Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp43088ybt; Tue, 23 Jun 2020 14:51:34 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzfPNLSsxgn6H8XDdOtrsOcrjhXMsngfR2p8Z9PZL6yNhs97s6E+cGcpVNykssXOOwkvkJ5 X-Received: by 2002:a17:906:3152:: with SMTP id e18mr8512413eje.137.1592949094129; Tue, 23 Jun 2020 14:51:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592949094; cv=none; d=google.com; s=arc-20160816; b=ZjLadPYiqa+xRbFlZz+baCRmxJmZPBqgVtiOkxaxDkwgypOkkWYJzgzArSydzCHQdk ckyukriYgnG3mOX+8xjKhAHp2g/U56bc0U0Aw5LFKJ68IFIxr5awE5sjGphk4LZwEJrh 98os5tZph1Pg1lP4YUe/3Kix2GajpWDTmpxqjM17x0ArgPYAGl0BhACocLRxHcOUP7bo vahOnaaTpk6gqK/H6/KaI2ddIba73mIpPCPXWkfcftCfh+/v01bkvQdFt+YmcHsgA4Xf r9g4Pf0TymCjLevfCAfS5VgVxKFxeSla6EvZOC1vSBXLzYndENtIHwf2+NWtE+VnBmC+ Gv1Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version; bh=FuR8zNUzHNCFi9lQBdnhpi2dbiQzKJlY0wocsBa6kw8=; b=w8v3aZbEPEt0ycS41NQHm2M1WaxsJxNyGqxGiQaRsY4BJpm9odXxxloNvOU90hCGOa B/54zK6Y33bR0aTb7wnkeR+dh5hQxoVD+I9llUJJYYcRT/A3OrkNcIYER2Svd4aAxEaQ ZEkxOURm26ukv+RtTXWI+fFU34QjX/VTWUX40FCAfrNtv8BoJaL1DkFmXPLL1NxPf3q2 u9KdMFZexMegdP9jVWW7XSYYCYZWxCz+NjBrfxUihdDgPBCgNWa5EZGHGUOx43qPlDNO mRALbI+GpWCkLcX2/IaQmvVQ2wNOIE3/cn1WSGFqipFC9U8Ejl2Kk4inrbCVCDvvtDPq hjSw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q26si12462743edi.415.2020.06.23.14.51.10; Tue, 23 Jun 2020 14:51:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387980AbgFWVsy convert rfc822-to-8bit (ORCPT + 99 others); Tue, 23 Jun 2020 17:48:54 -0400 Received: from mail-n.franken.de ([193.175.24.27]:49214 "EHLO drew.franken.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S2387455AbgFWVsy (ORCPT ); Tue, 23 Jun 2020 17:48:54 -0400 Received: from [IPv6:2a02:8109:1140:c3d:89d7:47b7:d524:7e59] (unknown [IPv6:2a02:8109:1140:c3d:89d7:47b7:d524:7e59]) (Authenticated sender: lurchi) by drew.franken.de (Postfix) with ESMTPSA id 968BC7220B819; Tue, 23 Jun 2020 23:48:49 +0200 (CEST) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\)) Subject: Re: Strange problem with SCTP+IPv6 From: Michael Tuexen In-Reply-To: <20200623213102.GS2491@localhost.localdomain> Date: Tue, 23 Jun 2020 23:48:48 +0200 Cc: Corey Minyard , David Laight , Xin Long , Vlad Yasevich , Neil Horman , "linux-sctp@vger.kernel.org" , LKML Content-Transfer-Encoding: 8BIT Message-Id: <42823598-7B01-4C62-B896-ACC4449F3AFF@lurchi.franken.de> References: <20200621155604.GA23135@minyard.net> <20200622165759.GA3235@minyard.net> <4B68D06C-00F4-42C3-804A-B5531AABCE21@lurchi.franken.de> <20200622183253.GQ2491@localhost.localdomain> <20200623161756.GE3235@minyard.net> <20200623212143.GR2491@localhost.localdomain> <20200623213102.GS2491@localhost.localdomain> To: Marcelo Ricardo Leitner X-Mailer: Apple Mail (2.3608.80.23.2.2) X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=disabled version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mail-n.franken.de Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On 23. Jun 2020, at 23:31, Marcelo Ricardo Leitner wrote: > > On Tue, Jun 23, 2020 at 11:24:59PM +0200, Michael Tuexen wrote: >>> On 23. Jun 2020, at 23:21, Marcelo Ricardo Leitner wrote: >>> >>> On Tue, Jun 23, 2020 at 11:17:56AM -0500, Corey Minyard wrote: >>>> On Tue, Jun 23, 2020 at 01:17:28PM +0000, David Laight wrote: >>>>> From: Marcelo Ricardo Leitner >>>>>> Sent: 22 June 2020 19:33 >>>>>> On Mon, Jun 22, 2020 at 08:01:24PM +0200, Michael Tuexen wrote: >>>>>>>> On 22. Jun 2020, at 18:57, Corey Minyard wrote: >>>>>>>> >>>>>>>> On Mon, Jun 22, 2020 at 08:01:23PM +0800, Xin Long wrote: >>>>>>>>> On Sun, Jun 21, 2020 at 11:56 PM Corey Minyard wrote: >>>>>>>>>> >>>>>>>>>> I've stumbled upon a strange problem with SCTP and IPv6. If I create an >>>>>>>>>> sctp listening socket on :: and set the IPV6_V6ONLY socket option on it, >>>>>>>>>> then I make a connection to it using ::1, the connection will drop after >>>>>>>>>> 2.5 seconds with an ECONNRESET error. >>>>>>>>>> >>>>>>>>>> It only happens on SCTP, it doesn't have the issue if you connect to a >>>>>>>>>> full IPv6 address instead of ::1, and it doesn't happen if you don't >>>>>>>>>> set IPV6_V6ONLY. I have