[hipl-dev] [Branch ~hipl-core/hipl/trunk] Rev 6390: A bug fix and a documentation update to the relay functionality

  • From: noreply@xxxxxxxxxxxxx
  • To: HIPL core team <hipl-dev@xxxxxxxxxxxxx>
  • Date: Thu, 19 Jul 2012 12:01:13 -0000

------------------------------------------------------------
revno: 6390
committer: Miika Komu <miika@xxxxxx>
branch nick: hipl
timestamp: Thu 2012-07-19 15:00:32 +0300
message:
  A bug fix and a documentation update to the relay functionality
  
  The HIP and ESP relay functionality is located in hipd and hipfw. The
  former forwards the control plane and the latter the data plane to overcome
  NAT devices that do not support e.g. Teredo-based penetration. This
  functionality was broken twice in hipfw.
  
  Firstly, a relay registration failed because the hipfw code didn't
  distinguish between a registration (destination HIT is the relay) and
  a relayed connection (destination HIT is not the relay). Now it does
  again.
  
  Secondly, the relay failed to forward the ESP data plane due to an
  initialisation failure. The hipfw initialised the corresponding
  iptables rules when it received a message from hipd indicating that
  the relay was enabled. While this supported dynamic initialisation,
  the hipfw had already lowered its privileges and consequently executing
  iptables failed.
  
  One possible way to solve the second issue would have been to require
  omitting privilege downgrade when using the relay but this would have
  been a bad idea from the view point of security. So, I decided to
  change the dynamic relay configuration option into a static command
  line option to avoid the chicken-and-egg problem with the hipfw. Now
  the HIP vs. ESP relay functionality is also decoupled which I believe
  is marginally more useful. This is now identified in a more clear way in
  the manual as well.
modified:
  doc/HOWTO.xml.in
  hipfw/conntrack.c
  hipfw/hipfw.c
  hipfw/hipfw_control.c
  hipfw/main.c
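The ordering problem the commit describes (privileged iptables setup must happen before hipfw drops privileges with -p, so the relay can only be a startup option) is shown below as an added example. It is not HIPL code and is not part of this commit; the function names, the raw socket standing in for hipfw's iptables rules (both need root or CAP_NET_RAW), and the unprivileged uid/gid 65534 are assumptions made for the example.

```c
/* Added example, not HIPL code: privileged setup first, an irrevocable
 * privilege drop second, and a runtime "enable relay" request refused
 * rather than attempted. The raw socket is a stand-in for hipfw's
 * iptables setup; uid/gid 65534 ("nobody") is assumed. */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define UNPRIV_UID 65534   /* assumed "nobody"; use a real service account */
#define UNPRIV_GID 65534

/* Stand-in for the iptables rules hipfw installs for ESP relaying: a raw
 * socket needs CAP_NET_RAW, so this succeeds only while we still hold
 * privileges. Returns 0 on success, -errno on failure. */
int privileged_relay_setup(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);

    if (fd < 0) {
        return -errno;
    }
    close(fd);
    return 0;
}

/* Drop root irrevocably: supplementary groups, then gid, then uid (in
 * that order, since a non-root process may no longer change groups).
 * A process that is not root has nothing to drop and returns 0. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0) {
        return 0;
    }
    if (setgroups(0, NULL) < 0) {
        return -errno;
    }
    if (setgid(gid) < 0) {
        return -errno;
    }
    if (setuid(uid) < 0) {   /* from euid 0 this sets real, effective and saved uid */
        return -errno;
    }
    return 0;
}

/* 1 if the process can still become root, 0 otherwise; after a
 * successful drop_privileges() this must be 0. */
int can_regain_root(void)
{
    return setuid(0) == 0;
}

/* Startup in the fixed order: privileged work if the -r equivalent was
 * given, then the drop. *relay_ready says whether the relay is set up.
 * A failed privileged step is an error, not something to retry later. */
int startup(int esp_relay_flag, int *relay_ready)
{
    int err;

    *relay_ready = 0;
    if (esp_relay_flag) {
        err = privileged_relay_setup();
        if (err < 0) {
            return err;
        }
        *relay_ready = 1;
    }
    return drop_privileges(UNPRIV_UID, UNPRIV_GID);
}

/* Runtime request to enable the relay (the analogue of a control message
 * such as HIP_MSG_OFFER_FULLRELAY). Privileges are gone by now, so the
 * only correct answers are "already on" or "refused". */
int handle_offer_fullrelay(int relay_ready)
{
    if (relay_ready) {
        return 0;
    }
    fprintf(stderr, "ESP relay must be enabled at startup; restart with -r\n");
    return -EPERM;
}

int main(void)
{
    int ready;
    int want_relay = geteuid() == 0;   /* non-root cannot do the privileged step */
    int err = startup(want_relay, &ready);

    printf("startup: %s, relay %s, can regain root: %d\n",
           err ? strerror(-err) : "ok", ready ? "ready" : "off",
           can_regain_root());
    printf("runtime offer -> %d, privileged setup after drop -> %d\n",
           handle_offer_fullrelay(ready), privileged_relay_setup());
    return err ? 1 : 0;
}
```

Run it as root to see the relay set up before the drop and the same privileged step fail afterwards; run it unprivileged to see the startup path refuse the relay instead of half-enabling it.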


--
lp:hipl
https://code.launchpad.net/~hipl-core/hipl/trunk

=== modified file 'doc/HOWTO.xml.in'
--- doc/HOWTO.xml.in    2012-07-13 13:16:17 +0000
+++ doc/HOWTO.xml.in    2012-07-19 12:00:32 +0000
@@ -1907,9 +1907,11 @@
       <title>HIP Relay Mechanisms</title>
       <note><title>NOTE:</title>
       <para>
-        The HIP relay mechanisms are still under construction.
-        Therefore, the forwarding mechanisms presented herein do not work. Only
-        the relay service registration works.
+        The HIP relay mechanisms are experimental and you should always couple
+        it with the access control mechanisms of hipfw to avoid becoming an
+        open relay. Please also note that the control and data plane relaying
+        have to be enabled separately (the former in hipd and the latter in
+        hipfw).
       </para>
       </note>
       <abstract>
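Review bot: The added NOTE warns about becoming an open relay and tells the reader to "couple it with the access control mechanisms of hipfw", but never says which hipfw option or HOWTO section provides that access control, so the warning is not actionable for someone setting up a relay; name the option or link the section. Minor: "mechanisms ... couple it" should read "couple them".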
@@ -1988,13 +1990,20 @@
             </programlisting>
           </para></listitem>
           <listitem><para>
-            At the relay server, we have to indicate that we are willing to 
offer
-            relay service:
+            At the relay server, we have to indicate that we are willing to
+            offer HIP relay service (control plane only):
             <programlisting>
               hipconf daemon add service relay
             </programlisting>
           </para></listitem>
           <listitem><para>
+            If the relay server should forward also ESP (data plane), you must
+            enable it separately by restarting hipfw and include the -r option:
+             <programlisting>
+              hipfw -bklpFr
+             </programlisting>
+          </para></listitem>
+          <listitem><para>
             At the responder, we have to register to the relay server:
             <programlisting>
               hipconf daemon add server relay &lt;RELAY-HIT&gt; 
&lt;RELAY-IP&gt; &lt;LIFETIME-IN-SECONDS&gt;
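Review bot: The new list item documents `hipfw -bklpFr` without saying why -r is a restart-only option: per the commit message the iptables setup for the relay must run before the -p privilege drop, so hipd cannot switch it on at runtime. Say explicitly that -r must be present when hipfw starts and that changing it means restarting hipfw; otherwise a reader who does the `hipconf daemon add service relay` step first will only see the new HIP_ERROR in hipfw's log and not know why. The other letters in -bklpFr are also unexplained here; either describe them as "your usual options plus -r" or point to hipfw -h.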

=== modified file 'hipfw/conntrack.c'
--- hipfw/conntrack.c   2012-05-12 10:21:32 +0000
+++ hipfw/conntrack.c   2012-07-19 12:00:32 +0000
@@ -938,7 +938,8 @@
     uint32_t                   spi;
     const struct hip_esp_info *esp_info;
 
-    if (esp_relay && ctx->udp_encap_hdr) {
+    if (esp_relay && ctx->udp_encap_hdr &&
+        !fw_hit_is_our(&common->hit_sender)) {
         HIP_ASSERT((hip_get_msg_type(common) == HIP_R2));
 
         HIP_IFEL(!(relay_to = hip_get_param(common, HIP_PARAM_RELAY_TO)), -1,
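Review bot: The new guard keys on hit_sender, whereas the commit message describes the distinction as "destination HIT is the relay". For the R2 this branch asserts on the two agree (in a registration the relay itself answers with the R2, so its HIT is the sender), but that reasoning belongs in a comment beside the check or message and code will drift apart. Separately, unless the caller guarantees only R2 packets reach this point, HIP_ASSERT((hip_get_msg_type(common) == HIP_R2)) is reachable for any UDP-encapsulated non-R2 control packet from a non-local HIT once -r is set; if HIP_ASSERT terminates hipfw that is a remote crash trigger on a relay, so replace it with a HIP_IFEL that drops the packet.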

=== modified file 'hipfw/hipfw.c'
--- hipfw/hipfw.c       2012-05-12 10:21:32 +0000
+++ hipfw/hipfw.c       2012-07-19 12:00:32 +0000
@@ -508,6 +508,8 @@
     midauth_init();
     hipfw_midauth_update_nonces();
 
+    hip_fw_init_esp_relay();
+
     HIP_IFEL(cert_init(), -1, "failed to load extension (cert)\n");
 
     // Initializing local port cache database
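Review bot: hip_fw_init_esp_relay() returns an int (the err the next hunk returns) but its result is discarded here, unlike the neighbouring HIP_IFEL(cert_init(), -1, ...). If -r was given and the iptables setup fails, hipfw continues with esp_relay = 1 and no rules, which is the silent failure this commit set out to fix. Wrap it as HIP_IFEL(hip_fw_init_esp_relay(), -1, "failed to init ESP relay\n"); and add a comment that this call must stay ahead of the -p privilege drop, since that ordering is the reason the option moved to the command line.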
@@ -528,7 +530,8 @@
 {
     int err = 0;
 
-    esp_relay = 1;
+    if (esp_relay == 0)
+        return 0;
 
     /* Required for ESP relay and might not be active */
     if (!filter_traffic) {
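Review bot: The single-statement `if (esp_relay == 0) return 0;` is unbraced while the rest of the file (including the uninit hunk below) braces such statements; keep the style consistent. More substantively, now that esp_relay is only set from the command line, the override of filter_traffic that follows the "Required for ESP relay and might not be active" comment means -r silently turns filtering on; that side effect should be stated in the -r help text.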
@@ -549,6 +552,11 @@
  */
 void hip_fw_uninit_esp_relay(void)
 {
+    if (esp_relay == 0) {
+        HIP_DEBUG("ESP relay was already uninitialized\n");
+        return;
+    }
+
     esp_relay = 0;
 
     if (restore_filter_traffic == 0) {
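Review bot: The HIP_DEBUG text "ESP relay was already uninitialized" is misleading on the common path where -r was never given and nothing was ever initialised; "ESP relay not enabled, nothing to uninit" describes both cases correctly.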
@@ -645,6 +653,8 @@
     fw_uninit_lsi_support();
     hip_fw_uninit_conntrack();
 
+    hip_fw_uninit_esp_relay();
+
     cert_uninit();
 
 #ifdef CONFIG_HIP_PERFORMANCE
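Review bot: hip_fw_uninit_esp_relay() is now on the shutdown path, which under -p runs with lowered privileges; if its body (beyond the restore_filter_traffic check visible in the previous hunk) tears down iptables rules, that will fail at exit exactly as the runtime init did. The -p help text already promises that rules are not flushed on exit, so either skip the iptables part of the uninit when privileges were lowered or log that failure at debug level rather than as an error.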

=== modified file 'hipfw/hipfw_control.c'
--- hipfw/hipfw_control.c       2012-05-12 06:54:33 +0000
+++ hipfw/hipfw_control.c       2012-07-19 12:00:32 +0000
@@ -136,14 +136,12 @@
         break;
     case HIP_MSG_OFFER_FULLRELAY:
         if (!esp_relay) {
-            HIP_DEBUG("Enabling ESP relay\n");
+            HIP_ERROR("Enable ESP relay with option -r for hipfw!\n");
             hip_fw_init_esp_relay();
-        } else {
-            HIP_DEBUG("ESP relay already enabled\n");
         }
         break;
     case HIP_MSG_CANCEL_FULLRELAY:
-        HIP_DEBUG("Disabling ESP relay\n");
+        HIP_DEBUG("To disable ESP relay, restart hipfw without -r option\n");
         hip_fw_uninit_esp_relay();
         break;
     case HIP_MSG_GET_HA_INFO:
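Review bot: The two cases are now inconsistent. In HIP_MSG_OFFER_FULLRELAY the HIP_ERROR is followed by a call to hip_fw_init_esp_relay(), which after the hipfw.c hunk returns immediately when esp_relay == 0, so the call is dead and should be removed. In HIP_MSG_CANCEL_FULLRELAY, however, hip_fw_uninit_esp_relay() still runs and sets esp_relay = 0, so a cancel from hipd does disable the relay at runtime even though the new message tells the operator to restart hipfw, and after that a later offer can never re-enable it. Either drop both calls and make the messages purely informational, or keep a real runtime toggle; half of each is the worst of both.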

=== modified file 'hipfw/main.c'
--- hipfw/main.c        2012-05-12 06:54:33 +0000
+++ hipfw/main.c        2012-07-19 12:00:32 +0000
@@ -74,6 +74,7 @@
     puts("      -p = run with lowered privileges. iptables rules will not be 
flushed on exit");
     puts("      -t <seconds> = set timeout interval to <seconds>. Disable if 
<seconds> = 0");
     puts("      -u = attempt to speed up esp traffic using iptables rules");
+    puts("      -r = enable ESP relaying (HIP relaying for HIP daemon needs to 
be enabled separately)");
     puts("      -h = print this help");
     puts("");
 }
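Review bot: The -r help text should state the two things the code now implies: it must be given at startup because the iptables setup runs before the -p privilege drop (so it cannot be enabled from hipd later), and it forces traffic filtering on (filter_traffic is overridden in hip_fw_init_esp_relay()). Also -r is listed after -u while the surrounding options are in alphabetical order; place it between -p and -t.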
@@ -102,7 +103,7 @@
     char *end_of_number;
     int   ch;
 
-    while ((ch = getopt(argc, argv, "aAbcdef:FhHiIklmpt:uvV")) != -1) {
+    while ((ch = getopt(argc, argv, "aAbcdef:FhHiIklmprt:uvV")) != -1) {
         switch (ch) {
         case 'A':
             accept_hip_esp_traffic_by_default = 1;
@@ -167,6 +168,9 @@
         case 'u':
             esp_speedup = 1;
             break;
+        case 'r':
+            esp_relay = 1;
+            break;
         case 'v':
             log_level = LOGDEBUG_MEDIUM;
             hip_set_logfmt(LOGFMT_SHORT);
