From: 'Marcelo Ricardo Leitner' <marcelo.leitner@gmail.com>
To: Corey Minyard <minyard@acm.org>
Cc: David Laight <David.Laight@aculab.com>,
Michael Tuexen <Michael.Tuexen@lurchi.franken.de>,
Xin Long <lucien.xin@gmail.com>,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
"linux-sctp@vger.kernel.org" <linux-sctp@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: Strange problem with SCTP+IPv6
Date: Tue, 23 Jun 2020 18:21:43 -0300 [thread overview]
Message-ID: <20200623212143.GR2491@localhost.localdomain> (raw)
In-Reply-To: <20200623161756.GE3235@minyard.net>
On Tue, Jun 23, 2020 at 11:17:56AM -0500, Corey Minyard wrote:
> On Tue, Jun 23, 2020 at 01:17:28PM +0000, David Laight wrote:
> > From: Marcelo Ricardo Leitner
> > > Sent: 22 June 2020 19:33
> > > On Mon, Jun 22, 2020 at 08:01:24PM +0200, Michael Tuexen wrote:
> > > > > On 22. Jun 2020, at 18:57, Corey Minyard <minyard@acm.org> wrote:
> > > > >
> > > > > On Mon, Jun 22, 2020 at 08:01:23PM +0800, Xin Long wrote:
> > > > >> On Sun, Jun 21, 2020 at 11:56 PM Corey Minyard <minyard@acm.org> wrote:
> > > > >>>
> > > > >>> I've stumbled upon a strange problem with SCTP and IPv6. If I create an
> > > > >>> sctp listening socket on :: and set the IPV6_V6ONLY socket option on it,
> > > > >>> then I make a connection to it using ::1, the connection will drop after
> > > > >>> 2.5 seconds with an ECONNRESET error.
> > > > >>>
> > > > >>> It only happens on SCTP, it doesn't have the issue if you connect to a
> > > > >>> full IPv6 address instead of ::1, and it doesn't happen if you don't
> > > > >>> set IPV6_V6ONLY. I have verified current end of tree kernel.org.
> > > > >>> I tried on an ARM system and x86_64.
> > > > >>>
> > > > >>> I haven't dug into the kernel to see if I could find anything yet, but I
> > > > >>> thought I would go ahead and report it. I am attaching a reproducer.
> > > > >>> Basically, compile the following code:
> > > > >> The code only set IPV6_V6ONLY on server side, so the client side will
> > > > >> still bind all the local ipv4 addresses (as you didn't call bind() to
> > > > >> bind any specific addresses ). Then after the connection is created,
> > > > >> the client will send HB on the v4 paths to the server. The server
> > > > >> will abort the connection, as it can't support v4.
> > > > >>
> > > > >> So you can work around it by either:
> > > > >>
> > > > >> - set IPV6_V6ONLY on client side.
> > > > >>
> > > > >> or
> > > > >>
> > > > >> - bind to the specific v6 addresses on the client side.
> > > > >>
> > > > >> I don't see RFC said something about this.
> > > > >> So it may not be a good idea to change the current behaviour
> > > > >> to not establish the connection in this case, which may cause regression.
> > > > >
> > > > > Ok, I understand this. It's a little strange, but I see why it works
> > > > > this way.
> > > > I don't. I would expect it to work as I described in my email.
> > > > Could someone explain me how and why it is behaving different from
> > > > my expectation?
> > >
> > > It looks like a bug to me. Testing with this test app here, I can see
> > > the INIT_ACK being sent with a bunch of ipv4 addresses in it and
> > > that's unexpected for a v6only socket. As is, it's the server saying
> > > "I'm available at these other addresses too, but not."
> >
> > Does it even make sense to mix IPv4 and IPv6 addresses on the same
> > connection?
> > I don't remember ever seeing both types of address in a message,
> > but may not have looked.
>
> That's an interesting question. Do the RFCs say anything? I would
> assume it was ok unless ipv6only was set.
>
> >
> > I also wonder whether the connection should be dropped for an error
> > response on a path that has never been validated.
>
> That actually bothered me a bit more. Shouldn't it stay up if any path
> is up? That's kind of the whole point of multihoming.
Michael explained it on the other email. What he described is what I
observed in my tests.
>
> >
> > OTOH the whole 'multi-homing' part of SCTP sucks.
>
> I don't think so.
>
> > The IP addresses a server needs to bind to depend on where the
> > incoming connection will come from.
> > A local connection may be able to use a 192.168.x.x address
> > but a remote connection must not - as it may be defined locally
> > at the remote system.
> > But both connections can come into the public (routable) address.
> > We have to tell customers to explicitly configure the local IP
> > addresses - which means the application has to know what they are.
