linux-sctp.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
To: Xin Long <lucien.xin@gmail.com>
Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
	Corey Minyard <minyard@acm.org>,
	David Laight <David.Laight@aculab.com>,
	Vlad Yasevich <vyasevich@gmail.com>,
	Neil Horman <nhorman@tuxdriver.com>,
	"linux-sctp@vger.kernel.org" <linux-sctp@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: Strange problem with SCTP+IPv6
Date: Wed, 24 Jun 2020 09:18:09 +0000	[thread overview]
Message-ID: <6EA67F12-F19A-4C60-A652-B08C78A36CBA@lurchi.franken.de> (raw)
In-Reply-To: <CADvbK_cXsS7_kYifCqMRcedtNgG0hNmgrf33+hkkjmK7xjAP=A@mail.gmail.com>

> On 24. Jun 2020, at 09:25, Xin Long <lucien.xin@gmail.com> wrote:
> 
> On Wed, Jun 24, 2020 at 5:48 AM Michael Tuexen
> <michael.tuexen@lurchi.franken.de> wrote:
>> 
>>> On 23. Jun 2020, at 23:31, Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> wrote:
>>> 
>>> On Tue, Jun 23, 2020 at 11:24:59PM +0200, Michael Tuexen wrote:
>>>>> On 23. Jun 2020, at 23:21, Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> wrote:
>>>>> 
>>>>> On Tue, Jun 23, 2020 at 11:17:56AM -0500, Corey Minyard wrote:
>>>>>> On Tue, Jun 23, 2020 at 01:17:28PM +0000, David Laight wrote:
>>>>>>> From: Marcelo Ricardo Leitner
>>>>>>>> Sent: 22 June 2020 19:33
>>>>>>>> On Mon, Jun 22, 2020 at 08:01:24PM +0200, Michael Tuexen wrote:
>>>>>>>>>> On 22. Jun 2020, at 18:57, Corey Minyard <minyard@acm.org> wrote:
>>>>>>>>>> 
>>>>>>>>>> On Mon, Jun 22, 2020 at 08:01:23PM +0800, Xin Long wrote:
>>>>>>>>>>> On Sun, Jun 21, 2020 at 11:56 PM Corey Minyard <minyard@acm.org> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> I've stumbled upon a strange problem with SCTP and IPv6.  If I create an
>>>>>>>>>>>> sctp listening socket on :: and set the IPV6_V6ONLY socket option on it,
>>>>>>>>>>>> then I make a connection to it using ::1, the connection will drop after
>>>>>>>>>>>> 2.5 seconds with an ECONNRESET error.
>>>>>>>>>>>> 
>>>>>>>>>>>> It only happens on SCTP, it doesn't have the issue if you connect to a
>>>>>>>>>>>> full IPv6 address instead of ::1, and it doesn't happen if you don't
>>>>>>>>>>>> set IPV6_V6ONLY.  I have verified current end of tree kernel.org.
>>>>>>>>>>>> I tried on an ARM system and x86_64.
>>>>>>>>>>>> 
>>>>>>>>>>>> I haven't dug into the kernel to see if I could find anything yet, but I
>>>>>>>>>>>> thought I would go ahead and report it.  I am attaching a reproducer.
>>>>>>>>>>>> Basically, compile the following code:
>>>>>>>>>>> The code only set IPV6_V6ONLY on server side, so the client side will
>>>>>>>>>>> still bind all the local ipv4 addresses (as you didn't call bind() to
>>>>>>>>>>> bind any specific addresses ). Then after the connection is created,
>>>>>>>>>>> the client will send HB on the v4 paths to the server. The server
>>>>>>>>>>> will abort the connection, as it can't support v4.
>>>>>>>>>>> 
>>>>>>>>>>> So you can work around it by either:
>>>>>>>>>>> 
>>>>>>>>>>> - set IPV6_V6ONLY on client side.
>>>>>>>>>>> 
>>>>>>>>>>> or
>>>>>>>>>>> 
>>>>>>>>>>> - bind to the specific v6 addresses on the client side.
>>>>>>>>>>> 
>>>>>>>>>>> I don't see RFC said something about this.
>>>>>>>>>>> So it may not be a good idea to change the current behaviour
>>>>>>>>>>> to not establish the connection in this case, which may cause regression.
>>>>>>>>>> 
>>>>>>>>>> Ok, I understand this.  It's a little strange, but I see why it works
>>>>>>>>>> this way.
>>>>>>>>> I don't. I would expect it to work as I described in my email.
>>>>>>>>> Could someone explain me how and why it is behaving different from
>>>>>>>>> my expectation?
>>>>>>>> 
>>>>>>>> It looks like a bug to me. Testing with this test app here, I can see
>>>>>>>> the INIT_ACK being sent with a bunch of ipv4 addresses in it and
>>>>>>>> that's unexpected for a v6only socket. As is, it's the server saying
>>>>>>>> "I'm available at these other addresses too, but not."
>>>>>>> 
>>>>>>> Does it even make sense to mix IPv4 and IPv6 addresses on the same
>>>>>>> connection?
>>>>>>> I don't remember ever seeing both types of address in a message,
>>>>>>> but may not have looked.
>>>>>> 
>>>>>> That's an interesting question.  Do the RFCs say anything?  I would
>>>>>> assume it was ok unless ipv6only was set.
>>>>>> 
>>>>>>> 
>>>>>>> I also wonder whether the connection should be dropped for an error
>>>>>>> response on a path that has never been validated.
>>>>>> 
>>>>>> That actually bothered me a bit more.  Shouldn't it stay up if any path
>>>>>> is up?  That's kind of the whole point of multihoming.
>>>>> 
>>>>> Michael explained it on the other email. What he described is what I
>>>>> observed in my tests.
>>>>> 
>>>>>> 
>>>>>>> 
>>>>>>> OTOH the whole 'multi-homing' part of SCTP sucks.
>>>>>> 
>>>>>> I don't think so.
>>>>>> 
>>>>>>> The IP addresses a server needs to bind to depend on where the
>>>>>>> incoming connection will come from.
>>>>>>> A local connection may be able to use a 192.168.x.x address
>>>>>>> but a remote connection must not - as it may be defined locally
>>>>>>> at the remote system.
>>>>>>> But both connections can come into the public (routable) address.
>>>>>>> We have to tell customers to explicitly configure the local IP
>>>>>>> addresses - which means the application has to know what they are.
>>>>>>> Fortunately these apps are pretty static - usually M3UA.
>>>>>> 
>>>>>> Umm, no,  If you have a private address, it better be behind a firewall,
>>>>>> and the firewall should handle rewriting the packet to fix the addresses.
>>>>>> 
>>>>>> It doesn't appear that Linux netfilter does this.  There is a TODO in
>>>>>> the code for this.  But that's how it *should* work.
>>>>> 
>>>>> Right, we don't support SCTP aware NAT [1].
>>>>> 
>>>>> 1.https://tools.ietf.org/html/draft-stewart-behave-sctpnat-04
>>>> The current version is: https://tools.ietf.org/html/draft-ietf-tsvwg-natsupp-16
>>> 
>>> Thanks!
>>> 
>>>> 
>>>> Another possibility for NAT traversal is UDP encapsulation...
>>> 
>>> Also not supported.. :-]
>> But maybe someone wants to implement it. It is supported by FreeBSD, if you
>> need a peer for testing. Or the userland stack usrsctp supports it. Then you
>> do not need root privileges to run it.
> You mean SCTP_REMOTE_UDP_ENCAPS_PORT sockopt, right?
> We have this in our to-do list. I mixed rfc6951 with the userland one.
> Will prioritize this feature. Thanks.
Great to hear. When implementing RFC 6951 support, please take
https://tools.ietf.org/html/draft-tuexen-tsvwg-sctp-udp-encaps-cons-02
into account. It is still valid and will be pushed further after RFC 4960bis
is done.

