NDRD(8) System Manager's Manual NDRD(8)
NAME
ndrd Neighbor Discovery (ND) reflector daemon
SYNOPSIS
ndrd [-dmv] wan_if lan_if
DESCRIPTION
ndrd listens for a Neighbor Solicitation (NS) packet destined to its
subnet and immediately replies to it by sending a neighbor advertisement
(NA) packet. So ndrd works like ND proxies (RFC 4389) but does not check
the host presence. Thus it is a reflector.
ndrd aims to provide global IPv6 reachability to hosts behind an in an
IPv6 (RA with /64) router without NAT66 translation, as in the following
diagram:
+------------+ +---------+ +------+
| | IPv6 Wan | | Lan | |
Internet --+ ISP Router +-----------------+ OpenBSD +------+ Host |
| | RA with /64 | | | |
+------------+ +---------+ +------+
Proper proxies check the presence of the host corresponding to the NS
target address by sending an NS packet from the LAN interface. If they
receive a reply NA packet, then they proxy it to the original sender.
On the other hand, when ndrd receives an NS packet arriving WAN
interface, it consults the routing table checking the destination
interface of the NS target address. If the destination interface matches
the LAN interface, then ndrd sends an NA packet to the sender of the NS
packet.
The options are as follows:
-d Do not daemonize. That is, ndrd runs in the foreground and logs
to stderr.
-m Run in monitor mode. That is, ndrd receives NS packets but does
not send NA packets.
-v Produce more verbose output.
EXAMPLES
In the following, em0 is the WAN interface and em1 is the LAN interface.
WAN interface configuration /etc/hostname.em0:
inet6 eui64
!route add -inet6 default fe80::1%em0
LAN interface configuration /etc/hostname.em1:
inet6 2001:db8::1 64
Router advertisement daemon (rad) configuration /etc/rad.conf:
interface em1
Finally, configure and run ndrd with routing.
# sysctl net.inet6.ip6.forwarding=1
# rcctl enable ndrd
# rcctl set ndrd flags em0 em1
# rcctl start ndrd
Add the following pf(4) rule to suppress cannot forward message (see
CAVEATS ).
block in on em0 inet6 proto ipv6-icmp from fe80::/10 \
to 2000::/3 icmp6-type neighbrsol
SEE ALSO
bpf(4), hostname.if(5), pf.conf(5)
STANDARDS
T. Narten, E. Nordmark, W. Simpson, and H. Soliman, Neighbor Discovery
for IP version 6 (IPv6), RFC 4861, September 2007.
AUTHORS
Toru Mano
CAVEATS
Your dmesg or /var/log/messages will be filled up the following messages:
cannot forward src fe80::1, dst 2001:db8::1, nxt 58, rcvif 1, outif 2
This is because ISP routers periodically send NS packets to unicast
ethernet addresses (not multicast ethernet addresses) to update NDP
tables. When ndrd receives these packets, it replies with NA packets as
usual. At the same time, OpenBSD kernel tries to forward these NS
packets to a LAN interface. These NS packets have link-local source
addresses and global unicast destination addresses. In this case, the
scope of the source address is smaller than that of the destination. So,
the kernel refuses to forward these packets and logs messages like above.
Also, the kernel sends ICMP6 destination unreachable error with code 2
(beyond the scope of source address) to ISP routers to tell the error.
ISP routers possibly confuse by receiving NA replies and unreachable
errors at the same time.
One way to avoid those issues is to block such packets by adding the
following rule to pf.conf(5):
block in on em0 inet6 proto ipv6-icmp from fe80::/10 \
to 2000::/3 icmp6-type neighbrsol
Note this configuration does not affect ndrd behavior because ndrd uses
bpf(4) to receive packets, and bpf(4) works before pf(4).
OpenBSD 7.5 October 30, 2021 OpenBSD 7.5make
doas make install- OpenBSD amd64 7.0 or later
- FreeBSD kernel module for ND proxy
- Linux and FreeBSD daemons for ND proxy
- Linux daemon for ND proxy