verified current end of tree kernel.org. >>>>>>>>>> I tried on an ARM system and x86_64. >>>>>>>>>> >>>>>>>>>> I haven't dug into the kernel to see if I could find anything yet, but I >>>>>>>>>> thought I would go ahead and report it. I am attaching a reproducer. >>>>>>>>>> Basically, compile the following code: >>>>>>>>> The code only set IPV6_V6ONLY on server side, so the client side will >>>>>>>>> still bind all the local ipv4 addresses (as you didn't call bind() to >>>>>>>>> bind any specific addresses ). Then after the connection is created, >>>>>>>>> the client will send HB on the v4 paths to the server. The server >>>>>>>>> will abort the connection, as it can't support v4. >>>>>>>>> >>>>>>>>> So you can work around it by either: >>>>>>>>> >>>>>>>>> - set IPV6_V6ONLY on client side. >>>>>>>>> >>>>>>>>> or >>>>>>>>> >>>>>>>>> - bind to the specific v6 addresses on the client side. >>>>>>>>> >>>>>>>>> I don't see RFC said something about this. >>>>>>>>> So it may not be a good idea to change the current behaviour >>>>>>>>> to not establish the connection in this case, which may cause regression. >>>>>>>> >>>>>>>> Ok, I understand this. It's a little strange, but I see why it works >>>>>>>> this way. >>>>>>> I don't. I would expect it to work as I described in my email. >>>>>>> Could someone explain me how and why it is behaving different from >>>>>>> my expectation? >>>>>> >>>>>> It looks like a bug to me. Testing with this test app here, I can see >>>>>> the INIT_ACK being sent with a bunch of ipv4 addresses in it and >>>>>> that's unexpected for a v6only socket. As is, it's the server saying >>>>>> "I'm available at these other addresses too, but not." >>>>> >>>>> Does it even make sense to mix IPv4 and IPv6 addresses on the same >>>>> connection? >>>>> I don't remember ever seeing both types of address in a message, >>>>> but may not have looked. >>>> >>>> That's an interesting question. Do the RFCs say anything? I would >>>> assume it was ok unless ipv6only was set. >>>> >>>>> >>>>> I also wonder whether the connection should be dropped for an error >>>>> response on a path that has never been validated. >>>> >>>> That actually bothered me a bit more. Shouldn't it stay up if any path >>>> is up? That's kind of the whole point of multihoming. >>> >>> Michael explained it on the other email. What he described is what I >>> observed in my tests. >>> >>>> >>>>> >>>>> OTOH the whole 'multi-homing' part of SCTP sucks. >>>> >>>> I don't think so. >>>> >>>>> The IP addresses a server needs to bind to depend on where the >>>>> incoming connection will come from. >>>>> A local connection may be able to use a 192.168.x.x address >>>>> but a remote connection must not - as it may be defined locally >>>>> at the remote system. >>>>> But both connections can come into the public (routable) address. >>>>> We have to tell customers to explicitly configure the local IP >>>>> addresses - which means the application has to know what they are. >>>>> Fortunately these apps are pretty static - usually M3UA. >>>> >>>> Umm, no, If you have a private address, it better be behind a firewall, >>>> and the firewall should handle rewriting the packet to fix the addresses. >>>> >>>> It doesn't appear that Linux netfilter does this. There is a TODO in >>>> the code for this. But that's how it *should* work. >>> >>> Right, we don't support SCTP aware NAT [1]. >>> >>> 1.https://tools.ietf.org/html/draft-stewart-behave-sctpnat-04 >> The current version is: https://tools.ietf.org/html/draft-ietf-tsvwg-natsupp-16 > > Thanks! > >> >> Another possibility for NAT traversal is UDP encapsulation... > > Also not supported.. :-] But maybe someone wants to implement it. It is supported by FreeBSD, if you need a peer for testing. Or the userland stack usrsctp supports it. Then you do not need root privileges to run it. Best regards Michael > > Best regards, > Marcelo > >> >> Best regards >> Michael >>> >>> Marcelo >>> >>>> >>>> -corey >>>> >>>>> >>>>> David >>>>> >>>>> - >>>>> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK >>>>> Registration No: 1397386 (Wales) >>>>> >>