Wintun NeighborDiscoverySupported

Brad Spencer bspencer at blackberry.com
Thu Sep 9 18:15:02 UTC 2021 

On 2021-09-09 2:42 p.m., Jason A. Donenfeld wrote:
> So how exactly were
> you "seeing" the ARP requests on the Wintun interface? Did wireshark
> show it? Or did you read from the Wintun ring and actually see an ARP
> frame? Or something else? Or was this just a manner of speaking and
> you didn't actually observe ARP frames themselves?
You're right to suspect that I was speaking imprecisely here.  We have 
never seen an ARP request appear on the Wintun interface!  I meant to 
say that we have noticed the ARP table for the Wintun interface 
accumulating entries.

>> We _think_ that the NeighborDiscoverySupported property being Yes means
>> that Windows issues ARP requests for addresses on the Wintun interface.
> That seems like a good intuition. I'm wondering whether that's
> something you're assuming or something you read on a Microsoft
> website. I ask because this might provide a good entry point for
> whatever reverse engineering I wind up doing to fix this.
I pieced this together from a few scraps.

On the MIB_IPINTERFACE_ROW page[1], the docs only tersely say:

"A value that specifies if the IP interface support neighbor discovery."

Microsoft seems to use the same terminology when documenting 
SetIpNetEntry2()[2]:

"The SetIpNetEntry2 function sets the physical address of an existing 
neighbor IP address entry on the local computer."

And then, most importantly, MIB_IPNET_ROW2, the structure used by that 
function says this in its Remarks section[3]:

"For IPv4, this includes addresses determined used the Address 
Resolution Protocol (ARP). For IPv6, this includes addresses determined 
using the Neighbor Discovery (ND) protocol for IPv6 as specified in RFC 
2461. "

So, it seems that the "NetEntry" APIs are those that deal with ARP (and 
ND) entries, and the term Microsoft uses for that is "neighbor discovery".

I don't know if the SupportsNeighborDiscovery field of MIB_INTERFACE_ROW 
is implied by other properties of the network interface (such as "all 
Ethernet interfaces support ARP") or whether it can be individually set 
at all.

One other detail is that we have the gateway for the tunnel's routes set 
to 0.0.0.0 (or "::").  I presume that also influences how Windows 
decides which addresses might be on-link neighbours.

1. 
https://docs.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-mib_ipinterface_row
2. 
https://docs.microsoft.com/en-us/windows/win32/api/netioapi/nf-netioapi-setipnetentry2
3. 
https://docs.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-mib_ipnet_table2

-- 
Brad Spencer

More information about the WireGuard mailing list