connectivity: encryption tests: filter when icmpv6.type == 136 #38798

tommyp1ckles · 2025-04-07T23:24:46Z

Addresses: #38688

Update: The expression not icmp6[1] = 136 does not appear to work. I tested ip6[40] = 136 and that does appear to filter by the NA msg.

Filter expression can be tested in scapy via:

send(IPv6(src="fe80::5055:55ff:fe24:430")/ICMPv6ND_NA(), loop=1, inter=1

[nix-shell:~/Code/cilium]$ sudo tcpdump -i eth0 'ip6[40] = 136'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:21:25.619892 IP6 lima-vm > ip6-allnodes: ICMP6, neighbor advertisement, tgt is ::, length 24
09:21:26.620501 IP6 lima-vm > ip6-allnodes: ICMP6, neighbor advertisement, tgt is ::, length 24
09:21:27.621135 IP6 lima-vm > ip6-allnodes: ICMP6, neighbor advertisement, tgt is ::, length 24
09:21:28.621907 IP6 lima-vm > ip6-allnodes: ICMP6, neighbor advertisement, tgt is ::, length 24

tommyp1ckles · 2025-04-07T23:24:53Z

/test

tommyp1ckles · 2025-04-08T02:44:17Z

/test

tommyp1ckles · 2025-04-08T22:23:22Z

/ci-e2e-upgrade

tommyp1ckles · 2025-04-08T22:53:33Z

/ci-e2e-upgrade

tommyp1ckles · 2025-04-08T23:33:41Z

/ci-e2e-upgrade

tommyp1ckles · 2025-04-09T00:20:19Z

/test

tommyp1ckles · 2025-04-09T16:21:51Z

/test

tommyp1ckles · 2025-04-09T20:30:34Z

/test

tommyp1ckles · 2025-04-09T20:31:14Z

/test

tommyp1ckles · 2025-04-09T21:00:08Z

/test

tommyp1ckles · 2025-04-10T04:35:54Z

/test

icmpv6 neighbor advertise messages are not sent to wg device [1]. These cause failures in tcpdump leak sniffing. To fix this we will attempt to filter these out when: * node encryption = true * encryption = wireguard * ipv6 = true [1]: https://github.com/cilium/cilium/blob/d116b166d595e13e3e8772acb37a88088723d340/bpf/lib/wireguard.h#L95 Fixes: #38688 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>

tommyp1ckles · 2025-04-10T04:38:03Z

/test

jschwinger233

yeah this matches https://github.com/cilium/cilium/blob/v1.18.0-pre.1/bpf/lib/wireguard.h#L95

julianwiedmann · 2025-04-11T06:34:15Z

@tommyp1ckles thank you! 🚀

Do you know whether this was triggered by any specific CLI change? Wondering if we're already seeing this on stable branches and need to push an out-of-schedule CLI release, or got lucky and caught it in time.

julianwiedmann · 2025-04-14T06:31:40Z

Seems like this still hits config 12 in e2e-upgrade, which uses native routing mode and thus builds its filter here.

julianwiedmann · 2025-04-25T07:28:54Z

Seems like this still hits config 12 in e2e-upgrade, which uses native routing mode and thus builds its filter here.

Started to hack about in #39160.

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 7, 2025

github-actions bot added cilium-cli This PR contains changes related with cilium-cli cilium-cli-exclusive This PR only impacts cilium-cli binary labels Apr 7, 2025

tommyp1ckles force-pushed the pr/tp/skip-icmpv6-on-wg branch from ee1779a to cf4264d Compare April 8, 2025 02:44

tommyp1ckles force-pushed the pr/tp/skip-icmpv6-on-wg branch from cf4264d to a82ca43 Compare April 8, 2025 22:22

tommyp1ckles changed the title ~~[DEBUG/WIP] try avoiding icmpv6~~ [DEBUG/WIP] [CI] try avoiding icmpv6 msg = 136 Apr 8, 2025

