After the nat66 merge is complete, I will add a switch to automatically generate and configure proxy-ndp when configuring nat66.

I'm thinking about the possibility of supporting automatic configuration, but if users need to, they can also configure it manually and independently instead of binding it to nat66.

There seems to be a separate NDP proxy option, at least on other devices.

Another advantage of this is that I can continue to explore whether VyOS 1.2 only needs an NDP proxy. If so, the NDP proxy can be enabled manually to make NPTv6 work (but from the packet capture I did not find that VyOS 1.2 actually performs the translation to NPT).