Use IPv6 SAS algorithm for reflected ICMPv6 datagrams in NAT64
ClosedPublic
Actions

Authored by ae on Dec 2 2019, 11:39 AM.

Details

Reviewers

melifaro

Commits

rS355650: Follow RFC 4443 p2.2 and always use own addresses for reflected ICMPv6

Summary

NAT64 module uses own icmp6_reflect() function to be able make better accounting and use deferred and direct output.
It has used destination IPv6 address as source for reflected ICMPv6 datagrams. This mostly works, but can confuse some software.
E.g. traceroute's output looks wired.

[me@mylaptop ~]traceroute6 -w1 -n 64:ff9b::8.8.8.8
traceroute6 to 64:ff9b::8.8.8.8 (64:ff9b::808:808) from 2001:67c:64:49:a421:5045:508d:495a, 64 hops max, 12 byte packets
 1  64:ff9b::808:808  1.732 ms  2.166 ms  2.198 ms
 2  64:ff9b::c100:605  2.131 ms  2.308 ms  3.216 ms
 3  64:ff9b::50f9:d0f7  3.115 ms  4.114 ms  3.657 ms
 4  64:ff9b::6caa:f1c1  3.892 ms
    64:ff9b::6caa:f1a1  4.034 ms  5.465 ms
 5  64:ff9b::6caa:ec87  5.895 ms
    64:ff9b::480e:eef5  4.412 ms
    64:ff9b::d8ef:310d  4.358 ms
 6  64:ff9b::808:808  4.418 ms  3.498 ms  3.247 ms

This patch add:

ability use standard method to select source address for such datagrams
honor IP_STEALTH kernel option and don't decrement TTL/HLIM

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

ae created this revision.Dec 2 2019, 11:39 AM

Herald added a subscriber: imp. · View Herald TranscriptDec 2 2019, 11:39 AM

Harbormaster completed remote builds in B27884: Diff 65119.Dec 2 2019, 11:39 AM

melifaro added a subscriber: melifaro.Dec 2 2019, 11:51 AM

melifaro added inline comments.

sys/netpfil/ipfw/nat64/nat64_translate.c
97 ↗	(On Diff #65119)	Do we want it to be const? I'd expect it to be determined based on the `V_ipstealth` value.
714 ↗	(On Diff #65119)	Worth referencing RFC 4443 2.2 just in case?
720 ↗	(On Diff #65119)	RFC 4443 2.2b: "the Source Address of the ICMPv6 packet MUST be a unicast address belonging to the node"
1217 ↗	(On Diff #65119)	Nit: why explicit false? style(9) doesn't require that

melifaro added a reviewer: melifaro.Dec 2 2019, 12:03 PM

melifaro added inline comments.Dec 2 2019, 12:59 PM

sys/netpfil/ipfw/nat64/nat64_translate.c
637 ↗	(On Diff #65119)	Worth having another variable ("photo") for the result?

Update the patch.

Since ipstealth can be turned off/on in run-time, use the pointer to
specific kernel variable.
Initialize them explicitly for direct case, since variables are virtualized.

Harbormaster completed remote builds in B28060: Diff 65455.Dec 10 2019, 1:19 PM

ae marked 3 inline comments as done.Dec 10 2019, 1:21 PM

melifaro accepted this revision.Dec 10 2019, 1:34 PM

This revision is now accepted and ready to land.Dec 10 2019, 1:34 PM

Closed by commit rS355650: Follow RFC 4443 p2.2 and always use own addresses for reflected ICMPv6 (authored by ae). · Explain WhyDec 12 2019, 1:29 PM

This revision was automatically updated to reflect the committed changes.

ae added a commit: rS355650: Follow RFC 4443 p2.2 and always use own addresses for reflected ICMPv6.