Best regards
Michael
> 
>> 
>> Best regards
>> Michael
>>> 
>>> Best regards,
>>> Marcelo
>>> 
>>>> 
>>>> Best regards
>>>> Michael
>>>>> 
>>>>> Marcelo
>>>>> 
>>>>>> 
>>>>>> -corey
>>>>>> 
>>>>>>> 
>>>>>>>  David
>>>>>>> 
>>>>>>> -
>>>>>>> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
>>>>>>> Registration No: 1397386 (Wales)
>>>>>>> 
>>>> 
>> 

  reply	other threads:[~2020-06-24  9:18 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-21 15:56 Strange problem with SCTP+IPv6 Corey Minyard
2020-06-22 11:52 ` Xin Long
2020-06-22 12:32   ` Michael Tuexen
2020-06-22 16:57   ` Corey Minyard
2020-06-22 18:01     ` Michael Tuexen
2020-06-22 18:32       ` Marcelo Ricardo Leitner
2020-06-22 18:34         ` Michael Tuexen
2020-06-23 10:13           ` Xin Long
2020-06-23 13:29             ` Corey Minyard
2020-06-23 15:40               ` Xin Long
2020-06-23 16:00                 ` Corey Minyard
2020-06-24  6:58                   ` Xin Long
2020-06-26 16:13             ` David Laight
2020-06-26 16:27               ` Michael Tuexen
2020-06-23 13:17         ` David Laight
2020-06-23 16:04           ` [PATCH] sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket minyard
2020-06-24 20:31             ` Marcelo Ricardo Leitner
2020-06-24 20:34             ` [PATCH net] " Marcelo Ricardo Leitner
2020-06-24 20:53               ` Corey Minyard
2020-06-25 23:12               ` David Miller
2020-06-23 16:17           ` Strange problem with SCTP+IPv6 Corey Minyard
2020-06-23 21:21             ` 'Marcelo Ricardo Leitner'
2020-06-23 21:24               ` Michael Tuexen
2020-06-23 21:31                 ` Marcelo Ricardo Leitner
2020-06-23 21:48                   ` Michael Tuexen
2020-06-24  7:25                     ` Xin Long
2020-06-24  9:18                       ` Michael Tuexen [this message]
2020-06-23 17:09           ` Michael Tuexen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6EA67F12-F19A-4C60-A652-B08C78A36CBA@lurchi.franken.de \
    --to=michael.tuexen@lurchi.franken.de \
    --cc=David.Laight@aculab.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-sctp@vger.kernel.org \
    --cc=lucien.xin@gmail.com \
    --cc=marcelo.leitner@gmail.com \
    --cc=minyard@acm.org \
    --cc=nhorman@tuxdriver.com \
    --cc=vyasevich@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).