| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 23 Jun 2020 18:31:02 -0300
From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
To: Michael Tuexen <Michael.Tuexen@...chi.franken.de>
Cc: Corey Minyard <minyard@....org>,
David Laight <David.Laight@...lab.com>,
Xin Long <lucien.xin@...il.com>,
Vlad Yasevich <vyasevich@...il.com>,
Neil Horman <nhorman@...driver.com>,
"linux-sctp@...r.kernel.org" <linux-sctp@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: Strange problem with SCTP+IPv6
On Tue, Jun 23, 2020 at 11:24:59PM +0200, Michael Tuexen wrote:
> > On 23. Jun 2020, at 23:21, Marcelo Ricardo Leitner <marcelo.leitner@...il.com> wrote:
> >
> > On Tue, Jun 23, 2020 at 11:17:56AM -0500, Corey Minyard wrote:
> >> On Tue, Jun 23, 2020 at 01:17:28PM +0000, David Laight wrote:
> >>> From: Marcelo Ricardo Leitner
> >>>> Sent: 22 June 2020 19:33
> >>>> On Mon, Jun 22, 2020 at 08:01:24PM +0200, Michael Tuexen wrote:
> >>>>>> On 22. Jun 2020, at 18:57, Corey Minyard <minyard@....org> wrote:
> >>>>>>
> >>>>>> On Mon, Jun 22, 2020 at 08:01:23PM +0800, Xin Long wrote:
> >>>>>>> On Sun, Jun 21, 2020 at 11:56 PM Corey Minyard <minyard@....org> wrote:
> >>>>>>>>
> >>>>>>>> I've stumbled upon a strange problem with SCTP and IPv6. If I create an
> >>>>>>>> sctp listening socket on :: and set the IPV6_V6ONLY socket option on it,
> >>>>>>>> then I make a connection to it using ::1, the connection will drop after
> >>>>>>>> 2.5 seconds with an ECONNRESET error.
> >>>>>>>>
> >>>>>>>> It only happens on SCTP, it doesn't have the issue if you connect to a
> >>>>>>>> full IPv6 address instead of ::1, and it doesn't happen if you don't
> >>>>>>>> set IPV6_V6ONLY. I have verified current end of tree kernel.org.
> >>>>>>>> I tried on an ARM system and x86_64.
> >>>>>>>>
> >>>>>>>> I haven't dug into the kernel to see if I could find anything yet, but I
> >>>>>>>> thought I would go ahead and report it. I am attaching a reproducer.
> >>>>>>>> Basically, compile the following code:
> >>>>>>> The code only set IPV6_V6ONLY on server side, so the client side will
> >>>>>>> still bind all the local ipv4 addresses (as you didn't call bind() to
> >>>>>>> bind any specific addresses ). Then after the connection is created,
> >>>>>>> the client will send HB on the v4 paths to the server. The server
> >>>>>>> will abort the connection, as it can't support v4.
> >>>>>>>
> >>>>>>> So you can work around it by either:
> >>>>>>>
> >>>>>>> - set IPV6_V6ONLY on client side.
> >>>>>>>
> >>>>>>> or
> >>>>>>>
> >>>>>>> - bind to the specific v6 addresses on the client side.
> >>>>>>>
> >>>>>>> I don't see RFC said something about this.
> >>>>>>> So it may not be a good idea to change the current behaviour
> >>>>>>> to not establish the connection in this case, which may cause regression.
> >>>>>>
> >>>>>> Ok, I understand this. It's a little strange, but I see why it works
> >>>>>> this way.
> >>>>> I don't. I would expect it to work as I described in my email.
> >>>>> Could someone explain me how and why it is behaving different from
> >>>>> my expectation?
> >>>>
> >>>> It looks like a bug to me. Testing with this test app here, I can see
> >>>> the INIT_ACK being sent with a bunch of ipv4 addresses in it and
> >>>> that's unexpected for a v6only socket. As is, it's the server saying
> >>>> "I'm available at these other addresses too, but not."
> >>>
> >>> Does it even make sense to mix IPv4 and IPv6 addresses on the same
> >>> connection?
> >>> I don't remember ever seeing both types of address in a message,
> >>> but may not have looked.
> >>
> >> That's an interesting question. Do the RFCs say anything? I would
> >> assume it was ok unless ipv6only was set.
> >>
> >>>
> >>> I also wonder whether the connection should be dropped for an error
> >>> response on a path that has never been validated.
> >>
> >> That actually bothered me a bit more. Shouldn't it stay up if any path
> >> is up? That's kind of the whole point of multihoming.
> >
> > Michael explained it on the other email. What he described is what I
> > observed in my tests.
> >
> >>
> >>>
> >>> OTOH the whole 'multi-homing' part of SCTP sucks.
> >>
> >> I don't think so.
> >>
> >>> The IP addresses a server needs to bind to depend on where the
> >>> incoming connection will come from.
> >>> A local connection may be able to use a 192.168.x.x address
> >>> but a remote connection must not - as it may be defined locally
> >>> at the remote system.
> >>> But both connections can come into the public (routable) address.
> >>> We have to tell customers to explicitly configure the local IP
> >>> addresses - which means the application has to know what they are.
> >>> Fortunately these apps are pretty static - usually M3UA.
> >>
> >> Umm, no, If you have a private address, it better be behind a firewall,
> >> and the firewall should handle rewriting the packet to fix the addresses.
> >>
> >> It doesn't appear that Linux netfilter does this. There is a TODO in
> >> the code for this. But that's how it *should* work.
> >
> > Right, we don't support SCTP aware NAT [1].
> >
> > 1.https://tools.ietf.org/html/draft-stewart-behave-sctpnat-04
> The current version is: https://tools.ietf.org/html/draft-ietf-tsvwg-natsupp-16
Thanks!
>
> Another possibility for NAT traversal is UDP encapsulation...
Also not supported.. :-]
Best regards,
Marcelo
>
> Best regards
> Michael
> >
> > Marcelo
> >
> >>
> >> -corey
> >>
> >>>
> >>> David
> >>>
> >>> -
> >>> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
> >>> Registration No: 1397386 (Wales)
> >>>
>
Powered by blists - more mailing lists