On Tue, 27 Apr 2021 16:14:31 +0100 Dave Howorth <dave@howorth.org.uk> wrote:
On Tue, 27 Apr 2021 16:02:31 +0200 Per Jessen <per@computer.org> wrote:
Andrei Borzenkov wrote:
On Tue, Apr 27, 2021 at 3:22 PM Per Jessen <per@computer.org> wrote:
On some servers we rent at Hetzner, we have recently (in the last month) begun to run Xen - and the Xen guests obviously have "made up" MAC addresses, e.g. 00:16:3e:bb:ac:82.
For IPv4, we have enabled proxy_arp on the bridge interface, works well as always. We have not yet configured any IPv6 in any of the guests, only on the xen host. The guests only have a link-local address.
In this config, the only MAC address that should be seen on the network is that of the only real interface, eth0/br0.
What does it mean? eth0 is a slave interface in br0? Where and how are the guests connected? You really need to explain the network topology better.
Yes, eth0 is bridged with the virtual interfaces into br0.
However, Hetzner is complaining that some of our guest MAC addresses are "leaking out". AFAICT, this is happening in neighbour solicitations and advertisements, with the link-local addresses.
How exactly can you tell it? Do you have any packet capture?
Yes, I ran a tcpdump this morning to confirm what Hetzner told me. A tcpdump on "br0", looking for the two link-local addresses from my two DomUs:

tcpdump -n -i br0 host fe80::216:3eff:febb:ac7c or \
    host fe80::216:3eff:febb:ac82
NDP proxy works between two interfaces (and you need to explicitly define which addresses are proxied).
Aha. I'll have to study that.
If guests are connected to the same br0 as eth0, then guests are on the same physical link and there is nothing to proxy.
Well, except for the "virtual" MAC addresses.
If guests are connected to something else, how come the MACs leak?
You really need to explain your topology.
It is really simple - a single machine, a xen host. Single ethernet interface in the Dom0, bridged with the virtual interfaces into br0.
Are these of any relevance?
http://wiki.stocksy.co.uk/wiki/IPv6%2BXen_on_a_Hetzner_server_with_routing_t...
Or this? https://blog.kumina.nl/2011/06/proxying-neighbor-discovery-messages-ndproxy/
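As an added example, not posted by anyone in this thread: a small check that does what the tcpdump above does by hand, i.e. derives the EUI-64 link-local address a Xen guest MAC produces (00:16:3e:bb:ac:82 -> fe80::216:3eff:febb:ac82) and scans "tcpdump -e -n" style capture lines for neighbour solicitations/advertisements whose source MAC is not the host's physical MAC. The capture lines and the host MAC aa:bb:cc:dd:ee:01 are constructed placeholders, not from the thread.

```python
import re
from ipaddress import IPv6Address

# Shape of a "tcpdump -e -n" line for ICMPv6 neighbour discovery (assumed format).
ND_LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype IPv6 .*?: "
    r"(?P<sip>\S+) > \S+: ICMP6, (?P<kind>neighbor (?:solicitation|advertisement))"
)

def mac_to_link_local(mac):
    """EUI-64 link-local address for a MAC; 00:16:3e:bb:ac:82 gives
    fe80::216:3eff:febb:ac82, matching the guest addresses in the thread."""
    octets = [int(x, 16) for x in mac.lower().split(":")]
    if len(octets) != 6:
        raise ValueError(f"bad MAC: {mac}")
    octets[0] ^= 0x02  # flip the universal/local bit
    eui64 = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return str(IPv6Address((0xFE80 << 112) | int.from_bytes(bytes(eui64), "big")))

def find_leaking_nd(lines, allowed_macs):
    """Return (src_mac, src_ip, kind) for each ND message sent from a MAC that
    is not in allowed_macs (the physical NIC). On a Hetzner-style link every
    such frame is a guest MAC leaking onto the provider's network."""
    allowed = {m.lower() for m in allowed_macs}
    leaks = []
    for line in lines:
        m = ND_LINE.match(line)
        if not m:
            continue
        smac = m.group("smac").lower()
        if smac in allowed:
            continue
        leaks.append((smac, m.group("sip"), m.group("kind")))
    return leaks

# Constructed sample capture in "tcpdump -e -n -i br0" shape; not a real capture.
SAMPLE = [
    "10:00:01.000001 00:16:3e:bb:ac:82 > 33:33:ff:bb:ac:7c, ethertype IPv6 (0x86dd), length 86: "
    "fe80::216:3eff:febb:ac82 > ff02::1:ffbb:ac7c: ICMP6, neighbor solicitation, who has fe80::216:3eff:febb:ac7c, length 32",
    "10:00:01.000200 00:16:3e:bb:ac:7c > 00:16:3e:bb:ac:82, ethertype IPv6 (0x86dd), length 86: "
    "fe80::216:3eff:febb:ac7c > fe80::216:3eff:febb:ac82: ICMP6, neighbor advertisement, tgt is fe80::216:3eff:febb:ac7c, length 32",
    "10:00:02.000000 aa:bb:cc:dd:ee:01 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 118: "
    "fe80::a8bb:ccff:fedd:ee01 > ff02::1: ICMP6, router advertisement, length 64",
]

if __name__ == "__main__":
    for smac, sip, kind in find_leaking_nd(SAMPLE, {"aa:bb:cc:dd:ee:01"}):
        print(f"{kind} from guest MAC {smac} ({sip}); EUI-64 = {mac_to_link_local(smac)}")
```

Feed it real lines from "tcpdump -e -n -i br0 icmp6" to confirm which guest MACs Hetzner is seeing, and to verify afterwards that an NDP proxy setup has stopped them.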