> > Fortunately these apps are pretty static - usually M3UA.
>
> Umm, no, If you have a private address, it better be behind a firewall,
> and the firewall should handle rewriting the packet to fix the addresses.
>
> It doesn't appear that Linux netfilter does this. There is a TODO in
> the code for this. But that's how it *should* work.
Right, we don't support SCTP aware NAT [1].
1.https://tools.ietf.org/html/draft-stewart-behave-sctpnat-04
Marcelo
>
> -corey
>
> >
> > David
> >
> > -
> > Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
> > Registration No: 1397386 (Wales)
> >
WARNING: multiple messages have this Message-ID (diff)
From: 'Marcelo Ricardo Leitner' <marcelo.leitner@gmail.com>
To: Corey Minyard <minyard@acm.org>
Cc: David Laight <David.Laight@aculab.com>,
Michael Tuexen <Michael.Tuexen@lurchi.franken.de>,
Xin Long <lucien.xin@gmail.com>,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
"linux-sctp@vger.kernel.org" <linux-sctp@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: Strange problem with SCTP+IPv6
Date: Tue, 23 Jun 2020 21:21:43 +0000 [thread overview]
Message-ID: <20200623212143.GR2491@localhost.localdomain> (raw)
In-Reply-To: <20200623161756.GE3235@minyard.net>
On Tue, Jun 23, 2020 at 11:17:56AM -0500, Corey Minyard wrote:
> On Tue, Jun 23, 2020 at 01:17:28PM +0000, David Laight wrote:
> > From: Marcelo Ricardo Leitner
> > > Sent: 22 June 2020 19:33
> > > On Mon, Jun 22, 2020 at 08:01:24PM +0200, Michael Tuexen wrote:
> > > > > On 22. Jun 2020, at 18:57, Corey Minyard <minyard@acm.org> wrote:
> > > > >
> > > > > On Mon, Jun 22, 2020 at 08:01:23PM +0800, Xin Long wrote:
> > > > >> On Sun, Jun 21, 2020 at 11:56 PM Corey Minyard <minyard@acm.org> wrote:
> > > > >>>
> > > > >>> I've stumbled upon a strange problem with SCTP and IPv6. If I create an
> > > > >>> sctp listening socket on :: and set the IPV6_V6ONLY socket option on it,
> > > > >>> then I make a connection to it using ::1, the connection will drop after
> > > > >>> 2.5 seconds with an ECONNRESET error.
> > > > >>>
> > > > >>> It only happens on SCTP, it doesn't have the issue if you connect to a
> > > > >>> full IPv6 address instead of ::1, and it doesn't happen if you don't
> > > > >>> set IPV6_V6ONLY. I have verified current end of tree kernel.org.
> > > > >>> I tried on an ARM system and x86_64.
> > > > >>>
> > > > >>> I haven't dug into the kernel to see if I could find anything yet, but I
> > > > >>> thought I would go ahead and report it. I am attaching a reproducer.
> > > > >>> Basically, compile the following code:
> > > > >> The code only set IPV6_V6ONLY on server side, so the client side will
> > > > >> still bind all the local ipv4 addresses (as you didn't call bind() to
> > > > >> bind any specific addresses ). Then after the connection is created,
> > > > >> the client will send HB on the v4 paths to the server. The server
> > > > >> will abort the connection, as it can't support v4.
> > > > >>
> > > > >> So you can work around it by either:
> > > > >>
> > > > >> - set IPV6_V6ONLY on client side.
> > > > >>
> > > > >> or
> > > > >>
> > > > >> - bind to the specific v6 addresses on the client side.
> > > > >>
> > > > >> I don't see RFC said something about this.
> > > > >> So it may not be a good idea to change the current behaviour
> > > > >> to not establish the connection in this case, which may cause regression.
> > > > >
> > > > > Ok, I understand this. It's a little strange, but I see why it works
> > > > > this way.
> > > > I don't. I would expect it to work as I described in my email.
> > > > Could someone explain me how and why it is behaving different from
> > > > my expectation?
> > >
> > > It looks like a bug to me. Testing with this test app here, I can see
> > > the INIT_ACK being sent with a bunch of ipv4 addresses in it and
> > > that's unexpected for a v6only socket. As is, it's the server saying
> > > "I'm available at these other addresses too, but not."
> >
> > Does it even make sense to mix IPv4 and IPv6 addresses on the same
> > connection?
> > I don't remember ever seeing both types of address in a message,
> > but may not have looked.
>
> That's an interesting question. Do the RFCs say anything? I would
> assume it was ok unless ipv6only was set.
>
> >
> > I also wonder whether the connection should be dropped for an error
> > response on a path that has never been validated.
