# ipv6 query multicast address to get unicast address

## 1clue

Hi,

I would like to use a bash shell to query a multicast ipv6 address and get back a list of unicast addresses.

For example, I would like to ping ff05::101 and get back a list of ntp servers on my site. Or ping ff05::2 to get all the routers.

Ping doesn't work. It doesn't have to be ping, I just want something that will give me all listeners for some multicast address for the scope specified.

I know that the multicast address is only supposed to be a destination address, so you won't ever get a response from that multicast address. The remote service is supposed to respond with its unicast address, either link-local or site-local or whatever.

I thought I had this figured out once. I lost it.

Thanks.

----------

## Ant P.

I think you want ff02, not ff05...

----------

## 1clue

For routers yes, for ntp servers ff05 is correct.

----------

## Ant P.

I can't seem to get it to work either...

```
~ # ping ff02::2%eth0
PING ff02::2%eth0(ff02::2%eth0) 56 data bytes
64 bytes from fe80::x:6753%eth0: icmp_seq=1 ttl=64 time=0.044 ms
64 bytes from fe80::y:b95e%eth0: icmp_seq=1 ttl=64 time=0.445 ms (DUP!)
64 bytes from fe80::z:681e%eth0: icmp_seq=1 ttl=64 time=0.691 ms (DUP!)
^C

~ # ping ff05::101%eth0
ping: ff05::101%eth0: Name or service not known
```

ff02::101 doesn't get a reply but doesn't fail either. I'm running chrony, and its manpage mentions that address, so I thought it'd work.

----------

## NeddySeagoon

Team,

```
$ ping ff05::2
PING ff05::2(ff05::2) 56 data bytes
64 bytes from 2a02:8010:c002:3:329:7b89:85e8:62a1: icmp_seq=1 ttl=64 time=0.883 ms
```

That's my router's global address on the output side of shorewall6.

```
$ ping ff05::101
PING ff05::101(ff05::101) 56 data bytes
^C
--- ff05::101 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 42ms
```

is the right result.

I don't have any IPv6 ntp servers.

I was surprised that I did not need to specify an interface.

----------

## 1clue

So there's more complication than this.

There are three systems I'm using:

Raspberry pi, raspbian:

This is a stratum 1 time server using GPS.

Can ping6 ff05::2 (Gets global ipv6 address)

Can ping6 ff02::2%eth0 (gets fe80 address)

Can't ping6 ff05::101

Can't ping6 ff02::101%eth0 (shouldn't be able to, the docs say ntp is site scope but I'm trying it for the sake of being thorough)

```
# ntpq -c rv
associd=0 status=0118 leap_none, sync_pps, 1 event, no_sys_peer,
version="ntpd 4.2.8p6@1.3265-o Wed Sep 14 17:22:48 UTC 2016 (3)",
processor="armv6l", system="Linux/4.9.35+", leap=00, stratum=1,
precision=-18, rootdelay=0.000, rootdisp=1.135, refid=GPS,
reftime=e053e4ba.ddd6ecff  Sat, Apr  6 2019 21:53:46.866,
clock=e053e4c4.96e39c0f  Sat, Apr  6 2019 21:53:56.589, peer=41578, tc=4,
mintc=3, offset=0.001304, frequency=-6.926, sys_jitter=0.003815,
clk_jitter=0.004, clk_wander=0.000

# ntpq -nc peers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
o127.127.22.0    .GPS.            0 l   10   16  377    0.000    0.001   0.004
 50.205.244.27   .XFAC.          16 u    - 1024    0    0.000    0.000   0.000
+128.138.141.172 .NIST.           1 u   15   64  355   45.495   -3.595   0.642
 131.107.13.100  .XFAC.          16 u    - 1024    0    0.000    0.000   0.000
*74.117.214.3    .PPS.            1 u   58   64  377  109.205    3.735   1.654
-216.229.0.49    128.252.19.1     2 u   31   64  377   45.490    7.445   1.229
-45.79.111.114   216.218.192.202  2 u   57   64  377   69.129    9.205   3.330
-2001:4998:58:18 98.139.133.62    2 u   57   64  377   76.631    6.499   1.409
+50.205.244.20   50.205.244.28    2 u   18   64  377   48.250    0.496   1.657
```

So the ntp server is using ipv6 because one of the peers is an ipv6 address.

The pi has both fe80 addresses and also has a global IPV6.

The pi can reach ipv6 sites on the Internet and make IPV6 connections locally using both fe80 and global addresses. I won't bug you with that stuff.

```
# netstat -tunlgp | grep ntp
udp        0      0 192.168.99.91:123       0.0.0.0:*                           457/ntpd
udp        0      0 192.168.99.2:123        0.0.0.0:*                           457/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           457/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           457/ntpd
udp6       0      0 fe80::ba27:ebff:fec:123 :::*                                457/ntpd
udp6       0      0 dad:ea75:dead:beef::123 :::*                                457/ntpd
udp6       0      0 ::1:123                 :::*                                457/ntpd
udp6       0      0 :::123                  :::*                                457/ntpd
```

So the server is listening on ipv4, ipv6-global and ipv6-link-local.

But it does not seem to be binding to a multicast?

Ubuntu 18.04:

Can't ping6 ff05::2 (hangs)

Can ping6 ff02::%enp3s0

Can't ping6 ff05::101 (hangs)

Can't ping6 ff02::101%enp3s0 (hangs)

Ubuntu has a fully functional dual ipv4+ipv6 stack. I won't bother you with the evidence.

Its ntp statistics show that it is also getting ipv4 and ipv6 addresses as peers.

Gentoo:

2001:48f8:1044:717

Can ping ff05::2 (gets global router address)

Can ping ff02::2%eth1 (gets fe80 address)

Can't ping ff05::101 (hangs)

Can't ping ff02::101%eth1 (hangs)

Gentoo also shows ipv6 and ipv4 addresses in the peers list for  ntpq.

Observations

I never knew that you could ping ff05::2 and get your global router. I've spent hours looking for how to do that from the command line. Never occurred to try the thing that makes most sense.

I don't recall reading anywhere that router multicast worked on any more than link-local scope. So I never tried ff05::2

My Ubuntu box does not know about ff05::2. Must be one of Lennart's improvements?

My stratum 1 time server seems to know about IPV6 but does not seem to bind to the multicast address.

This must be a configuration problem. I'm gonna try Google with different search terms.

As I have determined that this is not strictly a Gentoo problem I don't mind if you don't continue to help. But I'll post a solution if I can figure it out.

----------

## Ant P.

Now that I've tried ff05::* (without interface scope), I get identical results as above: 2 works, 101 does not. I'm still a bit confused that it errors out instantly with an interface specified.

I know I do have working multicast support in the kernel despite all this (using avahi for distcc etc).

----------

## UberLord

Have you configured the NTP server for multicast?

https://groups.google.com/forum/#!topic/comp.protocols.time.ntp/SpUkoQcu-q0

About the scope - I think FF05 needs to be configured whereas FF02 works on any decent IPv6 host.

So try ff02::101%interface.

Works for me.

----------

## NeddySeagoon

1clue,

```
[ ]   IP: multicasting  
```

is an optional extra in the kernel, as is

```
 [ ]   IPv6: multicast routing
```

Do you need them?

----------

## 1clue

*NeddySeagoon wrote:*

> 1clue,
> 
> ```
> [ ]   IP: multicasting  
> ```
> ...

 

Neddy, the last question doesn't really compute.

In the literal sense I don't, because I've been running with this setup for awhile now.

That said, now that I noticed my ntp server is not working the way ntp servers are supposed to work, and that it's not.....Let's just say that it's going to burn my butt until I get it right. As the system in question is Raspbian I don't know if the multicast routing is turned on. I'll investigate. But it does know what multicast is, so I'm going to say the first option is turned on.

It also happens that the devices I'm using are all on the same physical subnet. So ff05::101 should work.

@Ant P: It seems to be different per distro. I started playing with it and found that on some distros, if you do ff02::something without specifying interface it chooses the default route's interface. Others no. The ntp server's only defined multicast is site-local so ff02::101 is not really defined. IMO it would make sense for some things (DNS, ntp servers, etc) to allow scopes like city, state/province, nation or continent. Assuming of course that there were some way of validating a server once the volunteer comes back from the multicast.

Reading this again, I wonder if you mean scope on the site-local (ff05) addresses? Should not be necessary the way I understand the spec, and none of my Linux boxes requires it.

@Uberlord: I tried the configuration options without authentication on the server. Based on that thread you posted, authentication may be required even for local network only. I've done ff02::101%interface, no joy. And no sign that it's actually configured as multicast on the server.

----------

## 1clue

Again, server is a Raspberry Pi running Raspbian for full disclosure.

From the server:

```
# /usr/sbin/ntpd --version
ntpd 4.2.8p6@1.3265-o Wed Sep 14 17:22:48 UTC 2016 (3)
```

```
# netstat -ng
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      224.0.0.1
eth0            1      224.0.0.251
eth0            1      224.0.0.1
lo              1      ff02::1
lo              1      ff01::1
eth0            1      ff02::fb
eth0            1      ff02::1:ff82:108d
eth0            1      ff02::1:ffc4:8a7
eth0            1      ff02::1
eth0            1      ff01::1
```

Server's config file, but note that I've been throwing crap in here to see if it works so it's not exactly trim:

```
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
server 127.127.22.0 minpoll 4 maxpoll 4
fudge 127.127.22.0 refid GPS
server 0.debian.pool.ntp.org iburst prefer
server 50.205.244.27 iburst
server 128.138.141.172 iburst
server 131.107.13.100 iburst
server 0.us.pool.ntp.org iburst
server 1.us.pool.ntp.org iburst
server 2.us.pool.ntp.org iburst
server 3.us.pool.ntp.org iburst

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
broadcast ff05::101 ttl 2
broadcast 224.0.1.1 ttl 2
broadcast ff02::101%eth0 ttl 2

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

```
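An added example, not part of the original posts: a shell check over the `netstat -ng` output posted above. A host only answers an echo request sent to a multicast group it has joined, so listing which interfaces have joined a group shows why the pings to ff02::101 and ff05::101 get no reply from this server. The function names and the embedded sample (the IPv6 rows copied from the post) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample: IPv6 rows of the `netstat -ng` output posted above.
SAMPLE='Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      ff02::1
lo              1      ff01::1
eth0            1      ff02::fb
eth0            1      ff02::1:ff82:108d
eth0            1      ff02::1:ffc4:8a7
eth0            1      ff02::1
eth0            1      ff01::1'

# mcast_scope GROUP -> scope name taken from the 4th hex digit (RFC 4291).
mcast_scope() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        ff?1:*) echo interface-local ;;
        ff?2:*) echo link-local ;;
        ff?4:*) echo admin-local ;;
        ff?5:*) echo site-local ;;
        ff?8:*) echo organization-local ;;
        ff?e:*) echo global ;;
        *)      echo unknown ;;
    esac
}

# joined_on GROUP -> interfaces that have joined GROUP, read from
# `netstat -ng` text on stdin. An empty line means no interface has joined.
# Assumes GROUP is written in the same compressed form netstat prints.
joined_on() {
    awk -v g="$(printf '%s' "$1" | tr 'A-F' 'a-f')" '
        NF == 3 && tolower($3) == g { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

# report GROUP... -> one line per group: address, scope, interfaces.
report() {
    local text g ifaces
    text=$(cat)
    for g in "$@"; do
        ifaces=$(printf '%s\n' "$text" | joined_on "$g")
        printf '%-10s %-15s %s\n' "$g" "$(mcast_scope "$g")" "${ifaces:-not joined}"
    done
}

# On a live host: netstat -ng | report ff02::1 ff02::101 ff05::101
printf '%s\n' "$SAMPLE" | report ff02::1 ff02::101 ff05::101
```
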

----------

## 1clue

I'm going to put my ntp.conf aside and re-read the man page and whatever other documentation I can get. It seems I need authentication or validation, and a manycastserver and manycastclient statement. Or something.

The man page mentions ff05::101 and originally it seemed that the manycast* directives accessed the pre-existing listener on ff05::101 but now it seems that it may actually be telling it to listen, and they have all this authentication and cryptographic stuff.

In the abstract I can see the value of a secure clock. In reality it seems a bit excessive.

Says the guy who built a stratum 1 time server.

----------

