npd6 - Neighbor Proxy Daemon IPv6

A Linux daemon to provide a proxy service for IPv6 Neighbor Solicitations received by a gateway routing device.

Update 28 Feb 2012: After a pause to change jobs (damn work gets in the way of fun stuff) I'm now getting back to npd6. Clearing the (modest!) bugs which have queued up and generally tweaking a bit. New version by mid-March at very latest, hopefully before.

See http://www.ipsidixit.net/2011/06/08/ipv6-neighbor-proxy-daemon-npd6/

Background

IPv6 is, finally, becoming a reality. The standards and a lot of software have been around for many years now (all major OSs have had IPv6 support for ages), but now it's appearing in the enterprise and the home.

My ISP (free.fr - a major ISP in France) offers a full IPv6 service to all ADSL subscribers. They allocate a 64-bit IPv6 prefix and let you use it as you wish.

Like many, I use a Linux server/router/firewall box as the hub of my home network. It has two network connections: one to the Internet (the ISP) and the other to all the many and varied devices we use at home.

Let's call my ISP-assigned 64-bit prefix P, and the devices inside my network S1, S2, etc. When a connection comes in from the Internet for, say, P+S1, the ISP knows from the prefix part that it is potentially sitting behind my line (where else could it be?). But rather than simply forwarding anything with my fixed prefix to me regardless (which I wish they would!), they insist we go through the following sequence:

  • they send me a Neighbor Solicitation for P+S1
  • my gateway must respond with a Neighbor Advertisement

Until this has taken place, the traffic will not flow. Of course, this system is not entirely without merit for the subscriber: it allows me to offload protection from DoS attacks, for example, to my ISP.

Linux IPv6

There's a big, gaping, glaring hole in Linux's IPv6 support, at least as it relates to this sort of situation. For a Linux device acting as a router (as a gateway does by definition), the inside devices must be statically configured into the box before it will respond to Neighbor Solicitations on their behalf. And that's really not nice! Why?

  1. Typically, IPv6 addresses will be allocated by devices in an entirely non-static way. So knowing what addresses are in use in your private net is a non-trivial task to start with.
  2. Configuring them in is fiddly, and a maintenance nightmare.
  3. It doesn't scale. If you had a couple of IPv6 devices in the home-net, well maybe. But what happens when you have a few dozen? And their addresses change? And you have guest devices appearing and disappearing?
  4. Linux support is still primitive, even for a static config. For example, you can configure IPv6 addresses for which we must act as a Neighbor Proxy, but, currently, you cannot inspect them to check. (No one believes this when they first hear it...)

Solution

What such a situation needs, at its simplest, is for the gateway device to act as a simple proxy, answering Neighbor Solicitations for (potentially) any address with the assigned 64-bit prefix. In the simplest form I want my gateway, if it receives a Neighbor Solicitation for any address that starts with the prefix, to reply with a Neighbor Advertisement, irrespective of whether or not that device actually exists on my net: let the traffic arrive and have the normal routing mechanisms decide whether they can actually forward it.

And thus npd6 was born. There's more to it, of course, than that simple description. But, in essence, that's what npd6 does - answer Neighbor Solicitations for (potentially) any address with a defined prefix with a Neighbor Advertisement.
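The NS/NA exchange described under Background and the prefix-match decision described in this section, shown as an added example in C. This is not code from the npd6 project: it validates a constructed Neighbor Solicitation, decides whether the target falls under the configured /64 (honouring an optional blacklist, since the feature list mentions one), and builds the matching Neighbor Advertisement with its pseudo-header checksum. The prefix (from the RFC 3849 documentation range), the gateway MAC and the link-local addresses are constructed placeholders, and sending the result over a raw ICMPv6 socket on the WAN interface is left out.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* ICMPv6 Neighbor Discovery constants (RFC 4861) */
#define ND_NEIGHBOR_SOLICIT  135
#define ND_NEIGHBOR_ADVERT   136
#define ND_OPT_TARGET_LLADDR 2
#define NA_FLAG_ROUTER       0x80
#define NA_FLAG_SOLICITED    0x40
#define NS_HDR_LEN 24   /* type, code, checksum(2), reserved(4), target(16) */
#define NA_LEN     32   /* NS_HDR_LEN plus one 8-byte target link-layer option */

/* Constructed values, not from npd6: prefix P from the RFC 3849 documentation
   range, a gateway MAC, link-local addresses of the gateway and the ISP router */
static const uint8_t PREFIX[8]   = {0x20,0x01,0x0d,0xb8,0x00,0x01,0x00,0x02};
static const uint8_t GW_MAC[6]   = {0x02,0x00,0x5e,0x00,0x53,0x01};
static const uint8_t GW_LLA[16]  = {0xfe,0x80,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x01};
static const uint8_t ISP_LLA[16] = {0xfe,0x80,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x02};
/* Constructed NS from the ISP for P+S1 (2001:db8:1:2::1) with a source
   link-layer address option (type 1, length 1) */
static const uint8_t SAMPLE_NS[32] = {
    ND_NEIGHBOR_SOLICIT,0, 0,0, 0,0,0,0,
    0x20,0x01,0x0d,0xb8,0x00,0x01,0x00,0x02, 0,0,0,0,0,0,0,0x01,
    1,1, 0x02,0x00,0x5e,0x00,0x53,0xff };

/* Validate a received NS and copy out its target. Returns 1 on success, 0 if
   the message is malformed and must be dropped rather than answered. */
int parse_ns(const uint8_t *pkt, size_t len, uint8_t target[16])
{
    if (len < NS_HDR_LEN) return 0;
    if (pkt[0] != ND_NEIGHBOR_SOLICIT || pkt[1] != 0) return 0;
    /* Options are 8-byte multiples with a non-zero length (RFC 4861 4.6);
       a zero or oversized length must not loop forever or overrun the buffer */
    for (size_t off = NS_HDR_LEN; off < len; ) {
        if (len - off < 2) return 0;
        size_t olen = (size_t)pkt[off + 1] * 8;
        if (olen == 0 || olen > len - off) return 0;
        off += olen;
    }
    memcpy(target, pkt + 8, 16);
    return 1;
}

/* Proxy decision: answer for any target under the configured /64, except
   those in a blacklist of nblack consecutive 16-byte addresses */
int should_proxy(const uint8_t target[16], const uint8_t prefix[8],
                 const uint8_t *blacklist, size_t nblack)
{
    if (memcmp(target, prefix, 8) != 0) return 0;
    for (size_t i = 0; i < nblack; i++)
        if (memcmp(target, blacklist + 16 * i, 16) == 0) return 0;
    return 1;
}

/* RFC 1071 checksum over the IPv6 pseudo-header and the ICMPv6 message */
uint16_t icmp6_checksum(const uint8_t src[16], const uint8_t dst[16],
                        const uint8_t *body, size_t len)
{
    uint32_t sum = 0;
    for (int i = 0; i < 16; i += 2) sum += (src[i] << 8) | src[i + 1];
    for (int i = 0; i < 16; i += 2) sum += (dst[i] << 8) | dst[i + 1];
    sum += (uint32_t)len;   /* upper-layer length */
    sum += 58;              /* next header: ICMPv6 */
    for (size_t i = 0; i + 1 < len; i += 2) sum += (body[i] << 8) | body[i + 1];
    if (len & 1) sum += body[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build the NA answering the NS. Router and Solicited are set; Override is
   left clear, as RFC 4861 7.2.8 recommends for proxies, so a host that really
   does hold the address can still win the neighbor cache entry. */
size_t build_na(const uint8_t target[16], const uint8_t mac[6],
                const uint8_t src[16], const uint8_t dst[16], uint8_t out[NA_LEN])
{
    memset(out, 0, NA_LEN);
    out[0] = ND_NEIGHBOR_ADVERT;
    out[4] = NA_FLAG_ROUTER | NA_FLAG_SOLICITED;
    memcpy(out + 8, target, 16);
    out[24] = ND_OPT_TARGET_LLADDR;
    out[25] = 1;                      /* option length in 8-byte units */
    memcpy(out + 26, mac, 6);
    uint16_t ck = icmp6_checksum(src, dst, out, NA_LEN);
    out[2] = ck >> 8; out[3] = ck & 0xff;
    return NA_LEN;
}

/* End to end: parse the sample NS, decide, build the NA, re-verify its checksum.
   Returns NA_LEN on success, 0 if the NS was not proxied, -1 on checksum error. */
int proxy_example(uint8_t na[NA_LEN])
{
    uint8_t target[16];
    if (!parse_ns(SAMPLE_NS, sizeof SAMPLE_NS, target)) return 0;
    if (!should_proxy(target, PREFIX, NULL, 0)) return 0;
    build_na(target, GW_MAC, GW_LLA, ISP_LLA, na);
    /* a message with its checksum filled in sums to zero when re-checked */
    return icmp6_checksum(GW_LLA, ISP_LLA, na, NA_LEN) == 0 ? NA_LEN : -1;
}

int main(void)
{
    uint8_t na[NA_LEN];
    int n = proxy_example(na);
    if (n != NA_LEN) { fprintf(stderr, "NS not answered (%d)\n", n); return 1; }
    printf("NA to send (%d bytes):", n);
    for (int i = 0; i < n; i++) printf(" %02x", na[i]);
    printf("\n");
    return 0;
}
```

Two design points matter for a daemon that sits on the WAN side of a gateway. Malformed solicitations are dropped, not answered, so an option with a zero length field cannot stall or overrun the parser. And the advertisement is sent without the Override flag, which keeps the proxy from displacing a real host's own entry in the ISP router's neighbor cache. On Linux a raw ICMPv6 socket fills in the checksum itself; computing it here simply lets the message be checked offline.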

Key features

At the time of writing, npd6 is in a fairly advanced, usable state. Key aspects and features include:

  • Extensive optional debug output.
  • Very low usage of CPU and memory.
  • Logging to a file, or stdout/stderr or via syslog.
  • Ability to log a record of targets received.
  • Config via a text file.
  • Blacklisting or whitelisting if required.
  • and more...

If folks out there would like to make use of it, do tell me how you get on. Report the bugs. Ask for features. Tell me how to make it better. Even if you're not a coder, I want to hear from you. And of course if you are a coder... submit those patches!
