On Tue, Jun 23, 2020 at 11:24:59PM +0200, Michael Tuexen wrote: > > On 23. Jun 2020, at 23:21, Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx> wrote: > > > > On Tue, Jun 23, 2020 at 11:17:56AM -0500, Corey Minyard wrote: > >> On Tue, Jun 23, 2020 at 01:17:28PM +0000, David Laight wrote: > >>> From: Marcelo Ricardo Leitner > >>>> Sent: 22 June 2020 19:33 > >>>> On Mon, Jun 22, 2020 at 08:01:24PM +0200, Michael Tuexen wrote: > >>>>>> On 22. Jun 2020, at 18:57, Corey Minyard <minyard@xxxxxxx> wrote: > >>>>>> > >>>>>> On Mon, Jun 22, 2020 at 08:01:23PM +0800, Xin Long wrote: > >>>>>>> On Sun, Jun 21, 2020 at 11:56 PM Corey Minyard <minyard@xxxxxxx> wrote: > >>>>>>>> > >>>>>>>> I've stumbled upon a strange problem with SCTP and IPv6. If I create an > >>>>>>>> sctp listening socket on :: and set the IPV6_V6ONLY socket option on it, > >>>>>>>> then I make a connection to it using ::1, the connection will drop after > >>>>>>>> 2.5 seconds with an ECONNRESET error. > >>>>>>>> > >>>>>>>> It only happens on SCTP, it doesn't have the issue if you connect to a > >>>>>>>> full IPv6 address instead of ::1, and it doesn't happen if you don't > >>>>>>>> set IPV6_V6ONLY. I have verified current end of tree kernel.org. > >>>>>>>> I tried on an ARM system and x86_64. > >>>>>>>> > >>>>>>>> I haven't dug into the kernel to see if I could find anything yet, but I > >>>>>>>> thought I would go ahead and report it. I am attaching a reproducer. > >>>>>>>> Basically, compile the following code: > >>>>>>> The code only set IPV6_V6ONLY on server side, so the client side will > >>>>>>> still bind all the local ipv4 addresses (as you didn't call bind() to > >>>>>>> bind any specific addresses ). Then after the connection is created, > >>>>>>> the client will send HB on the v4 paths to the server. The server > >>>>>>> will abort the connection, as it can't support v4. > >>>>>>> > >>>>>>> So you can work around it by either: > >>>>>>> > >>>>>>> - set IPV6_V6ONLY on client side. > >>>>>>> > >>>>>>> or > >>>>>>> > >>>>>>> - bind to the specific v6 addresses on the client side. > >>>>>>> > >>>>>>> I don't see RFC said something about this. > >>>>>>> So it may not be a good idea to change the current behaviour > >>>>>>> to not establish the connection in this case, which may cause regression. > >>>>>> > >>>>>> Ok, I understand this. It's a little strange, but I see why it works > >>>>>> this way. > >>>>> I don't. I would expect it to work as I described in my email. > >>>>> Could someone explain me how and why it is behaving different from > >>>>> my expectation? > >>>> > >>>> It looks like a bug to me. Testing with this test app here, I can see > >>>> the INIT_ACK being sent with a bunch of ipv4 addresses in it and > >>>> that's unexpected for a v6only socket. As is, it's the server saying > >>>> "I'm available at these other addresses too, but not." > >>> > >>> Does it even make sense to mix IPv4 and IPv6 addresses on the same > >>> connection? > >>> I don't remember ever seeing both types of address in a message, > >>> but may not have looked. > >> > >> That's an interesting question. Do the RFCs say anything? I would > >> assume it was ok unless ipv6only was set. > >> > >>> > >>> I also wonder whether the connection should be dropped for an error > >>> response on a path that has never been validated. > >> > >> That actually bothered me a bit more. Shouldn't it stay up if any path > >> is up? That's kind of the whole point of multihoming. > > > > Michael explained it on the other email. What he described is what I > > observed in my tests. > > > >> > >>> > >>> OTOH the whole 'multi-homing' part of SCTP sucks. > >> > >> I don't think so. > >> > >>> The IP addresses a server needs to bind to depend on where the > >>> incoming connection will come from. > >>> A local connection may be able to use a 192.168.x.x address > >>> but a remote connection must not - as it may be defined locally > >>> at the remote system. > >>> But both connections can come into the public (routable) address. > >>> We have to tell customers to explicitly configure the local IP > >>> addresses - which means the application has to know what they are. > >>> Fortunately these apps are pretty static - usually M3UA. > >> > >> Umm, no, If you have a private address, it better be behind a firewall, > >> and the firewall should handle rewriting the packet to fix the addresses. > >> > >> It doesn't appear that Linux netfilter does this. There is a TODO in > >> the code for this. But that's how it *should* work. > > > > Right, we don't support SCTP aware NAT [1]. > > > > 1.https://tools.ietf.org/html/draft-stewart-behave-sctpnat-04 > The current version is: https://tools.ietf.org/html/draft-ietf-tsvwg-natsupp-16 Thanks! > > Another possibility for NAT traversal is UDP encapsulation... Also not supported.. :-] Best regards, Marcelo > > Best regards > Michael > > > > Marcelo > > > >> > >> -corey > >> > >>> > >>> David > >>> > >>> - > >>> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK > >>> Registration No: 1397386 (Wales) > >>> >