ICMPv6: Recognise ND option 14 (Nonce)

This option has been observed to be included in neighbour solicitations sent by Linux kernel when `conf/*/enhanced_dad` is enabled on the relevant network interface. It looks like it appeared in the linked kernel commit. In accordance with RFC 7527, a nonce can help distinguish valid DAD NS messages in the presence of Ethernet loopbacks: after a DAD probe is sent on the network, if an NS is received with the same nonce it is considered looped back and ignored. We implement the printer for this option and add a simple test with 3 different verbosity levels. Link: torvalds/linux@adc176c Link: https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-5
the-tcpdump-group · Feb 15, 2024 · 8c6d464 · 8c6d464
1 parent 20cc86f
commit 8c6d464
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 0 deletions.
diff --git a/print-icmp6.c b/print-icmp6.c
@@ -283,6 +283,7 @@ struct nd_opt_hdr {		/* Neighbor discovery option header */
 #define ND_OPT_MTU			5
 #define ND_OPT_ADVINTERVAL		7
 #define ND_OPT_HOMEAGENT_INFO		8
+#define ND_OPT_NONCE			14
 #define ND_OPT_ROUTE_INFO		24	/* RFC4191 */
 #define ND_OPT_RDNSS			25
 #define ND_OPT_DNSSL			31
@@ -712,6 +713,7 @@ static const struct tok icmp6_opt_values[] = {
    { ND_OPT_DNSSL, "dnssl"},
    { ND_OPT_ADVINTERVAL, "advertisement interval"},
    { ND_OPT_HOMEAGENT_INFO, "homeagent information"},
+   { ND_OPT_NONCE, "nonce"},
    { ND_OPT_ROUTE_INFO, "route info"},
    { 0,	NULL }
 };
@@ -753,6 +755,18 @@ get_lifetime(uint32_t v)
 	}
 }
 
+static void
+print_opaque_data(netdissect_options *ndo, const uint8_t *p, size_t l)
+{
+	if (l > 0)
+		ND_PRINT("0x");
+	while (l > 0) {
+		ND_PRINT("%02x", GET_U_1(p));
+		p++;
+		l--;
+	}
+}
+
 static void
 print_lladdr(netdissect_options *ndo, const uint8_t *p, size_t l)
 {
@@ -1473,6 +1487,10 @@ icmp6_opt_print(netdissect_options *ndo, const u_char *bp, int resid)
                                   GET_BE_U_2(oph->nd_opt_hai_preference),
                                   GET_BE_U_2(oph->nd_opt_hai_lifetime));
 			break;
+		case ND_OPT_NONCE:
+			l = (opt_len << 3) - 2;
+			print_opaque_data(ndo, cp + 2, l);
+			break;
 		case ND_OPT_ROUTE_INFO:
 			opri = (const struct nd_opt_route_info *)op;
 			ND_TCHECK_4(opri->nd_opt_rti_lifetime);

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -224,6 +224,9 @@ icmpv6-rfc7112	icmpv6-rfc7112.pcap	icmpv6-rfc7112.out
 icmpv6-RFC2894-RR icmpv6-RFC2894-RR.pcap icmpv6-RFC2894-RR.out
 icmpv6-RFC2894-RR-v icmpv6-RFC2894-RR.pcap icmpv6-RFC2894-RR-v.out -v
 icmpv6-ni-flags	icmpv6-ni-flags.pcap	icmpv6-ni-flags.out
+icmpv6-ns-nonce-v0	icmpv6-ns-nonce.pcap	icmpv6-ns-nonce-v0.out
+icmpv6-ns-nonce-v1	icmpv6-ns-nonce.pcap	icmpv6-ns-nonce-v1.out	-v
+icmpv6-ns-nonce-v2	icmpv6-ns-nonce.pcap	icmpv6-ns-nonce-v2.out	-vv
 
 # SPB tests
 spb	            spb.pcap	            spb.out

diff --git a/tests/icmpv6-ns-nonce-v0.out b/tests/icmpv6-ns-nonce-v0.out
@@ -0,0 +1 @@
+    1  11:07:31.663323 IP6 :: > ff02::1:ffe1:f: ICMP6, neighbor solicitation, who has fe80::546f:f7ff:fee1:f, length 32
diff --git a/tests/icmpv6-ns-nonce-v1.out b/tests/icmpv6-ns-nonce-v1.out
@@ -0,0 +1,2 @@
+    1  11:07:31.663323 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) :: > ff02::1:ffe1:f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::546f:f7ff:fee1:f
+	  nonce option (14), length 8 (1): 0x6069604c0aaa
diff --git a/tests/icmpv6-ns-nonce-v2.out b/tests/icmpv6-ns-nonce-v2.out
@@ -0,0 +1,3 @@
+    1  11:07:31.663323 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) :: > ff02::1:ffe1:f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::546f:f7ff:fee1:f
+	  nonce option (14), length 8 (1): 0x6069604c0aaa
+	    0x0000:  6069 604c 0aaa
diff --git a/tests/icmpv6-ns-nonce.pcap b/tests/icmpv6-ns-nonce.pcap