Proxying Neighbor Discovery messages: ndproxy

On our systems at Hetzner we only have a single /64 IPv6 range, which we use to assign addresses to virtual systems running in Xen and KVM. We also want to perform layer 3 and 4 firewalling and traffic accounting on the host system, so we don’t bridge the virtual machines directly to the external interface, but to a dummy interface on the host system. As a consequence, Neighbor Discovery messages generated on the internal bridge interface are not propagated to the outside network interface. We currently solve this by manually adding proxy rules, using the ip -6 neigh add proxy ... dev ... command.

The disadvantage of this approach is that you cannot add proxy rules for entire ranges of addresses. Proxying entire ranges would not be a good approach either, because it may pollute upstream routers with spurious entries. Having to add each rule by hand is a problem for us, because we want to be able to simply assign new addresses to virtual machines without requiring manual reconfiguration on the host system. Therefore we have written a small script called ndproxy, which scans the output of ip -6 neigh show dev ... and replicates proxy entries on the outer interface.

The code is published in the ndproxy repository on GitHub. Enjoy!
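The scan-and-replicate step described above, as an added sketch that is not taken from the ndproxy repository: it parses ip -6 neigh show dev ... output and returns the ip -6 neigh add proxy commands still missing on the outer interface. The function names, the sample neighbor table, the 2001:db8:1:2::/64 prefix and the eth0 device name are assumptions; restricting proxying to the host's own /64 is a hardening choice of this example, so that link-local addresses and addresses a guest claims outside the assigned range are never announced upstream.

```python
import ipaddress

# Neighbor states in which the guest has actually answered on the bridge.
LIVE_STATES = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}

def live_neighbors(neigh_output, prefix):
    """Return the addresses from `ip -6 neigh show dev <bridge>` output that
    are resolved, in a live state, and inside `prefix`."""
    net = ipaddress.ip_network(prefix)
    found = set()
    for line in neigh_output.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED / INCOMPLETE entries have no link-layer address
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a neighbor line
        if fields[-1] not in LIVE_STATES:
            continue
        # Only addresses from our own range: this drops link-local entries
        # and anything a guest announces outside the prefix assigned to us.
        if addr in net:
            found.add(addr)
    return found

def proxy_commands(neigh_output, current_proxies, prefix, outer_dev):
    """Build the `ip` invocations (as argv lists) for proxy entries that are
    seen on the bridge but not yet present on the outer interface."""
    have = {ipaddress.ip_address(a) for a in current_proxies}
    missing = sorted(live_neighbors(neigh_output, prefix) - have)
    return [["ip", "-6", "neigh", "add", "proxy", str(a), "dev", outer_dev]
            for a in missing]

# Constructed sample of `ip -6 neigh show dev <bridge>` output.
SAMPLE = """\
2001:db8:1:2::10 lladdr 52:54:00:aa:00:10 REACHABLE
2001:db8:1:2::11 lladdr 52:54:00:aa:00:11 STALE
2001:db8:1:2::12 FAILED
fe80::5054:ff:feaa:10 lladdr 52:54:00:aa:00:10 STALE
2001:db8:ffff::1 lladdr 52:54:00:aa:00:66 REACHABLE
"""

if __name__ == "__main__":
    for cmd in proxy_commands(SAMPLE, ["2001:db8:1:2::10"],
                              "2001:db8:1:2::/64", "eth0"):
        print(" ".join(cmd))
```

The sketch only adds entries; removing proxy entries for addresses that are no longer in use is left out.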


One Response to “Proxying Neighbor Discovery messages: ndproxy”

  1. Daniel says:

    Check out NDP Proxy Daemon:
