------------------------------------------------------------
revno: 6390
committer: Miika Komu <miika@xxxxxx>
branch nick: hipl
timestamp: Thu 2012-07-19 15:00:32 +0300
message:
  A bug fix and a documentation update to the relay functionality

  The HIP and ESP relay functionality is located in hipd and hipfw. The former forwards the control plane and the latter the data plane to overcome NAT devices that do not support e.g. Teredo-based penetration.

  This functionality was broken twice in hipfw. Firstly, a relay registration failed because the hipfw code didn't distinguish between a registration (destination HIT is the relay) and a relayed connection (destination HIT is not the relay). Now it does again.

  Secondly, the relay failed to forward the ESP data plane due to an initialisation failure. The hipfw initialised the corresponding iptables rules when it received a message from hipd indicating that the relay was enabled. While this supported dynamic initialisation, the hipfw had already lowered its privileges and consequently executing iptables failed. One possible way to solve the second issue would have been to require omitting privilege downgrade when using the relay, but this would have been a bad idea from the viewpoint of security. So, I decided to change the dynamic relay configuration option into a static command line option to avoid the chicken-and-egg problem with the hipfw. Now the HIP vs. ESP relay functionality is also decoupled, which I believe is marginally more useful. This is now identified more clearly in the manual as well.
modified:
  doc/HOWTO.xml.in
  hipfw/conntrack.c
  hipfw/hipfw.c
  hipfw/hipfw_control.c
  hipfw/main.c
--
lp:hipl
https://code.launchpad.net/~hipl-core/hipl/trunk
=== modified file 'doc/HOWTO.xml.in' --- doc/HOWTO.xml.in 2012-07-13 13:16:17 +0000 +++ doc/HOWTO.xml.in 2012-07-19 12:00:32 +0000 @@ -1907,9 +1907,11 @@ <title>HIP Relay Mechanisms</title> <note><title>NOTE:</title> <para> - The HIP relay mechanisms are still under construction. - Therefore, the forwarding mechanisms presented herein do not work. Only - the relay service registration works. + The HIP relay mechanisms are experimental and you should always couple + it with the access control mechanisms of hipfw to avoid becoming an + open relay. Please also note that the control and data plane relaying + have to be enabled separately (the former in hipd and the latter in + hipfw). </para> </note> <abstract> @@ -1988,13 +1990,20 @@ </programlisting> </para></listitem> <listitem><para> - At the relay server, we have to indicate that we are willing to offer - relay service: + At the relay server, we have to indicate that we are willing to + offer HIP relay service (control plane only): <programlisting> hipconf daemon add service relay </programlisting> </para></listitem> <listitem><para> + If the relay server should forward also ESP (data plane), you must + enable it separately by restarting hipfw and include the -r option: + <programlisting> + hipfw -bklpFr + </programlisting> + </para></listitem> + <listitem><para> At the responder, we have to register to the relay server: <programlisting> hipconf daemon add server relay <RELAY-HIT> <RELAY-IP> <LIFETIME-IN-SECONDS> === modified file 'hipfw/conntrack.c' --- hipfw/conntrack.c 2012-05-12 10:21:32 +0000 +++ hipfw/conntrack.c 2012-07-19 12:00:32 +0000 
@@ -938,7 +938,8 @@ uint32_t spi; const struct hip_esp_info *esp_info; - if (esp_relay && ctx->udp_encap_hdr) { + if (esp_relay && ctx->udp_encap_hdr && + !fw_hit_is_our(&common->hit_sender)) { HIP_ASSERT((hip_get_msg_type(common) == HIP_R2)); HIP_IFEL(!(relay_to = hip_get_param(common, HIP_PARAM_RELAY_TO)), -1, === modified file 'hipfw/hipfw.c' --- hipfw/hipfw.c 2012-05-12 10:21:32 +0000 +++ hipfw/hipfw.c 2012-07-19 12:00:32 +0000 @@ -508,6 +508,8 @@ midauth_init(); hipfw_midauth_update_nonces(); + hip_fw_init_esp_relay(); + HIP_IFEL(cert_init(), -1, "failed to load extension (cert)\n"); // Initializing local port cache database @@ -528,7 +530,8 @@ { int err = 0; - esp_relay = 1; + if (esp_relay == 0) + return 0; /* Required for ESP relay and might not be active */ if (!filter_traffic) { @@ -549,6 +552,11 @@ */ void hip_fw_uninit_esp_relay(void) { + if (esp_relay == 0) { + HIP_DEBUG("ESP relay was already uninitialized\n"); + return; + } + esp_relay = 0; if (restore_filter_traffic == 0) { @@ -645,6 +653,8 @@ fw_uninit_lsi_support(); hip_fw_uninit_conntrack(); + hip_fw_uninit_esp_relay(); + cert_uninit(); #ifdef CONFIG_HIP_PERFORMANCE === modified file 'hipfw/hipfw_control.c' --- hipfw/hipfw_control.c 2012-05-12 06:54:33 +0000 +++ hipfw/hipfw_control.c 2012-07-19 12:00:32 +0000 @@ -136,14 +136,12 @@ break; case HIP_MSG_OFFER_FULLRELAY: if (!esp_relay) { - HIP_DEBUG("Enabling ESP relay\n"); + HIP_ERROR("Enable ESP relay with option -r for hipfw!\n"); hip_fw_init_esp_relay(); - } else { - HIP_DEBUG("ESP relay already enabled\n"); } break; case HIP_MSG_CANCEL_FULLRELAY: - HIP_DEBUG("Disabling ESP relay\n"); + HIP_DEBUG("To disable ESP relay, restart hipfw without -r option\n"); hip_fw_uninit_esp_relay(); break; case HIP_MSG_GET_HA_INFO: === modified file 'hipfw/main.c' --- hipfw/main.c 2012-05-12 06:54:33 +0000 +++ hipfw/main.c 2012-07-19 12:00:32 +0000 
@@ -74,6 +74,7 @@ puts(" -p = run with lowered privileges. iptables rules will not be flushed on exit"); puts(" -t <seconds> = set timeout interval to <seconds>. Disable if <seconds> = 0"); puts(" -u = attempt to speed up esp traffic using iptables rules"); + puts(" -r = enable ESP relaying (HIP relaying for HIP daemon needs to be enabled separately)"); puts(" -h = print this help"); puts(""); } @@ -102,7 +103,7 @@ char *end_of_number; int ch; - while ((ch = getopt(argc, argv, "aAbcdef:FhHiIklmpt:uvV")) != -1) { + while ((ch = getopt(argc, argv, "aAbcdef:FhHiIklmprt:uvV")) != -1) { switch (ch) { case 'A': accept_hip_esp_traffic_by_default = 1; @@ -167,6 +168,9 @@ case 'u': esp_speedup = 1; break; + case 'r': + esp_relay = 1; + break; case 'v': log_level = LOGDEBUG_MEDIUM; hip_set_logfmt(LOGFMT_SHORT);
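Review bot: in the doc/HOWTO.xml.in hunk the new NOTE reads "The HIP relay mechanisms are experimental and you should always couple it with", which should be "couple them with", and it warns about becoming an open relay without saying how to avoid it; name the hipfw access control mechanism (or point at the section of this HOWTO that describes it) so that a reader who follows the new `hipfw -bklpFr` step can actually apply the restriction. In the same hunk, "If the relay server should forward also ESP (data plane)" reads better as "If the relay server should also forward ESP (data plane)".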
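Review bot: the added `!fw_hit_is_our(&common->hit_sender)` condition in hipfw/conntrack.c needs a comment, because the commit message describes the distinction as "destination HIT is the relay" for a registration while the code tests the sender HIT, and only the HIP_ASSERT on the following line (message must be an R2) lets the reader work out that on the R2 the registering relay is the sender. A one-liner such as `/* An R2 sent from our own HIT is a relay registration, not a relayed connection */` saves the next maintainer that derivation. While here, consider whether HIP_ASSERT is the right reaction to a non-R2 message on this path: if it aborts the process like a plain assert, an attacker who can reach the relay gets a cheap way to take hipfw down, whereas an HIP_IFEL returning -1 would match the style of the very next line.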
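Review bot: hip_fw_init_esp_relay() in hipfw/hipfw.c now returns 0 when esp_relay == 0 and no longer sets the flag itself, so it depends on `-r` having set esp_relay before the new call added after hipfw_midauth_update_nonces(); that ordering holds for command line parsing, but the early return also silently swallows the call that hipfw_control.c still makes on HIP_MSG_OFFER_FULLRELAY, so please make that caller explicit (see the note on that file). The new hip_fw_uninit_esp_relay() call in the uninit path has the mirror image of the problem this commit fixes for init: the help text states that with `-p` "iptables rules will not be flushed on exit" because privileges are lowered, so whatever iptables cleanup runs under `if (restore_filter_traffic == 0)` will fail in exactly that configuration; either skip the teardown when running with lowered privileges or log the failure as expected rather than as an error.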
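Review bot: in the HIP_MSG_OFFER_FULLRELAY case of hipfw/hipfw_control.c the call to hip_fw_init_esp_relay() is now dead code, since the function returns immediately when esp_relay == 0 and that is precisely the condition guarding this branch; drop the call and keep only the HIP_ERROR so the message matches the behaviour. The HIP_MSG_CANCEL_FULLRELAY case is asymmetric with it: the new debug text tells the operator to restart hipfw without `-r`, yet hip_fw_uninit_esp_relay() is still called and sets esp_relay = 0, so hipd can switch the data-plane relay off at runtime (running its iptables teardown with lowered privileges, the failure this commit works around) while only a restart can switch it back on. Either make the cancel path a no-op as well, consistent with the now static configuration, or document in the HOWTO that hipd can disable but not enable ESP relaying.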
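Review bot: the new `-r` help line in hipfw/main.c should carry the open-relay warning that the HOWTO hunk adds, because an operator reading `hipfw -h` never sees the manual; for example `puts(" -r = enable ESP relaying (restrict it with hipfw access control; HIP relaying must be enabled separately in hipd)");`. The extended getopt string `"aAbcdef:FhHiIklmprt:uvV"` and the `case 'r': esp_relay = 1;` branch are consistent with the early return added to hip_fw_init_esp_relay().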