Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IPv6 RS & NS packets (ICMPv6 type 133 & 135) create a loop in L2 MC-LAG scenario #1253

Closed
pliviu opened this issue Feb 3, 2023 · 6 comments
Closed

IPv6 RS & NS packets (ICMPv6 type 133 & 135) create a loop in L2 MC-LAG scenario #1253

pliviu opened this issue Feb 3, 2023 · 6 comments

Comments

@pliviu
Copy link

pliviu commented Feb 3, 2023
edited
Loading

Problem Summary:
A loop is created when an ICMPv6 router solicitation or neighbor solicitation packet is sent on an mclag L2 link (see the diagram attached).

Note:
Although the isolation group on Switch 2 / SONiC includes interface PO1, the v6 packet is sent back by Switch 2 / SONiC to L2 switch and create a loop (L2 switch sees on interface PO1 the exact same packet he sent). All the IPv4 broadcasts like ARPs are not sent back on PO1, only ICMPv6 router solicitation or neighbor solicitation packets.

Workaround:
Remove neigh_discovery from COPP_TRAP in /etc/sonic/copp_cfg.json. Apparently neigh_discovery packets are "copied" and that somehow bypass isolation group in L2 MC-LAG scenarios. There is no issue with IPv4 ARP packets.

        "arp": {
                "trap_ids": "arp_req,arp_resp,neigh_discovery",
                "trap_group": "queue4_group2",
                "always_enabled": "true"
        },
        
                    "queue4_group2": {
                "trap_action":"copy", <<<<<<<<<<< here

Diagram:
v6loop_topology
@venkatmahalingam
Copy link
Collaborator

@pliviu A loop is created when an ICMPv6 router solicitation or neighbor solicitation packet is sent on an mclag L2 link
Is this loop created due to ICMPv6 packets forwarding via L2 MC-LAG in kernel?

@pliviu
Copy link
Author

pliviu commented Feb 3, 2023
edited
Loading

I think so, because i see those ICMPv6 packets in kernel ... and because they are in kernel bypass isolation groups from asic (at least this is my assumption).

@pliviu pliviu mentioned this issue Feb 3, 2023
Merged
@venkatmahalingam
Copy link
Collaborator

venkatmahalingam commented Feb 3, 2023
edited
Loading

The above PR looks good to me, I believe, we just need to add ip6tables rules in the kernel to prevent forwarding the ICMP6 packets that are meant for CPU only.

@pliviu
Copy link
Author

pliviu commented Feb 3, 2023
edited
Loading

I'll give it a try and come back with a feedback:
sudo /sbin/ebtables -t filter -A FORWARD -p IPV6 --ip6-protocol ipv6-icmp --ip6-icmp-type 133:136/0 -j DROP
sudo /sbin/ebtables -A FORWARD -p 802_1Q --vlan-encap IPv6 -j DROP

@pliviu
Copy link
Author

pliviu commented Feb 3, 2023

Yes, the issue is solved with this rule only:
sudo /sbin/ebtables -A FORWARD -p 802_1Q --vlan-encap IPv6 -j DROP

@venkatmahalingam
Copy link
Collaborator

venkatmahalingam commented Feb 3, 2023
edited
Loading

Cool, forgot to mention about ebtables, the bridge/VLAN level forwarding should be controlled with ebtables only. Make sure we dont have any use-case for soft forwarding ICMPv6 packets at the kernel level especially a case with SONiC as VM instance.

@pliviu pliviu closed this as completed Feb 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pliviu @venkatmahalingam