Description

It is possible to cause a node to transmit up to 64 ICMPv6 destination unreachable messages. Other ICMPv6 error messages are probably also possible.

This took a bit of time to reproduce after discovering it.

Steps to reproduce the issue

I was able to trigger this when using two native instances in combination with a Linux host using scapy.

1. Start 2 native instances.
2. Assign an global address to the first node, e.g. fd02::5/64
3. wait a bit for the router solicitations to stabilize.
4. send a packet with scapy to the second instance (the one that got the address from the router advertisement of the first instance):

sendp( Ether(dst=DST_HWADDR) / IPv6(src="fd02::1", dst=DST_ADDR) / UDP(), iface="tapbr0")

With
DST_HWADDR = the link layer address of the second instance.
DST_ADDR = The globally unique IPv6 address of the second instance (fd02::something)
fd02::1 = An "non-existing" address on the subnet.

Expected results

Nothing is send, as neighbour discovery will fail.

Actual results

64 destination unreachable messages are bounced between two instances, each with the all zeros IPv6 address as destination (::). I suspect that the messages are bounced between the two hosts as the mac addresses are switched between each frame.

See attached pcapng for capture.

multi_icmpv6_error.zip

@miri64 Please let me know if you're able to reproduce, it took me quite some time before I was able to trigger it on purpose.