On Wed, Aug 07, 2013 at 01:58:42PM +1000, Rod Whitworth wrote:
> I logged in to an OpenBGPd router which I maintain remotely as I needed to
> check something from dmesg.
>
> The command "dmesg|less" resulted in 150 lines, none of which was what I
> expected to see.
>
> Here are some samples:
> cannot forward src fe80:0005::0420:77e7:f6bf:3550, dst 2406:a000::0006:0d08,
> nxt 6, rcvif sis0, outif vr1
> cannot forward src fe80:0005::92f6:52ff:fe02:4734, dst 2406:a000::0005, nxt
> 17, rcvif sis0, outif vr1
> cannot forward src fe80:0005::0420:77e7:f6bf:3550, dst 2406:a000::0006:0d08,
> nxt 17, rcvif sis0, outif vr1
> cannot forward src fe80:0005::0224:21ff:fe29:eaca, dst 2406:a000::0005, nxt
> 17, rcvif sis0, outif vr1
>
> The link-local address of the rcvif is inet6 fe80::200:24ff:feca:3ad4%sis0
> prefixlen 64 scopeid 0x5
> so it isn't involved.
>
> Furthermore the bgpd.conf ends with:
> deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast
> deny from any prefix fec0::/10 prefixlen >= 10 # old site local
> unicast
> deny from any prefix ff00::/8 prefixlen >= 8 # multicast
> #EOF
>
> Simple(?) question first: Why is traffic coming via a transit provider
> getting past the link-local filter rule?
>
> Secondly what do the "nxt 6" and "nxt 17" mean?
>

This is from the network stack, it does not mean that bgpd added routes for
this. For that you should check bgpctl show rib, bgpctl show fib and route(8)
output. The problem here is that somebody on sis0 is sending you packets using
link local addresses as source IP to a global IP as destination. This is not
allowed since there is no way to send packets back. So if sis0 is upstream
then something is seriously wrong on that upstream.

<necessary IPv6 rant>
All went to shit when they added link local addressing to IPv6 in the ivory
tower. All this because DHCP was considered bad. So we ended up with this mess
that is worse by at least 50dB.
</rant>

--
:wq Claudio
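
An added example, not part of the original thread: a small Python triage script for the "cannot forward" dmesg lines quoted above. It decodes `nxt` as the IPv6 Next Header value (IANA protocol numbers: 6 is TCP, 17 is UDP) and counts link-local sources sending to global destinations per receive interface. The names `parse` and `offenders` are hypothetical, the third sample line is constructed, and the `scope_id` field assumes the KAME convention of storing the interface index in the second 16-bit word of a link-local address.

```python
import ipaddress
import re

# Two dmesg lines from the thread (unwrapped) plus one constructed line
# with a documentation-prefix source, for contrast.
SAMPLE = """\
cannot forward src fe80:0005::0420:77e7:f6bf:3550, dst 2406:a000::0006:0d08, nxt 6, rcvif sis0, outif vr1
cannot forward src fe80:0005::92f6:52ff:fe02:4734, dst 2406:a000::0005, nxt 17, rcvif sis0, outif vr1
cannot forward src 2001:db8::1, dst 2406:a000::0005, nxt 58, rcvif sis0, outif vr1
"""

LINE_RE = re.compile(
    r"cannot forward src (?P<src>[0-9a-f:]+), dst (?P<dst>[0-9a-f:]+), "
    r"nxt (?P<nxt>\d+), rcvif (?P<rcvif>\w+), outif (?P<outif>\w+)")

# IANA protocol numbers as carried in the IPv6 Next Header field.
NEXT_HEADER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src = ipaddress.IPv6Address(m["src"])
    dst = ipaddress.IPv6Address(m["dst"])
    nxt = int(m["nxt"])
    return {
        "src": src, "dst": dst, "rcvif": m["rcvif"], "outif": m["outif"],
        "proto": NEXT_HEADER.get(nxt, f"protocol {nxt}"),
        # Assumption: KAME-style embedded scope in bits 111..96.
        "scope_id": (int(src) >> 96) & 0xFFFF if src in LINK_LOCAL else None,
        # A link-local source cannot be replied to from off-link.
        "scope_violation": src in LINK_LOCAL and dst in GLOBAL_UNICAST,
    }


def offenders(text):
    """Count scope-violating packets per (receive interface, source)."""
    counts = {}
    for rec in filter(None, map(parse, text.splitlines())):
        if rec["scope_violation"]:
            key = (rec["rcvif"], str(rec["src"]))
            counts[key] = counts.get(key, 0) + 1
    return counts
```

On the sample, both thread lines are flagged on sis0 with an embedded scope of 5, which matches the `scopeid 0x5` shown for sis0 in the quoted ifconfig output.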

