[hipl-users] Re: Why is hipl using NAT when perfectly good IPv6 connectivity

  • From: Miika Komu <mkomu@xxxxxxxxx>
  • To: hipl-users@xxxxxxxxxxxxx
  • Date: Sat, 12 Apr 2014 16:43:48 +0300

Hi,

On 04/11/2014 04:53 PM, Robert Moskowitz wrote:
> OK.  This is basically bad behaviour...  Initiator is F20, responder is
> Centos6.  Both set for HIPv1.
>
> Default config.  Though on the Centos server, I turned off NAT support.
> (and DYNDNS update)

remember to restart hipd or operate from command line (see below).

> I have two systems on the same subnet.
>
> The IPv4 addresses are public, 208.86.67.136/29.  I pay $10/mo for my
> /26 allocation.
> The IPv6 addresses are public, 2607:f4b8:3:13::/64. My allocation is
> 2607:f4b8:3::/48.
>
> So why if I ping6 is the client using NAT traversal????
>
> Minimally it should be using IPv6.  It is there.
> Worst IPv4 native.
>
> This is unacceptable behaviour.  HELP????

Let's try a connection with ashenvale using NAT traversal mode:

root@gaijin:~# hipconf daemon add map 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3 193.167.187.133
Mapped v4 to v6.
mapped v6: 193.167.187.133
Sending user message 2 to HIPD on socket 3
Sent 88 bytes
Waiting to receive daemon info.
88 bytes received from HIP daemon.
User message was sent successfully to the HIP daemon.
root@gaijin:~# ping6 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3
PING 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3(2001:1c:cbae:47ae:2871:f9c:eb94:c8e3) 56 data bytes 64 bytes from 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3: icmp_seq=2 ttl=56 time=10.2 ms
^C
--- 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3 ping statistics ---
2 packets transmitted, 1 received, 50% packet loss, time 999ms
rtt min/avg/max/mdev = 10.210/10.210/10.210/0.000 ms

You can see from the port numbers that it is using UDP encapsulation:

root@gaijin:~# hipconf daemon get ha all
Sending user message 22 to HIPD on socket 3
Sent 40 bytes
Waiting to receive daemon info.
248 bytes received from HIP daemon.
HA is ESTABLISHED
 Shotgun mode is off.
 Broadcast mode is off.
 Local HIT: 2001:0015:e156:8a78:3226:dbaa:f2ff:ed06
 Peer  HIT: 2001:001c:cbae:47ae:2871:0f9c:eb94:c8e3
 Local LSI: 1.0.0.1
 Peer  LSI: 1.0.0.200
 Local IP: 192.168.1.2
 Local NAT traversal UDP port: 10500
 Peer  IP: 193.167.187.133
 Peer  NAT traversal UDP port: 10500
 Peer  hostname: ashenvale.infrahip.net
root@gaijin:~# ip xfrm state
src 192.168.1.2 dst 193.167.187.133
        proto esp spi 0xfce0fe22 reqid 0 mode beet
        replay-window 0
        auth-trunc hmac(sha1) 0xc477d50ff44c0120005f925e31fcf88a2fb3bb54 96
        enc cbc(aes) 0x3cccffed49ad47a6d153a208e4418496
        encap type espinudp sport 10500 dport 10500 addr 192.168.1.2
sel src 2001:15:e156:8a78:3226:dbaa:f2ff:ed06/128 dst 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3/128
src 193.167.187.133 dst 192.168.1.2
        proto esp spi 0x79a0d883 reqid 0 mode beet
        replay-window 0
        auth-trunc hmac(sha1) 0xeae41a85e823d6e6fa30c6155e193ddb974c94b0 96
        enc cbc(aes) 0xcd6eb5a9a66d5159cdc6b80c3ca9ff54
        encap type espinudp sport 10500 dport 10500 addr 193.167.187.133
sel src 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3/128 dst 2001:15:e156:8a78:3226:dbaa:f2ff:ed06/128

Now, let's reset, turn off NAT support and establish connection:

root@gaijin:~# sudo hipconf daemon rst all
root@gaijin:~# hipconf daemon nat none
Sending user message 130 to HIPD on socket 3
Sent 40 bytes
Waiting to receive daemon info.
40 bytes received from HIP daemon.
User message was sent successfully to the HIP daemon.
root@gaijin:~# hipconf daemon add map 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3 193.167.187.133
Mapped v4 to v6.
mapped v6: 193.167.187.133
Sending user message 2 to HIPD on socket 3
Sent 88 bytes
Waiting to receive daemon info.
88 bytes received from HIP daemon.
User message was sent successfully to the HIP daemon.
root@gaijin:~# ping6 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3
PING 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3(2001:1c:cbae:47ae:2871:f9c:eb94:c8e3) 56 data bytes
^C
--- 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

Host association fails because my NAT box drops HIP control packets. Anyway, the association does not have any port numbers now:

root@gaijin:~# hipconf daemon get ha all
Sending user message 22 to HIPD on socket 3
Sent 40 bytes
Waiting to receive daemon info.
248 bytes received from HIP daemon.
HA is I1-SENT
 Shotgun mode is off.
 Broadcast mode is off.
 Local HIT: 2001:0015:e156:8a78:3226:dbaa:f2ff:ed06
 Peer  HIT: 2001:001c:cbae:47ae:2871:0f9c:eb94:c8e3
 Local LSI: 1.0.0.1
 Peer  LSI: 1.0.0.200
 Local IP: 192.168.1.2
 Local NAT traversal UDP port: 0
 Peer  IP: 193.167.187.133
 Peer  NAT traversal UDP port: 0
 Peer  hostname:

Yes, and it is really without UDP encapsulation:

tcpdump -n -i any port 10500 or esp or proto hip
16:42:59.872729 IP 192.168.1.2 > 193.167.187.133:  hip 40
16:42:59.974971 IP 192.168.1.2 > 193.167.187.133:  hip 40
16:43:00.177926 IP 192.168.1.2 > 193.167.187.133:  hip 40

Note: NAT stuff applies only to IPv4, IPv6 is always without UDP.
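The check Miika does by eye above (non-zero NAT traversal ports in `hipconf daemon get ha all`, `encap type espinudp` in `ip xfrm state`) can be scripted. The following is an added example, not code from the thread or from HIPL: it parses the two text layouts exactly as they appear in this message and reports, per ESP SA, whether traffic is ESP-in-UDP (NAT traversal) or native ESP, and whether the kernel's anti-replay window is disabled. The port constant 10500 and the sample listings are taken from the thread; the `auth-trunc`/`enc` key lines were dropped from the sample since the parser ignores them.

```python
# Added example (not HIPL's own code): parse what `hipconf daemon get ha all`
# and `ip xfrm state` print, and report whether a HIP association is running
# ESP-in-UDP (NAT traversal) or native ESP. Sample inputs below are copied
# from the thread, minus the SA key lines.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

HIP_NAT_UDP_PORT = 10500  # UDP port HIPL used for NAT traversal in the thread


@dataclass
class XfrmSA:
    src: str
    dst: str
    spi: str = ""
    mode: str = ""
    replay_window: int = -1                  # -1: line not seen; 0: kernel anti-replay off
    encap: Optional[Dict[str, str]] = None   # filled from "encap type espinudp ..." if present


def parse_xfrm_state(text: str) -> List[XfrmSA]:
    """Split `ip xfrm state` output into SAs; each block starts with 'src X dst Y'."""
    sas: List[XfrmSA] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^src (\S+) dst (\S+)$", line)   # 'sel src ...' does not match
        if m:
            sas.append(XfrmSA(src=m.group(1), dst=m.group(2)))
            continue
        if not sas:
            continue
        sa = sas[-1]
        if m := re.match(r"^proto \S+ spi (0x[0-9a-f]+) reqid \d+ mode (\S+)", line):
            sa.spi, sa.mode = m.group(1), m.group(2)
        elif m := re.match(r"^replay-window (\d+)", line):
            sa.replay_window = int(m.group(1))
        elif m := re.match(r"^encap type (\S+) sport (\d+) dport (\d+) addr (\S+)", line):
            sa.encap = dict(zip(("type", "sport", "dport", "addr"), m.groups()))
    return sas


def udp_encapsulated(sa: XfrmSA) -> bool:
    """espinudp is ESP carried inside UDP, i.e. the NAT traversal path."""
    return sa.encap is not None and sa.encap["type"] == "espinudp"


def parse_ha(text: str) -> Dict[str, str]:
    """Turn 'HA is STATE' and 'Key: value' lines of hipconf output into a dict."""
    info: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("HA is "):
            info["state"] = line[len("HA is "):].strip()
        elif ":" in line:
            key, _, val = line.partition(":")
            info[re.sub(r"\s+", " ", key.strip())] = val.strip()  # "Peer  HIT" -> "Peer HIT"
    return info


def ha_uses_nat_traversal(ha: Dict[str, str]) -> bool:
    """HIPL reports UDP port 0 on both sides when no NAT traversal is in use."""
    ports = (ha.get("Local NAT traversal UDP port", "0"),
             ha.get("Peer NAT traversal UDP port", "0"))
    return any(int(p or 0) != 0 for p in ports)


def summarize(ha_text: str, xfrm_text: str) -> Dict[str, object]:
    ha, sas = parse_ha(ha_text), parse_xfrm_state(xfrm_text)
    findings: List[str] = []
    for sa in sas:
        how = (f"ESP-in-UDP {sa.encap['sport']}->{sa.encap['dport']}"
               if udp_encapsulated(sa) else "native ESP")
        findings.append(f"{sa.src} -> {sa.dst} spi {sa.spi} mode {sa.mode}: {how}")
        if sa.replay_window == 0:
            findings.append(f"{sa.src} -> {sa.dst} spi {sa.spi}: replay-window 0, "
                            "kernel anti-replay check is off")
    return {
        "state": ha.get("state"),
        "nat_traversal": ha_uses_nat_traversal(ha),
        "udp_sas": sum(udp_encapsulated(sa) for sa in sas),
        "sa_count": len(sas),
        "findings": findings,
    }


# Sample inputs copied from the thread (constructed test data for this example).
HA_NAT = """\
HA is ESTABLISHED
 Local HIT: 2001:0015:e156:8a78:3226:dbaa:f2ff:ed06
 Peer  HIT: 2001:001c:cbae:47ae:2871:0f9c:eb94:c8e3
 Local IP: 192.168.1.2
 Local NAT traversal UDP port: 10500
 Peer  IP: 193.167.187.133
 Peer  NAT traversal UDP port: 10500
"""
HA_NONE = """\
HA is I1-SENT
 Local NAT traversal UDP port: 0
 Peer  NAT traversal UDP port: 0
"""
XFRM_NAT = """\
src 192.168.1.2 dst 193.167.187.133
        proto esp spi 0xfce0fe22 reqid 0 mode beet
        replay-window 0
        encap type espinudp sport 10500 dport 10500 addr 192.168.1.2
sel src 2001:15:e156:8a78:3226:dbaa:f2ff:ed06/128 dst 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3/128
src 193.167.187.133 dst 192.168.1.2
        proto esp spi 0x79a0d883 reqid 0 mode beet
        replay-window 0
        encap type espinudp sport 10500 dport 10500 addr 193.167.187.133
sel src 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3/128 dst 2001:15:e156:8a78:3226:dbaa:f2ff:ed06/128
"""

if __name__ == "__main__":
    for finding in summarize(HA_NAT, XFRM_NAT)["findings"]:
        print(finding)
```

On a live host you would feed it `subprocess.run(["hipconf", "daemon", "get", "ha", "all"], ...)` and `ip xfrm state` output instead of the embedded samples. Two things the summary surfaces that are easy to miss when reading the raw listing: the NAT verdict from `hipconf` (ports 0 vs 10500) should agree with the presence of `encap type espinudp` in the kernel state, and `replay-window 0` on both SAs means the kernel is not doing anti-replay checks for that ESP traffic.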
