No match on ICMPv6 packets

  • 2 Replies
  • 199 Views
*

scheffler

  • Newbie
  • *
  • 2
    • View Profile
No match on ICMPv6 packets
« on: December 20, 2018, 11:20:27 PM »
We are currently developing a RYU app that tries to protect the local network from IPv6 ND attacks.
For this, we install flows on the switch that send specific ICMPv6 messages to the controller. The app is working on a commercial OF-switch (Edgecore 4610), but not on the Zodiac FX.

The Zodiac FX always matches the generic flow that catches unknown destinations and never the higher prioritised ICMPv6-rules.

I have included some of the debug (trace) output.
Any help would be greatly appreciated!

Regards,
Thomas

Matching:
of_helper.c: Looking for match in table 0 from port 1 : 00:21:86:94:31:6E -> 33:33:FF:94:31:6E - eth type 86DD - VLAN ID 0
openflow_13.c: Matched flow 1, table 0

Flow-install
openflow_13.c: 3396764709: OpenFlow message received type = 14
openflow_13.c: Allocating 56 bytes at 0x20003360 for flow mode in flow 1
openflow_13.c: Allocating 24 bytes at 0x20001b60 for instruction field in flow 1
openflow_13.c: New flow added at 2 into table 0 : priority 0 : cookie 0x0

openflow.c: Processing 104 byte OpenFlow message 3396764711 (104)
openflow_13.c: 3396764711: OpenFlow message received type = 14
openflow_13.c: Allocating 56 bytes at 0x200033d0 for flow mode in flow 2
openflow_13.c: Allocating 16 bytes at 0x20001360 for match field in flow 2
openflow_13.c: Allocating 32 bytes at 0x20003408 for instruction field in flow 2
openflow_13.c: New flow added at 3 into table 0 : priority 10 : cookie 0x85

openflow.c: Processing 104 byte OpenFlow message 3396764712 (104)
openflow_13.c: 3396764712: OpenFlow message received type = 14
openflow_13.c: Allocating 56 bytes at 0x20003440 for flow mode in flow 3
openflow_13.c: Allocating 16 bytes at 0x20001370 for match field in flow 3
openflow_13.c: Allocating 32 bytes at 0x20003478 for instruction field in flow 3
openflow_13.c: New flow added at 4 into table 0 : priority 10 : cookie 0x86

openflow.c: Processing 104 byte OpenFlow message 3396764713 (104)
openflow_13.c: 3396764713: OpenFlow message received type = 14
openflow_13.c: Allocating 56 bytes at 0x200034b0 for flow mode in flow 4
openflow_13.c: Allocating 16 bytes at 0x20001380 for match field in flow 4
openflow_13.c: Allocating 32 bytes at 0x200034e8 for instruction field in flow 4
openflow_13.c: New flow added at 5 into table 0 : priority 10 : cookie 0x87

openflow.c: Processing 104 byte OpenFlow message 3396764714 (104)
openflow_13.c: 3396764714: OpenFlow message received type = 14
openflow_13.c: Allocating 56 bytes at 0x20003520 for flow mode in flow 5
openflow_13.c: Allocating 16 bytes at 0x20001390 for match field in flow 5
openflow_13.c: Allocating 32 bytes at 0x20003558 for instruction field in flow 5
openflow_13.c: New flow added at 6 into table 0 : priority 10 : cookie 0x88

openflow.c: Processing 104 byte OpenFlow message 3396764715 (104)
openflow_13.c: 3396764715: OpenFlow message received type = 14
openflow_13.c: Allocating 56 bytes at 0x20003590 for flow mode in flow 6
openflow_13.c: Allocating 16 bytes at 0x200013a0 for match field in flow 6
openflow_13.c: Allocating 32 bytes at 0x200035c8 for instruction field in flow 6
openflow_13.c: New flow added at 7 into table 0 : priority 10 : cookie 0x89

Zodiac_FX(openflow)# show flows
-------------------------------------------------------------------------

Flow 1
 Match:
 Attributes:
  Table ID: 0                           Cookie:0x0
  Priority: 0                           Duration: 1755 secs
  Hard Timeout: 0 secs                  Idle Timeout: 0 secs
  Byte Count: 6061                      Packet Count: 45
  Last Match: 00:28:01
 Instructions:
  Apply Actions:
   Output: CONTROLLER

Flow 2
 Match:
  ETH Type: IPv6
 Attributes:
  Table ID: 0                           Cookie:0x85
  Priority: 10                          Duration: 1755 secs
  Hard Timeout: 0 secs                  Idle Timeout: 0 secs
  Byte Count: 0                 Packet Count: 0
  Last Match: 00:29:15
 Instructions:
  Meter: 1
  Apply Actions:
   Output: CONTROLLER

Flow 3
 Match:
  ETH Type: IPv6
 Attributes:
  Table ID: 0                           Cookie:0x86
  Priority: 10                          Duration: 1755 secs
  Hard Timeout: 0 secs                  Idle Timeout: 0 secs
  Byte Count: 0                 Packet Count: 0
  Last Match: 00:29:15
 Instructions:
  Meter: 1
  Apply Actions:
   Output: CONTROLLER

Flow 4
 Match:
  ETH Type: IPv6
 Attributes:
  Table ID: 0                           Cookie:0x87
  Priority: 10                          Duration: 1755 secs
  Hard Timeout: 0 secs                  Idle Timeout: 0 secs
  Byte Count: 0                 Packet Count: 0
  Last Match: 00:29:15
 Instructions:
  Meter: 1
  Apply Actions:
   Output: CONTROLLER

Flow 5
 Match:
  ETH Type: IPv6
 Attributes:
  Table ID: 0                           Cookie:0x88
  Priority: 10                          Duration: 1755 secs
  Hard Timeout: 0 secs                  Idle Timeout: 0 secs
  Byte Count: 0                 Packet Count: 0
  Last Match: 00:29:15
 Instructions:
  Meter: 1
  Apply Actions:
   Output: CONTROLLER

Flow 6
 Match:
  ETH Type: IPv6
 Attributes:
  Table ID: 0                           Cookie:0x89
  Priority: 10                          Duration: 1755 secs
  Hard Timeout: 0 secs                  Idle Timeout: 0 secs
  Byte Count: 0                 Packet Count: 0
  Last Match: 00:29:15
 Instructions:
  Meter: 1
  Apply Actions:
   Output: CONTROLLER

*

Paul Zanna

  • Moderator
  • Sr. Member
  • *****
  • 364
    • View Profile
    • Northbound Networks
Re: No match on ICMPv6 packets
« Reply #1 on: December 21, 2018, 07:07:22 AM »
Hi Thomas,

The Zodiac FX doesn't support matching on IPv6 packets.

Regards,
Paul

*

scheffler

  • Newbie
  • *
  • 2
    • View Profile
Re: No match on ICMPv6 packets
« Reply #2 on: December 21, 2018, 09:19:51 AM »
Hi Thomas,

The Zodiac FX doesn't support matching on IPv6 packets.

Regards,
Paul

Hi Paul,

thank you for your quick reply, but that is not the answer I was hoping for  :'(.

I am wondering what is missing. I had a quick look at the code at Github and could not make out the reason this is not supported. Is it 'just' a missing OXM_OF_ICMPV6 case in flowmatch13()?
Because I saw some ICMPv6 related code in match_prereq() and field_match13()...

I am very sad that you had to close down Northbound Networks. I was planning to get some more of your gear in 2019. It is just ideal for class-room use (small, inexpensive, noise-free, batteries included).

Regards,
Thomas