tommyp1ckles force-pushed the pr/tp/skip-icmpv6-on-wg branch from a82ca43 to 2a8e57d Compare April 8, 2025 22:41

tommyp1ckles force-pushed the pr/tp/skip-icmpv6-on-wg branch from 2a8e57d to 9c629e9 Compare April 8, 2025 23:01

tommyp1ckles closed this Apr 9, 2025

tommyp1ckles reopened this Apr 9, 2025

tommyp1ckles changed the title ~~[DEBUG/WIP] [CI] try avoiding icmpv6 msg = 136~~ connectivity: encryption tests: filter when icmpv6 msg = 136 Apr 9, 2025

tommyp1ckles marked this pull request as ready for review April 9, 2025 05:50

tommyp1ckles requested a review from a team as a code owner April 9, 2025 05:50

tommyp1ckles requested review from jschwinger233 and ldelossa April 9, 2025 05:50

tommyp1ckles changed the title ~~connectivity: encryption tests: filter when icmpv6 msg = 136~~ connectivity: encryption tests: filter when icmpv6.type == 136 Apr 9, 2025

tommyp1ckles marked this pull request as draft April 9, 2025 14:56

tommyp1ckles marked this pull request as ready for review April 9, 2025 16:22

tommyp1ckles force-pushed the pr/tp/skip-icmpv6-on-wg branch from 9c629e9 to e87b149 Compare April 9, 2025 20:30

tommyp1ckles requested review from a team as code owners April 9, 2025 20:30

tommyp1ckles added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. release-note/ci This PR makes changes to the CI. labels Apr 9, 2025

maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 10, 2025

tommyp1ckles force-pushed the pr/tp/skip-icmpv6-on-wg branch from e87b149 to 2282626 Compare April 10, 2025 04:35

tommyp1ckles force-pushed the pr/tp/skip-icmpv6-on-wg branch from 2282626 to f471bfc Compare April 10, 2025 04:37

jschwinger233 approved these changes Apr 10, 2025

View reviewed changes

tommyp1ckles enabled auto-merge April 10, 2025 14:17

tommyp1ckles added this pull request to the merge queue Apr 10, 2025

Merged via the queue into main with commit f3649ae Apr 10, 2025
303 checks passed

tommyp1ckles deleted the pr/tp/skip-icmpv6-on-wg branch April 10, 2025 14:56

julianwiedmann mentioned this pull request Apr 25, 2025

cli: encryption: improve ICMPv6 NA detection #39160

Merged

connectivity: encryption tests: filter when icmpv6.type == 136 #38798

connectivity: encryption tests: filter when icmpv6.type == 136 #38798

Uh oh!

Conversation

tommyp1ckles commented Apr 7, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tommyp1ckles commented Apr 7, 2025

Uh oh!

tommyp1ckles commented Apr 8, 2025

Uh oh!

tommyp1ckles commented Apr 8, 2025

Uh oh!

tommyp1ckles commented Apr 8, 2025

Uh oh!

tommyp1ckles commented Apr 8, 2025

Uh oh!

tommyp1ckles commented Apr 9, 2025

Uh oh!

tommyp1ckles commented Apr 9, 2025

Uh oh!

tommyp1ckles commented Apr 9, 2025

Uh oh!

tommyp1ckles commented Apr 9, 2025

Uh oh!

tommyp1ckles commented Apr 9, 2025

Uh oh!

tommyp1ckles commented Apr 10, 2025

Uh oh!

tommyp1ckles commented Apr 10, 2025

Uh oh!

jschwinger233 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

julianwiedmann commented Apr 11, 2025

Uh oh!

julianwiedmann commented Apr 14, 2025

Uh oh!

julianwiedmann commented Apr 25, 2025

Uh oh!

Uh oh!

tommyp1ckles commented Apr 7, 2025 •

edited

Loading