I put a patch for bmx6 in this branch
https://github.com/axn/bmx6/commits/master.NonFakeTunAddresses
https://github.com/axn/bmx6/commit/5dc6678cf9c2887ca5e32c8d7527c5f660ddb7e9
But due to the current kernel behavior it does not accept ip4-in-ipv6
tunnelled packets if the remote tunnel address is not explicitly
specified and matching with the incoming tunnel packet. For ip6-in-ip6
it works.
The problem is addressed by the patches linked below. But none of them seems
to have been applied to current kernels. If somebody knows or finds out
an alternative solution, that would be great.
/axel
http://lists.openwall.net/netdev/2014/10/29/20
http://archive.linuxvirtualserver.org/cgi-bin/mesg.cgi?a=lvs-devel&i=53…
On 07.06.2017 18:50, Gui Iribarren wrote:
(Braindumping here, sorry for the lack of context)
made two one-way tunnels:
packets put into torreunc "foo" will be captured at nicojesigioia "fool"
and vice versa, nicojesigioia "foo" -> torreunc "fool"
but foo doesn't need any "fake" source address,
the key is that "fool" is constructed using "remote ::", and it catches
packets with destination equal to the "local 2001:db8::" address, but
regardless of the source address
i.e.
ip -6 tun add fool local fd66:66:66:15:c24a:ff:fefc:6567
### torreunc
root@torreunc:~# ip a s foo
13076: foo@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1452 qdisc noqueue
state UNKNOWN group default qlen 1
link/tunnel6 2801:1e8::827a:4a00 peer fd66:66:66:13:c24a:ff:fefc:6566
inet6 fe80::fc21:acff:fe96:f61f/64 scope link
valid_lft forever preferred_lft forever
root@torreunc:~# ip a s fool
13281: fool@NONE: <NOARP,UP,LOWER_UP> mtu 1452 qdisc noqueue state
UNKNOWN group default qlen 1
link/tunnel6 fd66:66:66:8:62e3:27ff:fe4a:7a82 brd ::
inet6 fe80::d893:19ff:fec4:3163/64 scope link
valid_lft forever preferred_lft forever
root@torreunc:~# ip r get 2801:1e8::827a:4a00
local 2801:1e8::827a:4a00 from :: dev lo table local proto none src
2801:1e8::827a:4a00 metric 0 pref medium
### nicojesigioia
root@nicojesigioia:~# ip a s foo
2207: foo@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1350 qdisc noqueue
state UNKNOWN group default qlen 1
link/tunnel6 2801:1e8:2::6565:fc00 peer fd66:66:66:8:62e3:27ff:fe4a:7a82
inet6 fe80::ec05:abff:fefe:54c9/64 scope link
valid_lft forever preferred_lft forever
root@nicojesigioia:~# ip a s fool
2380: fool@NONE: <NOARP,UP,LOWER_UP> mtu 1452 qdisc noqueue state
UNKNOWN group default qlen 1
link/tunnel6 fd66:66:66:13:c24a:ff:fefc:6566 brd ::
inet6 fe80::b853:54ff:fe4a:3de5/64 scope link
valid_lft forever preferred_lft forever
root@nicojesigioia:~# ip r get 2801:1e8:2::6565:fc00
local 2801:1e8:2::6565:fc00 from :: dev lo table local proto none src
2801:1e8:2::6565:fc00 metric 0 pref medium
This works, and I propose bmx6/7 sets up tunnels like this, without
specifying a "peer" on the "receiving" tunnels, so that "sending"
tunnels can use real ipv6 source addresses and ICMPv6 error messages
can be sent back successfully and not break PMTUD in case of MTU size
changes
as a reference, here's how current bmx6 sets up the equivalent of the
"fool" interface, but specifying a "remote" (unnecessarily)
root@torreunc:~# ip a s bmxmain
16: bmxmain@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1460 qdisc noqueue
state UNKNOWN group default qlen 1
link/tunnel6 fd66:66:66:8:62e3:27ff:fe4a:7a82 peer
fd66:66:66:ff00:62e3:27ff:fe4a:7a82
inet 10.5.24.12/32 scope global bmxmain
valid_lft forever preferred_lft forever
inet6 2801:1e8::827a:4a00/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::ce:9cff:fe25:2c92/64 scope link
valid_lft forever preferred_lft forever
root@nicojesigioia:~# ip a s bmxmain
16: bmxmain@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1452 qdisc noqueue
state UNKNOWN group default qlen 1
link/tunnel6 fd66:66:66:a:c24a:ff:fefc:6565 peer
fd66:66:66:ff00:c24a:ff:fefc:6565
inet 10.5.0.6/32 scope global bmxmain
valid_lft forever preferred_lft forever
inet6 2801:1e8:2::6565:fc00/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::f87c:4ff:fe19:ebde/64 scope link
valid_lft forever preferred_lft forever
and a corresponding equivalent 'foo' tunnel
root@nicojesigioia:~# ip a s bmxOut_torreun
2391: bmxOut_torreun@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1358
qdisc noqueue state UNKNOWN group default qlen 1
link/tunnel6 fd66:66:66:ff00:62e3:27ff:fe4a:7a82 peer
fd66:66:66:8:62e3:27ff:fe4a:7a82
inet 10.5.0.6/32 scope global bmxOut_torreun
valid_lft forever preferred_lft forever
inet6 2801:1e8:2::6565:fc00/128 scope global
valid_lft forever preferred_lft forever
inet6 fd66:66:66:ff00:62e3:27ff:fe4a:7a82/128 scope global deprecated
valid_lft forever preferred_lft 0sec
inet6 fe80::f005:3cff:fe4a:26d/64 scope link
valid_lft forever preferred_lft forever