>
> That actually bothered me a bit more. Shouldn't it stay up if any path
> is up? That's kind of the whole point of multihoming.
Michael explained it on the other email. What he described is what I
observed in my tests.
>
> >
> > OTOH the whole 'multi-homing' part of SCTP sucks.
>
> I don't think so.
>
> > The IP addresses a server needs to bind to depend on where the
> > incoming connection will come from.
> > A local connection may be able to use a 192.168.x.x address
> > but a remote connection must not - as it may be defined locally
> > at the remote system.
> > But both connections can come into the public (routable) address.
> > We have to tell customers to explicitly configure the local IP
> > addresses - which means the application has to know what they are.
> > Fortunately these apps are pretty static - usually M3UA.
>
> Umm, no, If you have a private address, it better be behind a firewall,
> and the firewall should handle rewriting the packet to fix the addresses.
>
> It doesn't appear that Linux netfilter does this. There is a TODO in
> the code for this. But that's how it *should* work.
Right, we don't support SCTP aware NAT [1].
1.https://tools.ietf.org/html/draft-stewart-behave-sctpnat-04
Marcelo
>
> -corey
>
> >
> > David
> >
> > -
> > Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
> > Registration No: 1397386 (Wales)
> >
next prev parent reply other threads:[~2020-06-23 21:21 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-21 15:56 Strange problem with SCTP+IPv6 Corey Minyard
2020-06-21 15:56 ` Corey Minyard
2020-06-22 11:52 ` Xin Long
2020-06-22 12:01 ` Xin Long
2020-06-22 12:32 ` Michael Tuexen
2020-06-22 12:32 ` Michael Tuexen
2020-06-22 16:57 ` Corey Minyard
2020-06-22 16:57 ` Corey Minyard
2020-06-22 18:01 ` Michael Tuexen
2020-06-22 18:01 ` Michael Tuexen
2020-06-22 18:32 ` Marcelo Ricardo Leitner
2020-06-22 18:32 ` Marcelo Ricardo Leitner
2020-06-22 18:34 ` Michael Tuexen
2020-06-22 18:34 ` Michael Tuexen
2020-06-23 10:13 ` Xin Long
2020-06-23 10:13 ` Xin Long
2020-06-23 13:29 ` Corey Minyard
2020-06-23 13:29 ` Corey Minyard
2020-06-23 15:40 ` Xin Long
2020-06-23 15:40 ` Xin Long
2020-06-23 16:00 ` Corey Minyard
2020-06-23 16:00 ` Corey Minyard
2020-06-24 6:58 ` Xin Long
2020-06-24 6:58 ` Xin Long
2020-06-26 16:13 ` David Laight
2020-06-26 16:13 ` David Laight
2020-06-26 16:27 ` Michael Tuexen
2020-06-26 16:27 ` Michael Tuexen
2020-06-23 13:17 ` David Laight
2020-06-23 16:04 ` [PATCH] sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket minyard
2020-06-23 16:04 ` minyard
2020-06-24 20:31 ` Marcelo Ricardo Leitner
2020-06-24 20:31 ` Marcelo Ricardo Leitner
2020-06-24 20:34 ` [PATCH net] " Marcelo Ricardo Leitner
2020-06-24 20:34 ` Marcelo Ricardo Leitner
2020-06-24 20:53 ` Corey Minyard
2020-06-24 20:53 ` Corey Minyard
2020-06-25 23:12 ` David Miller
2020-06-25 23:12 ` David Miller
2020-06-23 16:17 ` Strange problem with SCTP+IPv6 Corey Minyard
2020-06-23 16:17 ` Corey Minyard
2020-06-23 21:21 ` 'Marcelo Ricardo Leitner' [this message]
2020-06-23 21:21 ` 'Marcelo Ricardo Leitner'
2020-06-23 21:24 ` Michael Tuexen
2020-06-23 21:24 ` Michael Tuexen
2020-06-23 21:31 ` Marcelo Ricardo Leitner
2020-06-23 21:31 ` Marcelo Ricardo Leitner
2020-06-23 21:48 ` Michael Tuexen
2020-06-23 21:48 ` Michael Tuexen
2020-06-24 7:25 ` Xin Long
2020-06-24 7:25 ` Xin Long
2020-06-24 9:18 ` Michael Tuexen
2020-06-24 9:18 ` Michael Tuexen
2020-06-23 17:09 ` Michael Tuexen
2020-06-23 17:09 ` Michael Tuexen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200623212143.GR2491@localhost.localdomain \
--to=marcelo.leitner@gmail.com \
--cc=David.Laight@aculab.com \
--cc=Michael.Tuexen@lurchi.franken.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sctp@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=minyard@acm.org \
--cc=nhorman@tuxdriver.com \
--cc=vyasevich@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.