[hipl-users] Re: Problems with RVS

  • From: Miika Komu <mkomu@xxxxxxxxx>
  • To: hipl-users@xxxxxxxxxxxxx
  • Date: Tue, 22 Oct 2013 13:49:19 +0300

Hi Paola,

I tried rendezvous in my local network. For me, Teredo addresses failed to work, possibly because of so-called NAT hairpinning problems (all hosts behind the same NAT), so I could not run any traffic on top of Teredo. So, I will show you how it works on plain IPv6.

The hosts are:
Initiator: 3ffe::1
Rendezvous: 3ffe::2
Responder: 3ffe::3

1. Enable rendezvous at rendezvous (you can also modify hipd.conf):

   sudo hipconf daemon add service rvs

2. Register to rvs at the responder and verify it works:

   sudo hipconf daemon add server rvs 2001:1a:493f:a501:6481:6b4:cfdb:6d4e 3ffe::2 11111

  hipconf daemon get ha all
    Sending user message 22 to HIPD on socket 3
    Sent 40 bytes
    Waiting to receive daemon info.
    248 bytes received from HIP daemon.
    HA is ESTABLISHED
    Shotgun mode is off.
    Broadcast mode is off.
    Local HIT: 2001:0016:8c08:9ca9:9e41:059d:95e7:7d2f
    Peer  HIT: 2001:001a:493f:a501:6481:06b4:cfdb:6d4e
    Local LSI: 1.0.0.1
    Peer  LSI: 1.0.0.2
    Local IP: 3ffe:0000:0000:0000:0000:0000:0000:0003
    Local NAT traversal UDP port: 0
    Peer  IP: 3ffe:0000:0000:0000:0000:0000:0000:0002
    Peer  NAT traversal UDP port: 0
    Peer  hostname: debian32
    Peer has granted us rendezvous service

3. Initiate base exchange at the initiator (via rvs)

  hipconf daemon add map 2001:16:8c08:9ca9:9e41:059d:95e7:7d2f 3ffe::2
  ping6 2001:16:8c08:9ca9:9e41:059d:95e7:7d2f
  root@gaijin:~# ping6 2001:16:8c08:9ca9:9e41:059d:95e7:7d2f
  PING 2001:16:8c08:9ca9:9e41:059d:95e7:7d2f(2001:16:8c08:9ca9:9e41:59d:95e7:7d2f) 56 data bytes
  64 bytes from 2001:16:8c08:9ca9:9e41:59d:95e7:7d2f: icmp_seq=2 ttl=64 time=1.44 ms
  64 bytes from 2001:16:8c08:9ca9:9e41:59d:95e7:7d2f: icmp_seq=3 ttl=64 time=1.36 ms

I was also running tcpdump at the initiator to make sure that the traffic goes through the rvs:

tcpdump -n -i any proto 139 or esp
13:20:33.356457 IP6 3ffe::1 > 3ffe::2: ip-proto-139 40
13:20:33.397397 IP6 3ffe::3 > 3ffe::1: ip-proto-139 664
13:20:33.417302 IP6 3ffe::1 > 3ffe::3: ip-proto-139 608
13:20:33.462743 IP6 3ffe::3 > 3ffe::1: ip-proto-139 216
13:20:34.351457 IP6 3ffe::1 > 3ffe::3: ESP(spi=0x94eb338c,seq=0x1), length 116
13:20:34.352712 IP6 3ffe::3 > 3ffe::1: ESP(spi=0x6118aed8,seq=0x1), length 116
13:20:35.352870 IP6 3ffe::1 > 3ffe::3: ESP(spi=0x94eb338c,seq=0x2), length 116
13:20:35.354062 IP6 3ffe::3 > 3ffe::1: ESP(spi=0x6118aed8,seq=0x2), length 116

If you observe the first packets, you'll see that the I1 packet goes to the rendezvous (size 40) (which the rendezvous forwards to the responder). Then the responder replies directly back to the initiator (R1, size 664) and further communications (I2, R2, ESP) are carried without rendezvous interaction.

P.S. Please note that observing Teredo-encapsulated traffic requires different rules.

On 10/21/2013 12:17 PM, Paola Venuso wrote:
Hi Miika,

I set up three machines and used Teredo addresses to test RVS service
but it didn't work. I captured the traffic with wireshark and there
were no HIP packets. Also "hipconf daemon get ha all" showed no HAs.
I followed the steps on the manual. Is there some particular
configuration for the host RVS?

Thank you,

Paola




2013/10/20 Miika Komu <mkomu@xxxxxxxxx>

    Hi Paola,

    hmm, the infrahip.net network seems to have
    some IPv6 connectivity problems at the moment (at least for me), so
    I recommend that you set up three machines of your own (initiator,
    rendezvous and responder). A successful registration looks like this:

    $ sudo hipconf daemon add server rvs 2001:1b:a9be:c6a6:34e5:8361:c07f:a990 193.167.187.134 1111
    Requesting 1 service for 1024 seconds (lifetime 0x90) from 2001:1b:a9be:c6a6:34e5:8361:c07f:a990 193.167.187.134.
    Sending user message 104 to HIPD on socket 3
    Sent 96 bytes

    Waiting to receive daemon info.
    96 bytes received from HIP daemon.
    User message was sent successfully to the HIP daemon.


    $ hipconf daemon get ha all
    Sending user message 22 to HIPD on socket 3
    Sent 40 bytes
    Waiting to receive daemon info.
    456 bytes received from HIP daemon.

    HA is ESTABLISHED
      Shotgun mode is off.
      Broadcast mode is off.
      Local HIT: 2001:0019:11ac:e3af:2367:11a4:1a36:36ec
      Peer  HIT: 2001:001b:a9be:c6a6:34e5:8361:c07f:a990
      Local LSI: 1.0.0.1
      Peer  LSI: 1.0.0.100
      Local IP: 192.168.1.127
      Local NAT traversal UDP port: 10500
      Peer  IP: 193.167.187.134
      Peer  NAT traversal UDP port: 10500
      Peer  hostname: crossroads.infrahip.net
      Peer has granted us rendezvous service
                          ^^^^^^^^^^
    HA is ESTABLISHED



    On 10/20/2013 01:43 AM, Paola Venuso wrote:

        Hi Miika,

        thank you for re-enabling the service. I tried the connection with IPv4
        and as you expected it didn't work.
        To prioritize the IPv6 addresses I edited gai.conf file uncommenting the
        lines:

        label ::1/128       0
        label ::/0          1
        label 2002::/16     2
        label ::/96         3
        label ::ffff:0:0/96 4
        label fec0::/10     5
        label fc00::/7      6

        I tested IPv6 visiting ipv6-test.com that gave me this result:

        When both protocols are available, your browser uses IPv6
        Your internet connection is IPv6 capable
        2001:0:53aa:64c:807:6e66:a269:1d27
        Address type is Teredo
        Tunneling from 93.150.226.216:37273 (server 83.170.6.76)

        So I guess this part is ok.
        Then I registered to crossroads using its IPv6 address and tried nc6
        connection from the initiator. Previously at the initiator I edited
        /etc/hosts (in which I included IPv6 address of crossroads and the
        responder hostname) and /etc/hip/hosts (in which I included HIT and
        hostname of the responder) and also restarted both machines. But the
        initiator couldn't reach the responder.
        Did I do something wrong?

        Thanks,

        Paola



        2013/10/19 Miika Komu <mkomu@xxxxxxxxx>


             Hi Paola,

             I have re-enabled RVS functionality in crossroads and ashenvale now.
             Please bear in mind that an IPv4-over-UDP base exchange may not work
             because your NAT may block it (Teredo may be needed).


             On 10/19/2013 04:51 PM, Paola Venuso wrote:

                 Hi Miika,

                 I read on the manual that crossroads could have been used as rvs. This
                 is written above the table in which are indicated the addresses of the
                 test servers. Maybe I misunderstood what is written.
                 Anyway I'm installing ubuntu on another computer and trying to configure
                 the server myself.

                 Thanks again,

                 Paola

                 On 19 Oct 2013 14:40, "Miika Komu" <mkomu@xxxxxxxxx> wrote:



                      Hi Paola,

                      crossroads is not configured to act as a rendezvous (or relay). You
                      should deploy and install your own rendezvous server. When you have
                      done so, you will see some additional registration information in
                      hipconf output at the responder and then also the initiator succeeds
                      with the base exchange.

                      On 10/18/2013 09:44 PM, Paola Venuso wrote:

                          Hi Miika,

                          I replaced Windows with Ubuntu on my PCs and now the simple connection
                          between the two hosts works perfectly! :D
                          But I have problems with RVS. I tried registering with
                          crossoroads.infrahip.net and then started the connection (using
                          different configuration). Only I1 packet was sent. I stopped the
                          connection and ran "hipconf daemon get ha all".
                          At the responder I had this output:

                          paola@ProBook:~$ hipconf daemon get ha all
                          Sending user message 22 to HIPD on socket 3
                          Sent 40 bytes
                          Waiting to receive daemon info.
                          240 bytes received from HIP daemon.
                          HA is ESTABLISHED
                             Shotgun mode is off.
                             Broadcast mode is off.
                             Local HIT: 2001:0018:66b5:52d3:e479:7810:8446:133b
                             Peer  HIT: 2001:001b:a9be:c6a6:34e5:8361:c07f:a990
                             Local LSI: 1.0.0.1
                             Peer  LSI: 1.0.0.2
                             Local IP: 192.168.1.210
                             Local NAT traversal UDP port: 10500
                             Peer  IP: 193.167.187.134
                             Peer  NAT traversal UDP port: 10500
                             Peer  hostname: crossroads.infrahip.net

                          While at the initiator I had this output:

                          paola@ProBook:~$ hipconf daemon get ha all
                          Sending user message 22 to HIPD on socket 3
                          Sent 40 bytes
                          Waiting to receive daemon info.
                          240 bytes received from HIP daemon.
                          HA is I1-SENT
                             Shotgun mode is off.
                             Broadcast mode is off.
                             Local HIT: 20011:0013:e87a:b8e4:68c8:258b:0fb4:68b8
                             Peer  HIT: 2001:0018:66b5:52d3:e479:7810:8446:133b
                             Local LSI: 1.0.0.1
                             Peer  LSI: 1.0.0.2
                             Local IP: 192.168.1.184
                             Local NAT traversal UDP port: 10500
                             Peer  IP: 193.167.187.134
                             Peer  NAT traversal UDP port: 10500
                             Peer  hostname:

                          Thanks,

                          Paola


                          2013/10/17 Paola Venuso <pa.venuso@xxxxxxxxx>


                               Hi Miika,

                               the reason why I used virtual machines is that I couldn't use Linux
                               as the host machine. But now I convinced myself to use it because
                               this test I have to run is for the last part of my thesis in which I
                               have to use InfraHIP implementation. About miredo configuration, I
                               have the default one (I only installed the miredo packet as the
                               manual says).
                               Tonight I'm going to install Linux on my machines and then to try
                               again the test. I hope everything would be ok. I'll let you know.

                               Thank you for everything,

                               Paola


                               2013/10/17 Miika Komu <mkomu@xxxxxxxxx>

                                   Hi Paola,

                                   (returning offline discussion to online)

                                   my guess of the origins of your problem is that the host machine
                                   of your virtual machines is Windows, and it does not allow raw
                                   sockets, even for virtual machines. This is probably the reason
                                   why HIP-over-UDP-over-IPv4 works, but HIP-over-IPv6 doesn't.

                                   If you really want to do NAT traversal with HIP, please consider:

                                   1. Using Linux (or OS-X) as the host machine (Linux live CD/USB
                                   images are available)
                                   2. Use HIP over UDP and IPv4, and employ the relay server as
                                   instructed in the manual (the relay server requires a public
                                   IPv4 address)

                                   Btw, your Teredo configuration is not fully functional because I
                                   can't reach your VMs, even though you can reach by yourself.

                                   P.S. OpenHIP has some native support for Windows.


                                   On 10/16/2013 07:45 PM, Paola Venuso wrote:

                                       Hi Miika,


                                       at the initiator:

                                       paola2@ubuntu2:~$ lsmod|grep xfrm
                                       xfrm_user              31160  1
                                       xfrm_algo              14952  3 xfrm_user,esp6,esp4
                                       xfrm6_mode_beet        12577  1
                                       xfrm4_mode_beet        12498  1



                                       at the responder:

                                       paola@ubuntu:~$ lsmod|grep xfrm
                                       xfrm_user              31160  1
                                       xfrm_algo              14952  3 xfrm_user,esp6,esp4
                                       xfrm6_mode_beet        12577  2
                                       xfrm4_mode_beet        12498  2


                                       Then I used ping6 with the server address and I could reach it. I
                                       invoked add map command and ping6 and waited for more than a minute but
                                       nothing happened so I stopped it:

                                       paola@ubuntu:~$ ping6 2001:10:5403:41fe:a5df:5f02:9680:b6d2
                                       PING 2001:10:5403:41fe:a5df:5f02:9680:b6d2(2001:10:5403:41fe:a5df:5f02:9680:b6d2) 56 data bytes
                                       ^C
                                       --- 2001:10:5403:41fe:a5df:5f02:9680:b6d2 ping statistics ---
                                       222 packets transmitted, 0 received, 100% packet loss, time 221196ms

                                       paola@ubuntu:~$ hipconf daemon get ha all
                                       Sending user message 22 to HIPD on socket 3
                                       Sent 40 bytes
                                       Waiting to receive daemon info.
                                       240 bytes received from HIP daemon.
                                       HA is I1-SENT
                                          Shotgun mode is off.
                                          Broadcast mode is off.
                                          Local HIT: 2001:0012:421d:99a0:005d:d60f:73b0:4407
                                          Peer  HIT: 2001:0010:5403:41fe:a5df:5f02:9680:b6d2
                                          Local LSI: 1.0.0.1
                                          Peer  LSI: 1.0.0.2
                                          Local IP: 3ffe:0000:0000:0000:0000:0000:0000:0002
                                          Local NAT traversal UDP port: 0
                                          Peer  IP: 3ffe:0000:0000:0000:0000:0000:0000:0001
                                          Peer  NAT traversal UDP port: 0
                                          Peer  hostname:






                                       2013/10/16 Miika Komu <mkomu@xxxxxxxxx>


                                            Hi Paola,


                                            On 10/16/2013 12:46 PM, Paola Venuso wrote:

                                                Hi Miika,

                                                I deleted the incorrect line with "hipconf" and changed the debug mode
                                                to "all". I'm sending two emails with the output of the debug because
                                                the message is too big.


                                            What does "lsmod|grep xfrm" give you? It should be:
                                            xfrm_user              35921  1
                                            xfrm6_mode_beet        12658  7
                                            xfrm4_mode_beet        12611  7


                                                This is the output of the initiator


                                            I failed to see any 3ffe::xx/64 addresses in the log. Did you forget
                                            to invoke "hipconf daemon add map"?

                                            Here's an example (please do not copy paste blindly, you need to
                                            change the addresses and interface names):

                                            server:
                                               sudo ip addr add 3ffe::1/64 dev eth0 # add IPv6 addr for server

                                            client:
                                               sudo ip addr add 3ffe::2/64 dev eth0 # add IPv6 addr for client
                                               ping6 3ffe::1 # can you reach the server?
                                               sudo hipconf daemon rst all # reset hipd daemon state
                                               hipconf daemon add map 2001:15:e156:8a78:3226:dbaa:f2ff:ed06 3ffe::1
                                               ping6 2001:15:e156:8a78:3226:dbaa:f2ff:ed06
                                               <wait for one minute>
                                               PING 2001:15:e156:8a78:3226:dbaa:f2ff:ed06(2001:15:e156:8a78:3226:dbaa:f2ff:ed06) 56 data bytes
                                               64 bytes from 2001:15:e156:8a78:3226:dbaa:f2ff:ed06: icmp_seq=2 ttl=64 time=29.8 ms
                                               64 bytes from 2001:15:e156:8a78:3226:dbaa:f2ff:ed06: icmp_seq=3 ttl=64 time=47.5 ms

                                            I'd like to see "hipconf daemon get ha all" output after this.
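
A check of the packet order described in the top message of this thread (I1 to the rendezvous, then R1, I2, R2 and ESP directly between the end hosts), run over capture lines from that message. This is an added example, not part of the original thread or of HIPL; the function names and finding strings are assumptions made here.

```python
import ipaddress
import re

# HIP lines and the first two ESP lines from the tcpdump capture in the top message.
CAPTURE = """\
13:20:33.356457 IP6 3ffe::1 > 3ffe::2: ip-proto-139 40
13:20:33.397397 IP6 3ffe::3 > 3ffe::1: ip-proto-139 664
13:20:33.417302 IP6 3ffe::1 > 3ffe::3: ip-proto-139 608
13:20:33.462743 IP6 3ffe::3 > 3ffe::1: ip-proto-139 216
13:20:34.351457 IP6 3ffe::1 > 3ffe::3: ESP(spi=0x94eb338c,seq=0x1), length 116
13:20:34.352712 IP6 3ffe::3 > 3ffe::1: ESP(spi=0x6118aed8,seq=0x1), length 116
"""

# Matches the plain-IPv6 output of "tcpdump -n -i any proto 139 or esp".
LINE_RE = re.compile(
    r"^\S+ IP6 (?P<src>\S+) > (?P<dst>\S+?): (?P<kind>ip-proto-139|ESP)\b"
)


def parse(capture):
    """Return (kind, src, dst) for every HIP or ESP line; other lines are skipped."""
    packets = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            kind = "HIP" if m.group("kind") == "ip-proto-139" else "ESP"
            packets.append((kind,
                            ipaddress.ip_address(m.group("src")),
                            ipaddress.ip_address(m.group("dst"))))
    return packets


def check_rendezvous_flow(capture, initiator, rvs, responder):
    """Return a list of findings; an empty list means the capture matches
    the rendezvous pattern described in the thread."""
    ini, rv, rsp = (ipaddress.ip_address(a) for a in (initiator, rvs, responder))
    packets = parse(capture)
    hip = [(s, d) for k, s, d in packets if k == "HIP"]
    esp = [(s, d) for k, s, d in packets if k == "ESP"]
    if not hip:
        return ["no HIP (IP protocol 139) packets in capture"]
    findings = []
    # Only I1 goes to the rendezvous; R1, I2 and R2 travel directly.
    expected = [("I1", ini, rv), ("R1", rsp, ini), ("I2", ini, rsp), ("R2", rsp, ini)]
    for (name, src, dst), got in zip(expected, hip):
        if got != (src, dst):
            findings.append(f"{name}: expected {src} > {dst}, saw {got[0]} > {got[1]}")
    if len(hip) < len(expected):
        findings.append(f"base exchange incomplete: {len(hip)} of 4 HIP packets seen")
    if not esp:
        findings.append("no ESP packets: no data traffic followed the base exchange")
    for src, dst in esp:
        if {src, dst} != {ini, rsp}:
            findings.append(f"ESP not directly between the end hosts: {src} > {dst}")
    return findings


if __name__ == "__main__":
    result = check_rendezvous_flow(CAPTURE, "3ffe::1", "3ffe::2", "3ffe::3")
    print("OK" if not result else "\n".join(result))
    # Constructed failure case: only the I1 is on the wire, which corresponds
    # to the "HA is I1-SENT" state shown earlier in the thread.
    stalled = CAPTURE.splitlines()[0]
    print("\n".join(check_rendezvous_flow(stalled, "3ffe::1", "3ffe::2", "3ffe::3")))
```

The pattern only covers plain IPv6 captures; as the P.S. in the top message notes, Teredo-encapsulated traffic needs different capture rules and would not match these lines.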















